Baker Donelson's Data Protection, Privacy and Cybersecurity attorneys are pleased to continue a series of client alerts that address significant cyber-threats to your business and how you can protect your business with thoughtful and timely planning before an emergency arises. Proper planning includes recognition of the threats, assessment of the risk and then examination of the facts and tools at your disposal to mitigate the risks. The series will address your options, from adopting appropriate IT policies and procedures to acquiring contractual indemnity and insurance for specific loss risks. When there is a recommended technical solution available, we will consult with leading expert vendors and provide their input. We often hear that in today's tech environment, it's not a matter of whether you will be hacked or attacked, but when; therefore, we want to help you be well-prepared for the challenges ahead. Our series will help you get ahead of the game.
Keep Only What You Need – Information Management in the Digital Age
Many of us make personal New Year's resolutions, but how many of us also do that with our businesses? It's 2017 and any business that has to comply with state, federal or international data privacy laws and regulations (which is virtually every business) should make this resolution: keep only what you need! In other words, for any data affected by privacy laws and regulations (i.e., any data that contains personally identifiable information, protected health information or other sensitive information), your company should only keep the data required as necessary for business purposes and to comply with applicable privacy laws and regulations. It's a simple concept, but it can only be achieved through diligent information management.
With non-compliance risks higher than ever before and companies needing to support an expanding number of applications, communication networks and storage platforms, it's never been more important to implement and maintain an effective information governance program.
What Your Company Should Be Doing Now
It is now crucial to identify the types of data your company has so the data can be managed according to the privacy laws and regulations applicable to that data. You must know what types of data you have in order to manage the data at the granular level required for compliance purposes. Managing data at a granular level will also allow your company to strike the appropriate balance between compliance and efficiency. If your company's data isn't managed at this level of granularity, your company runs the risk of non-compliance or needless inefficiencies (e.g., increased storage and security costs). An effective information governance program is not only important as a risk management tool (by improving the ability to meet data compliance obligations), but it's also important for budgeting and obtaining value from the data (i.e., reduce inefficiencies and costs by removing unneeded data).
The faster your company accumulates data and the more data your company accumulates, the less likely it is that the data will be viewed, analyzed, used or understood, which means the data has little value to your company. If you need to accumulate large amounts of data because it has potential value (i.e., analytics and artificial intelligence), at a minimum the data should be anonymized so the data contains no personally identifiable or other sensitive information. This will allow your company to unlock the potential value without the fear of regulatory non-compliance.
For many companies, information governance is a manual process, but automating this process is critical for any company maintaining large amounts of data. Manual information governance involves training every employee and is too time consuming. In addition to individual employee responsibilities, a company must assign information governance responsibilities for data of former employees and data specific to departments, projects, etc. (but not individuals). Other considerations include data that is subject to litigation holds and who can make decisions about that data. The problem with manual information governance is that it is an ongoing process, so employees will constantly be doing this. It's just too time consuming and not practical for any company with large amounts of data. The solution is to put processes in place that keep data organized, which includes automation.
Automated information governance involves applications that analyze the data and take action based on a company's policies. Most automated solutions start with analyzing metadata (creation and modification dates, location, file type, author, etc.) to make policy decisions, such as legal holds and ROT (redundant, obsolete, trivial). Newer and more advanced automated information governance solutions go beyond metadata analysis and use artificial intelligence (AI) to analyze content and make decisions. If your company maintains large amounts of data, this is the type of information governance solution your company should be preparing for if it's not already using.
What Your Company Should Be Preparing For (If It's Not Already Doing)
Cloud-based Governance
Many countries, and companies located or with a presence in those countries, have been slow to adopt cloud-based governance solutions, primarily due to data sovereignty concerns. However, cloud-based governance and archiving solutions are evolving to meet evolving global demand. Cloud providers are now offering "in country" cloud-based governance solutions (via the cloud provider or local partners), which should alleviate data sovereignty concerns and incentivize previously hesitant organizations to move information governance to the cloud. By adopting cloud-based governance solutions, companies will enhance their information governance programs because of the powerful analytics and AI capabilities that will now be available to them.
In-Place Records Management
If your company's data is not centralized, whether in the cloud or on premise, In-Place Records Management is a good alternative to centralized cloud-based governance solutions. With In-Place Records Management, the governance solution does not move the data to manage it. Rather, the data remains in its original location while the governance solution manages the data retention policies. There are several advantages to this type of solution: (1) users will find their documents in the same place they are accustomed to; (2) existing security controls remain in place and do not have to be replicated; (3) existing workflow processes do not have to change; and (4) faster implementation of one solution for all different systems.
Turn AI into IA
Regardless of the type of information governance solution your company uses, it should be using a solution that includes machine learning. Machine learning used to only be associated with advanced analytics, but it is shifting toward empowering data-driven applications, including information governance applications. These applications analyze the content of large data sets to identify data types and data relationships not identifiable by metadata analysis. After using AI to analyze content and make decisions about large data sets, your company can take advantage of machine learning by using the knowledge learned by AI to inform and assist with the ongoing employee processes related to information governance. In other words, turn AI into IA (intelligent assistance). Your company can take advantage of the intelligent assistance provided by these data-driven applications to manage the day-to-day process of your company's information governance program, which will make it more efficient and more accurate.
Many companies continue to maintain data just in case they need it in the future. This practice is inefficient and leads to higher storage, application and security costs. Modern AI and analytics tools allow companies to minimize these inefficiencies and costs by performing deep analysis of the information and achieving insight that, when combined with granular data management policies, allows companies to automate data segregation, removal and migration. When data is managed using policies based on intelligent, granular data insight, companies not only remove inefficiencies and reduce costs, but they put themselves in a good position to defend their data retention policies (and keep only what they need).
GDPR
AI and intelligent assistance will significantly enhance a company's ability to comply with onerous data privacy laws and regulations such as the European Union's (EU) General Data Protection Regulation (GDPR), which will be enforced beginning on May 25, 2018 (see GDPR). If your company maintains or processes personally identifiable information about EU citizens, your company will soon have to accommodate new data subject rights under the GDPR. These data subject rights include:
- The right to have their data deleted
- The right to have their data transferred
- Upon request, the right to receive any of their data that is being processed
- Deletion of personal data once it is no longer being used for its original purpose
In addition, under the GDPR, certain sensitive personal data (data relating to health and religious beliefs) requires a higher level of protection than other types of personal data. It’s critical for a company to be able to identify the types of data it maintains and be able to locate that data when necessary (e.g., legal holds, permissible disclosure, deletion).
Having an information governance program in place that takes advantage of powerful data identification technologies will greatly assist your company in complying with the GDPR. Because the GDPR is likely to be the model for other privacy laws, it may become the data management standard for all companies. But that's a good thing, because the GDPR is a high standard to meet, and if your company is GDPR-compliant, it will likely be compliant, or very close to compliant, with other applicable privacy laws and regulations.
Embrace Minimalism
In addition to compliance, an effective information governance program can also enable your company to change its data retention culture. Many people are embracing minimalism and your company can too (at least with respect to its data). For individuals, minimalism can mean many different things: living with fewer material possessions, not owning a car, being able to travel the world, etc. But minimalism is more than that; it's a tool that allows a person to focus on what's important and free themselves of the surplus in their life. The same can apply to your company through its information governance program. By removing the ROT and other data that is not required to be kept any longer, your company can save money on data storage, reduce e-discovery costs, reduce risk and focus on other aspects of its data, which unlocks and increases the value of its now-manageable data. Simply put, your company's information governance program can be used to develop a culture of data retention minimalism and allow your company to keep only the data that it needs.
For more information regarding this alert, or for any questions involving data protection, please reach out to Bill O'Connor, CISSP, CIPP/US or any member of Baker Donelson's Data Protection, Privacy and Cybersecurity Team.