Notice I did not specifically call out technology. The reason is that technology is seen as a tool by most Attorneys and Auditors I have spoken with over the years. As one Attorney replied to me when discussing this topic, “technology that has been installed and maintained to vendor specifications is difficult to challenge, in that it is doing what it is designed to do. The focal point then turns to governance, process, and procedural elements undertaken by the human element where inconsistency, inaccuracy, and error are likely to be present. Technology is the secondary area of focus for potential fault.”
Understanding the Challenge
Imagine that your organization is in litigation and being challenged in relation to your data privacy practices. Perhaps it is in relation to the European Union (EU) General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). The challenge you must defend is that of proving your governance (if you have any), processes, people, and technology are aligned to comply with these regulations. The information in question could be contained within a database, various documents (contracts, spreadsheets, presentations, proposals, etc.), email, websites and file-shares, and even hard copy.
When called upon to present the information in question, do you have a process in place to:
• identify the information in question and where it resides across your enterprise.
• initiate a legal hold on the information, preventing it from being modified and/or destroyed.
• audit the information ecosystem to ensure the legal hold is adhered to.
• determine which parts of the information collected are relevant to the request and which are not.
• preserve all relevant information until it can be destroyed.
• present it to the courts or Auditors.
Steps You Can Take Now
While this may sound incredibly daunting, there are steps you can and should take now to prepare for a time when your information management practices are questioned and must be defended. Here are several items to consider and act upon now.
1. Identify the regulatory, legal, and industry-specific requirements your business organization must adhere to across the enterprise. These could differ state by state and within the various countries where you transact business.
2. Determine if there is an information governance policy in place that addresses these requirements from a people, process, and technology perspective. Look for documented processes, training, and technology solutions. If there is governance in place, update it as needed to reflect current requirements. If there is no governance to be found, begin developing a framework to address it.
3. Conduct an information inventory to identify what information assets you have and how many copies or versions of each information asset exist (you will be amazed at the number – especially those found in emails, shared drives, and PC hard drives).
4. Identify information assets of value to the business organization, eliminate any redundant, obsolete, or trivial information (ROT), and maintain singular copies – if possible – of your information assets that are of business value to the organization.
5. Document, improve, and automate as many of your business processes as possible to establish and maintain consistent practices across your enterprise.
6. Monitor your business processes to ensure they conform with your regulatory, legal, and industry-specific requirements, and initiate a continuous improvement program in an effort to further enhance your business operations.
7. Provide training to all stakeholders interacting with your information assets on the updated policies, processes, and technologies with periodic refresh training that focuses on any changes to regulations, policies, processes, or technology.
In My View
Defense of your information practices is not merely a legal issue; it should be viewed as an organizational practice leveraging the expertise of a cross-functional team. Of course, legal would be a major part of this team, but so should IT, representatives from the various business organizations, information and records managers, and even business partners if they are interacting with your information assets and accessing your information ecosystem.
There is never a “right time” to begin, so I always say that the time is now. Given the potential risk for non-compliance, even with only part of your information governance, processes, and technology in place, you are more defensible than if there is nothing in place and no way to prove you are making an effort.
About Bob Larrivee
Inducted into the AIIM Company of Fellows in 2019, Bob Larrivee is the President and Founder of Bob Larrivee Consultancy. With over 35 years in information and process management, Bob is a recognized expert in the application of advanced technologies and process improvement to solve business problems and enhance business operations, and serves as a Staff Writer for Document Strategy.