Managing Technology with People, Process, and Planning Part II

Read Part I of this series here.

This article is the second and final part of a commentary discussing the importance of information governance practices, and the increased need for revised information management practices. Regulatory and legal obligations imposed on corporations to protect the security and privacy of information create increasing information governance challenges. With widespread data volume growth as a norm, the need for automation and reliance on technology to serve a role in governing data is apparent. The article discusses various options organizations consider when trying to create or revise their information governance practices. The first part of the series discusses the need for information governance plans, with the second part of the series addressing the use of rules-based technologies to help classify and manage information.

Information Governance: “Rules-Based” Solutions

Corporations with developed document retention practices rely on using “rules-based” technology to enforce those policies, automating an otherwise complex manual process.  IG technology classifies information by performing content analysis and applying those results to a pre-established set of rules. Defined rules within a classification technology provide great flexibility for an organization wishing to implement automated processes into their information governance (IG) plans.

A rules-based workflow can control the ultimate disposition of each individual file. Records outside of the organization’s document retention schedule, and not subject to any litigation hold, are eligible for deletion subject to preferred additional safeguards. Administrative approval may be required before deletion of any information occurs; however, technology can be fully automated to follow a deletion schedule enforcing the organization’s retention policies. Rules-based IG technologies can provide an audit trail detailing each action taken within the system.

Configuring rules to add automation to an IG action plan requires an iterative process. Once the defined rules are configured, a means is necessary to validate their performance. Organizations use existing business knowledge to determine if rules are being properly enforced based on known attributes within the data. When initially implementing an IG technology solution, organizations must conduct tests of the results generated by the created rules set. In addition, IG solutions provide options to test the results of new or revised rules, before generating system-wide updates.
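The disposition workflow and pre-rollout rule testing described above can be sketched as follows. This is an added example, not code from any IG product; the record fields, category names, retention periods and decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: record category -> retention period in days.
RETENTION_DAYS = {"invoice": 7 * 365, "email": 2 * 365, "draft": 180}

@dataclass
class Record:  # hypothetical record metadata
    record_id: str
    category: str
    created: date
    legal_hold: bool = False
    approved_for_deletion: bool = False

def decide(rec, today, require_approval=True):
    """Return (decision, reason) for one record."""
    if rec.legal_hold:  # a litigation hold overrides every other rule
        return "HOLD", "subject to litigation hold"
    period = RETENTION_DAYS.get(rec.category)
    if period is None:
        # No rule for this category: route to a human, never delete.
        return "REVIEW", "no retention rule for category"
    expires = rec.created + timedelta(days=period)
    if today < expires:
        return "RETAIN", f"within retention until {expires.isoformat()}"
    if require_approval and not rec.approved_for_deletion:
        return "PENDING_APPROVAL", "expired; awaiting administrative approval"
    return "DELETE", "expired; not on hold; approval satisfied"

def run_disposition(store, today, dry_run=True, require_approval=True):
    """Evaluate every record; delete only when dry_run is False.

    Returns the audit trail: one entry per record, acted on or not.
    """
    audit = []
    for rec in list(store.values()):
        decision, reason = decide(rec, today, require_approval)
        applied = decision == "DELETE" and not dry_run
        if applied:
            del store[rec.record_id]
        audit.append({"record_id": rec.record_id, "decision": decision,
                      "reason": reason, "applied": applied,
                      "evaluated_on": today.isoformat()})
    return audit

def sample_store():
    """Constructed sample records, keyed by id."""
    recs = [
        Record("r1", "draft", date(2017, 1, 10)),
        Record("r2", "draft", date(2017, 1, 10), approved_for_deletion=True),
        Record("r3", "email", date(2015, 3, 1), legal_hold=True,
               approved_for_deletion=True),
        Record("r4", "invoice", date(2016, 6, 1)),
        Record("r5", "memo", date(2010, 1, 1), approved_for_deletion=True),
    ]
    return {r.record_id: r for r in recs}

if __name__ == "__main__":
    for entry in run_disposition(sample_store(), date(2018, 6, 1)):
        print(entry)
```

Running with `dry_run=True` produces the same audit entries a live run would, which lets the rule set be checked against records whose correct outcome is already known before anything is deleted.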

Organizations vary in complexity, size, and scope, and some may have useful practices already in place that can be replicated through the creation of rules based in technology designed to satisfy IG tasks. It is important for corporations to examine and evaluate any IG technology, ensuring that the solution doesn’t hinder their normal data throughput. When adding technologies at an enterprise level, IG professionals must ensure that normal business is not interrupted by IG solutions. IT professionals should measure the performance of IG technology by monitoring the impact of the solution on the overall system’s throughput.

Upon validation of results provided from a rules-based IG solution, automation is used to help certain key personnel more effectively perform their designated tasks. IG solutions provide great benefit for corporate compliance needs.  IG technology offers an added safeguard through the provision of monitoring alerts. Detecting certain specific content in unique files results in automatic alerts sent to designated contacts. Hence, monitoring notifies administrators and other select personnel that files contain sensitive information, or perhaps otherwise anomalous information deviating from expected norms, requiring further scrutiny.

Corporations face significant compliance challenges, ranging from legal obligations to adherence with industry accepted best practices. Using rules-based technology adds an element of automation to assist compliance officers in the performance of their duties. In certain jurisdictions, compliance is more complex and provides additional challenges unique to the organization’s geographical location. Having automated alerts sent to compliance personnel that require them to take further action goes a long way toward establishing the validity of an internal compliance program. When contents of the data, or some other action, trigger an alert to system administrators, technology further tracks the history associated with each alert.

Compliance and Reducing Risk

Monitoring, combined with results generated by IG technology and practices, can prove an effective solution for a variety of needs. Rules-based IG plans rely on monitoring and alerts to satisfy a range of obligations: data governance, data privacy, security, e-discovery, investigations, regulatory compliance, litigation hold, and information purging. Monitoring features in IG solutions are customizable and integrate to share information with other data security programs.

Pattern-matching technology is available to trigger alerts in IG systems. Numerical sequences (such as social security numbers) are detected, and alphanumeric values are determined from the content level of the information. Hence, specific bank account or other financial account numbers are detected by programming the rules-based technology to look for those patterns. Unique product numbers or client identifiers are automatically found and monitored by IG solutions. Detecting the presence of “Personally Identifiable Information” (PII) proves useful to organizations for several reasons.

Applying the results of content analysis to a defined set of rules improves the organization’s archival and data storage practices. IG solutions seek to provide guidance for the ultimate disposition of each file. The content analysis results produced via IG technology are available as a reference source for a rules-based system. It is possible to configure IG solutions to match existing folder-level taxonomies used by other ECM systems to store data. Each file’s specific attributes determine the location where the information is stored according to the organization’s information management policy.

Organizations using ECM systems experience improved results in the performance of those solutions, resulting from increased file classification accuracy. Human file classification errors are corrected by IG automated classification, improving information retrieval capabilities. IG software increases the ability to retrieve information for any business purpose providing widespread benefit.

Beyond serving as a solution within an active server environment, organizations use IG solutions in conjunction with other EIM technology to migrate data. For projects involving a need to migrate legacy data from one system to another, IG content analysis serves as a valuable resource to identify and track the movement of the electronically stored information. IG solutions identify files eligible for purging during data migration projects as well. IG technology exists to serve a “smart” archive or “risk repository,” creating additional methods to track important information, making it readily available upon demand, further improving information management capabilities.

Security and Privacy: Restricting Access to Information

Visibility into information’s content is useful for several IG purposes, including enhancing the ability to protect information. IG technology detects sensitive information in any file and triggers options for special handling of that information. The ability to locate and control sensitive information and PII is a vital component of IG practices. Automated classification technology detects PII and provides control mechanisms limiting access to that content. Automated redactions at the content level provide a means of granting access to a limited version of that document.  Organizations limit access to files not only by redacting content but through enforcing user-level security permissions. A senior stakeholder’s user access may enable that individual to view an un-redacted document, where a user with lesser privileges accesses only the redacted version.

Detecting sensitive content enables organizations to safeguard essential corporate information and protect trade secrets. Pattern-matching elements within IG technology are customizable. IG technology detects numerical sequences, such as social security numbers or bank accounts. Rules control the access to files containing data with detected patterns. Similar to handling PII, content deemed to match a pattern triggers special handling options. Alphanumeric patterns serving as organizational identifiers, such as client numbers or matter numbers, provide useful reference information for IG technology.
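A sketch of the pattern detection, privilege-based redaction and alerting described in this section and under "Compliance and Reducing Risk". This is an added example, not code from any IG product; the role name, the "CL-" client-number format, the alert fields and the choice of IBAN as the bank account format are assumptions, and the sample text is constructed.

```python
import re

def _ssn_ok(m):
    # Reject number ranges that are never issued, to cut false positives.
    area, group, serial = m.group(1), m.group(2), m.group(3)
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def _iban_ok(m):
    # IBAN check: move the first four characters to the end, map A-Z to
    # 10-35, and the resulting integer must equal 1 modulo 97.
    s = m.group(0)
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

# rule name -> (pattern, validator or None, sensitive?)
RULES = {
    "ssn": (re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), _ssn_ok, True),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), _iban_ok, True),
    # Hypothetical organizational identifier: reference data, not redacted.
    "client_id": (re.compile(r"\bCL-\d{6}\b"), None, False),
}
UNREDACTED_ROLES = {"senior_stakeholder"}  # hypothetical role name

# Constructed sample document text.
SAMPLE = ("Client CL-004217: SSN 123-45-6789 on file; order ref 000-12-3456. "
          "Refund to GB82WEST12345698765432.")

def classify(text):
    """Return hits sorted by position: (start, end, rule, sensitive)."""
    hits = []
    for name, (pattern, check, sensitive) in RULES.items():
        for m in pattern.finditer(text):
            if check is None or check(m):
                hits.append((m.start(), m.end(), name, sensitive))
    return sorted(hits)

def render_for(text, role):
    """Privileged roles see the original; all others get a redacted copy."""
    if role in UNREDACTED_ROLES:
        return text
    out, pos = [], 0
    for start, end, name, sensitive in classify(text):
        if sensitive and start >= pos:  # skip hits overlapping a redaction
            out.append(text[pos:start])
            out.append(f"[REDACTED:{name}]")
            pos = end
    out.append(text[pos:])
    return "".join(out)

def alerts(doc_id, text):
    """One alert per sensitive rule that fired; the matched value is not echoed."""
    fired = sorted({name for _, _, name, s in classify(text) if s})
    return [{"doc_id": doc_id, "rule": r, "action": "notify-compliance"}
            for r in fired]

if __name__ == "__main__":
    print(render_for(SAMPLE, "analyst"))
    print(alerts("doc-1", SAMPLE))
```

The validators matter as much as the regular expressions: `000-12-3456` has the shape of a social security number but fails the range check, so it is neither redacted nor alerted on.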

Unrelated technologies in use by organizations for specific business purposes integrate with IG technologies to further boost security and data protection capabilities. New technological solutions will be designed to meet corporate needs as the importance of IG practices continues to grow. IT systems with primary functions unrelated to one another already serve certain data protection and data privacy roles in an organization. IG technology solutions enhance the functionality of other data protection systems. Incorporating a rules-based technology providing detailed file and content level analysis delivers an added layer of security across all enterprise systems.

GDPR: A Driving Force for IG Expansion

A recent driving force behind IG awareness relates to changes in data privacy laws. The GDPR’s new privacy regulations went into effect on May 25, 2018, and there remains great concern within the business climate based on the significant threat of sanctions. The GDPR applies to “Personal Data”, defined in Article 4 as “any information relating to an identified or identifiable natural person … who can be identified, directly or indirectly … by reference to an identifier.”

GDPR compliance requires both organizational and technological resources. It is necessary for corporations to control their data within a defined manageable perimeter. Organizations are appointing “Data Protection Officers” (DPO), and training employees on how to handle personal data. Organizations are undertaking “Data Protection Impact Assessments” (DPIA) to ensure they satisfy data privacy and data security requirements. The GDPR requirements alone merit a detailed discussion which goes beyond the scope of this writing. Suffice it to say the threat of substantial fines for violations of GDPR regulations is clear.

Vital for GDPR compliance is the ability for an organization to show knowledge regarding specific information in its control and to have the ability to retrieve data from the location where the information is stored. Information controlled by a third-party is also a concern since organizations can be held responsible for information that might be in possession of another entity. Accurate data maps are essential for GDPR compliance. Without organizational knowledge regarding the location of its data, compliance with GDPR regulations is unattainable. If an entity doesn’t know where all of its data is, they can’t possibly know what all of the data contains either.

Organizations continue to struggle with provisions requiring knowledge regarding the contents of all the information within their data environment. Osterman Research survey results from January 2017 found that 58% of mid- and large-sized corporate respondents felt they were not familiar enough with the scope of the GDPR’s requirements.

Technology helps address some of these GDPR concerns, including managing consent, limiting the transfer of certain types of data, and preventing certain data transfers. In addition, measures needed to delete information are vital under the GDPR’s provisions, as companies must be able to comply with a “Right to be Forgotten” request from an EU citizen. Detailed customized reports provided by IG technology further substantiate GDPR compliance, as do audit trails that track activity across the enterprise, along with detailed reporting options and data analytics.

The GDPR focuses on protection of personal data, not just enforcement of privacy rights. Without a proper balance of people, process, and technology, regulatory obligations will pose too significant a challenge for companies to meet. Other privacy laws and cybersecurity regulations on the horizon will impose obligations similar to those imposed by the GDPR, and may expand those requirements. Rapid ability to generate reports showing the location and content of specific data possessed by the organization has tremendous GDPR compliance value.

Growing Importance of IG

Information governance is a discipline requiring the use of a variety of business resources to gain a greater level of control over organizational data.  IG policies impact the ultimate storage practices of valuable organizational information. In addition, IG practices enforce the policies, standards, and processes of an organization. The contents of information, along with automated enforcement of rules and alerts triggered by a file’s attributes, bring automation that reduces cost and risk. Managing information continues to pose new challenges, including recent increases in data sources that store fragments of information across multiple systems and locations.

Corporate entities have been managing information and addressing governance, risk, and compliance obligations throughout the modern era. Traditional GRC protocols serve as a foundation for updating an IG plan. Implementing technology designed to provide additional visibility to information across the enterprise provides increased information management capabilities. Moving away from silo models, where business vertical units manage their information separately, into an enterprise management approach provides a means to reduce costs and create efficiency. Using search and retrieval results performed across all data sources from within a single dashboard eliminates duplicative efforts. However, an IG plan does not require abandoning a departmental management model. IG solutions should integrate with technology in use by various business units, enhancing other systems’ performance. IG plans built on institutional knowledge help improve organizational content management, records management, and knowledge management.

Removing surprises from the data universe is an additional goal for any IG plan. Having access to information in various systems in a timely fashion is essential. A goal of IG should be to ensure that the right persons have access to the data they seek, whenever they need such information. Content-based monitoring and accompanying alerts limit the burden of governing information, providing safeguards against sensitive data loss or data privacy violations.

Finding the information needed to complete a business task in a timely fashion continues to pose a growing challenge for organizations. IG plans, combined with the processes and procedures required to implement those practices, are essential components for managing data governance, risk, and compliance requirements. Tools and technology exist to help organizations create customized solutions, tailored to integrate with other existing business systems, thus reducing the challenges associated with IG principles.

Conclusion

Establishing an effective combination of people, process, and technology as components of each business process is a key element of satisfying IG requirements. IG’s importance will continue to grow, as governing information from new data sources creates additional challenges. Volumes of electronically stored information continue rapid expansion, and the business purposes requiring retrieval of information will continue to compel organizations to improve their IG practices. Data policies grow increasingly complex, compelling organizations to address newer forms of communication including social media, “Internet of Things” (IoT), messaging apps, text messages, mobile apps, and Blockchain.

The only means to fulfill increased information management regulations is to establish a framework relying on automation to perform certain designated tasks. Organizations face an increased technology dependence requiring a need for automation in comprehensive IG plans. The tasks required to properly manage information cannot be performed solely by individuals within an acceptable time frame. Components of technology and automation must serve to create time efficiencies and cost reductions to prove their worth. Businesses need to define their established best practices associated with the use of IG technology. Audits and validation procedures should be a component of IG practices as well. Technology results should be verified by some element of human quality control.

Documenting an IG plan and creating audit reports used to respond to any incident will prove useful to various business units, depending on the nature of the purpose of the task at hand. The results provided by automated solutions should also be validated by a quality control protocol in order to further establish a proper IG plan. Creating an effective IG plan provides benefits across business units and departments.

Businesses with proper rules and controls in place use some degree of automation to determine the preservation and disposition of each file. Technology relied on to classify files by content and to control their disposition through a rules-based approach results in greater consistency in guarding corporate assets. Once implemented, an IG plan requires periodic updates as modern forms of technology create new information governance challenges.

An enterprise-level IG solution provides great value to a business organization and delivers a substantial return on investment. Although corporate budgets might limit technology spend, IG solutions certainly merit consideration. Improved IG protocols enable organizations to locate information, determine content, restrict access, redact, and produce information from across the entire enterprise. Improved search and retrieval functions increase the effectiveness of an organization’s employees, regardless of the intended business activity. IG technology enhances the effectiveness of other EIM and ECM technologies, providing a further return on investment.

The increased regulatory and legal requirements imposed on corporations through data privacy and security laws compel improvements to information management practices. IG technology solutions offer assistance to organizations as IG plans and practices continue to develop. Specific corporate needs differ and IG programs require customization. Developing an effective IG plan will result in efficiencies across the organization, resulting in increased productivity and reduced risk. While the main organizational goals for IG plans are to reduce risk and cost, effective plans go beyond that, providing competitive advantages and a wide range of business benefits across an organization.

About Joe Bartolo

Joe Bartolo, J.D., Information Governance and Risk Solutions of Knovos, LLC, is a former litigator in New York State, with 13+ years of experience providing consultative information management and eDiscovery services. Joe is a past VP in the Metro New York Chapter of ACEDS, and the Co-Chair of their Educational Committee. Mr. Bartolo is a former working group leader in the EDRM, and has instructed continuing legal education courses about eDiscovery and information governance throughout the United States. Mr. Bartolo has authored several published articles related to technology utilized by law firms, corporations, consultancies, and government agencies. Joe received a Juris Doctorate Degree from Rutgers School of Law – Newark in 1992, and a Bachelor of Arts Degree in Political Science from New York University in 1989. Follow Joe on Twitter @joseph_bartolo