What is IT to do?
In many enterprises, the challenge of dealing with structured data has created dangerous gaps between information policies — driven by business, legal and compliance issues — and the information practices of IT. In most organizations, the tissue connecting information policies and IT practices is made up of little more than emails and sneakers.
As alluded to earlier, in the absence of clear mechanisms to operationalize information policies related to information retention and disposal, IT tends to save everything, leading to huge storage costs, increased risk of unnecessary exposure during e-discovery, and increased risk of violating privacy and retention regulations.
The solution to balancing costs against retention policies lies in embedding governance and defensible disposal into the IT processes themselves. All the stakeholders — business, legal, governance and IT — must work together to create processes that allow data to be compressed, de-duplicated, moved to lower-cost storage, and finally eliminated without undermining the business, legal, and compliance requirements. Specifically, the goal is to create mechanisms for automatically implementing and releasing retention schedules and holds across both unstructured file storage and messaging systems and structured business database systems.
To achieve this goal, legal, compliance, and business stakeholders must each clearly and specifically define what needs to be retained and for how long. IT must then have the technology, systems, and processes to identify and retain the relevant data in a single, secure location, apply the definitions, and dispose of released data immediately.
Getting buy-in and stakeholder support
Unfortunately, for many companies, the biggest challenge is getting the stakeholders to sit at the same table and speak the same language. As with any cross-functional project, start by getting high-level buy-in and then identify the most efficacious supporters to join the team. Only then can you begin the process of mapping information flows and systems, mapping IT systems to expert business users, determining what it will take to operationalize the information policies for each unique system, and deciding how the new mechanisms will be implemented and validated.
There’s no doubt that the challenge may be great for many companies. However, the combined benefits of tremendous long-term cost saving and reduced risk of legal and regulatory penalties (and associated brand damage) should compel action and motivate near universal buy-in.
David White is a partner in the Commercial Litigation department at Seyfarth Shaw LLP and CGOC faculty member. His practice focuses on issues regarding electronic discovery and information governance, including international and domestic data privacy and security and other IT-related legal issues. Mr. White has more than a decade of experience assisting corporations in multiple sectors in preparing for and responding to discovery in litigation and regulatory matters, including electronic document preservation, production, spoliation mitigation, and computer forensic investigations. He is a contributing member of the Sedona Conference, a CGOC faculty member, and speaks regularly across the country on e-discovery and data privacy issues.