Modern companies store vast amounts of information that is used to improve products, organize services and expand markets. What is often lacking, however, are discussions about the economics around the large amount of data being collected, according to Derek Gascon, executive director of the Compliance, Governance and Oversight Council.
Companies often overlook the cost of storing, analyzing and managing data in relation to its expected business value, Gascon said. Moreover, sprawling data stores often contain massive amounts of old, valueless and duplicative "data debris" that make it difficult to find the information that is vital to business and compliance processes. In this Q&A with SearchCompliance, Gascon discusses how effective data management strategy, such as incorporating retention and schedules, can transform organizations for the better.
What regulatory compliance and security risks do companies face when they do not dispose of old, valueless and duplicative data?
If you can reduce the data footprint, that reduces the cost to review documents for discovery purposes.
executive director, Compliance, Governance and Oversight Council
Derek Gascon: The more digital data a company has on hand, the less it's used and the more it becomes an oversight. There is potential for it to be released into the wild, so to speak, and if it's not taken care of like it needs to be, an organization faces risk because of its potential to fall into the wrong hands.
There is so much new data being generated, and the amount of data that's considered archival, historic-kind of data is continuing to grow. Maintaining oversight of that is becoming much more challenging. It's not so much that there is a specific compliance regulation that is driving that; it's that if you are not monitoring what needs to be retained for compliance reasons, then you run the risk that IT doesn't know what that data is. If they don't know how sensitive it might be, it could be moved from one storage location to another that's not as protected as it should be and increase the risk the company might face.
If you look at the European Union, however, they have a very different perspective. Their regulations are less about retention and much more about ensuring privacy and ensuring that personal data is deleted. For example, if you have a customer or client whose data you are maintaining, when they are no longer a customer or client, you have to get rid of that data.
Data that might be useless to one department might prove very valuable to another in the same company. How can businesses make this distinction when developing a data management strategy so they are not mistakenly deleting necessary information?
Gascon: IT personnel and the IT infrastructure are storing so much data that one of the things we are starting to see is that some organizations are looking to identify the data that they have. During legacy data analysis, they're basically going into file shares and doing an initial, primarily automated assessment to identify the types of files and gather as much information as they can. It comes down to records managers to start looking at the information to determine exactly what that data is, then work across multiple disciplines to determine what can be construed as not having any value and is a candidate for deletion. That data can be very valuable to a different functional discipline in the organization. That's where, from an information governance standpoint, you need to engage stakeholders across the enterprise to determine importance.
A lot of companies have seen their infrastructure sprawl out over the last decade or so, and we really haven't seen any better control over managing the data. A lot of organizations have to start at ground zero and analyze their data. Once they identify what the data is, they work with stakeholders to develop a policy relative to individual data assets. The next step is to ensure you're not just storing data in the environment without having a policy already set. For example, a lot of legacy data is really never subject to information management. It's created by users, it's stored in a file share and there's not a lot of context and controls around it.
Organizations should start classifying that newly generated data as soon as possible so that, from the time that it's "born," priorities are identified for it and policies are set around it so you don't fall into a trap where information that is not important for one part of the organization is deleted, but the data is critical for another group inside the company. You want to catch that early on, so that even if it loses value to one area of the organization, it's still identified as having value for another.
What overall business benefits can companies expect when they properly dispose of unnecessary information? For example, will retention/deletion schedules result in storage cost savings?
Gascon: Once you identify the data and apply deletion and retention policies, you're starting to manage the storage environment in a much more useful way. In the last several decades, companies have just stored everything, and that comes with a tremendous amount of costs. We've reached that tipping point, where the amount of floor space in the data center runs low, power consumption continues to grow and resources are scarce. If you are managing data and deleting it effectively and in a defensive manner, you can keep that storage environment to a manageable level.
More on data management strategy and compliance
Adapting continuous monitoring to maintain regulatory compliance
The keys to compliance-centric data retention and deletion
You'll start to see the cost benefits relative to how much you need to spend on storage. The other aspect is that by eliminating data from the environment, from a legal standpoint, the cost to conduct discovery work drops dramatically. You don't have to sift through or evaluate so much data, so it keeps the amount of data you are seeking through e-discovery at a manageable level. If you can reduce the data footprint, that reduces the cost to review documents for discovery purposes.
How should companies develop their records retention/deletion schedules to ensure regulatory compliance? Also, who should be responsible for leading this effort in the organization?
Gascon: Regulatory compliance has become much more complex over the last several years, especially for companies that operate in multiple jurisdictions. It's that cross-functional group input again: You have legal that is looking out for the best interests of the organization and has to understand the jurisdiction in which the company operates, and what the regulatory and legal requirements are. Legal needs to work in conjunction with records management so that together they can review the compliance mandates that are out there and come up with a retention schedule that makes sense. It comes down to those two groups identifying what the policies are, and both need to work with the IT group because ultimately IT is going to be responsible for the technology. It's a cross-functional endeavor, and various stakeholders will have responsibility throughout the lifecycle of data elements.
From a regulatory and compliance standpoint, the legal team probably has the most responsibility. They need to understand what the legal requirements are from a regulatory standpoint in the jurisdiction in which they are operating.