As a whole, humanity creates and stores a truly mind-boggling amount of data. Most of the time, when describing just how much data there is out there, well-intentioned articles will provide helpful comparisons such as ‘if you put all the data predicted to exist in the world by 2025 on DVDs, the stack would wrap around the earth 222 times.’ As if that makes it easier to grasp. Luckily, as overwhelming as the global data-related numbers are, they do not really matter all that much: what matters is there is a lot of it. So, just think of the largest amount of a thing you can think of, and it is likely significantly more than that.
It is no surprise that in response to that explosion in data creation, data stores across the world are growing exponentially, with total data numbers expected to double over the next 3 years. This growth also applies equally, if not especially, to corporate data stores.
As corporations are more often subject to legal disputes and are obligated to comply with a wide range of regulations, keeping the data at least somewhat organized is essential. The policies and procedures in place to organize data is commonly referred to as Information Governance.
Here's what we'll cover:
- What is Information Governance?
- Why does Information Governance matter in eDiscovery?
- 3 Challenges to Information Governance
- Getting started with Information Governance
- Best practices for Information Governance
- Information Governance tools
What is Information Governance?
According to Gartner, Information governance is “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
Which is to say, it is the set of rules and policies that decides who does what with data when to prevent the company from getting in trouble later on.
Why does Information Governance matter in eDiscovery?
In order for eDiscovery to perform its task of finding relevant information, it must first have information to search. That is where information governance comes in. In the industry-standard Electronic Discovery Reference Model (EDRM), Information Governance is square one, quite literally the natural state all the potentially relevant data should exist in prior to the eDiscovery process. In effect, within the standard framework EDRM provides, Information Governance continually happens in the background even as the other stages of the model are occurring. At the same time, it should be noted that data that is deemed potentially relevant as evidence may need to be exempted from certain provisions in the Information Governance framework.
In the context of an ongoing investigation, any data identified as relevant should be subject must remain available to investigators for process, review and analyze. Therefore, relevant documents are placed in a legal hold (or litigation hold); a process that ensures the data is not deleted or moved around while it could be evidence. Once the hold is lifted, normal operations continue and the data in question is once again subject to the Information Governance protocols.
EDRM frames Information Governance as a responsibility shared by three main stakeholders: the Business-interested departments (business is broadly defined: referring to anyone that generates and/or uses data), Information Technology (IT) department, and the risk avoidance departments (these are the departments that seek to protect the business rather than add to the profits, e.g. Legal).
When eDiscovery enters the scene, it uses the result of the Information Governance process, which is information being stored in such a way that it can be found and searched, to find information or evidence relevant to the case at hand. Simply put, Information Governance practices are the data equivalent of keeping a house tidy, so when there’s people coming over you know where the board games are kept without having to move all the furniture around trying to find them.
Even putting eDiscovery-related concerns aside for a second, the reasons for companies to adopt a set of Information Governance practices are simple: storage is expensive, and keeping potentially sensitive information is risky (and potentially expensive). The term that applies to the data that Information Governance would aim to weed out is digital debris: data that holds no legal, business or regulatory value. In 2014, EDRM wrote: “the question is no longer why but how to dispose of digital debris.”
3 Common Information Governance challenges in eDiscovery
Due to its continuous nature, Information Governance can have more fundamental challenges to its proper execution than most other steps described in the EDRM. As most of the EDRM only comes into play when a matter is at hand, effective Information Governance needs to happen consistently and across the board, even when there is no active legal reason to, which causes it to have a few particular challenges that do not necessarily apply to the rest of the eDiscovery process.
As visualized in the Information Governance Reference Model (IGRM, see above) the Information Governance’s ownership is typically a three-way tie between the business, IT, and Legal. Each of those stakeholders has different requirements and desires. These competing interests lead to a situation where stakeholders spend a lot of time arguing with one another about Information Governance without actually governing the information. This is partially why even as the importance of Information Governance is well known, only 33% of companies surveyed in 2018 had a program for consistent defensible disposal, and 60% of the data volume held by companies, in general, represented no business, legal, or regulatory value.
The ownership issue does have two obvious solutions: collaboration and specialization. Collaboration would see the formation of a high-level steering committee, which would smoothen out many of the current mini-debates that constantly bog down Information Governance issues, although it does require time out of the schedules of some already very busy people. Specialization, meanwhile, addresses the problem with the oldest solution in the book: throw money at it. By creating a new c-level position, the Chief Information Governance Officer (CIGO), an executive who is directly in charge of enterprise-wide information coordination. Of course, finding the right person for the job might not be easy, but as Big Data continues to challenge businesses, and data privacy becomes a growing concern, the need for CIGOs becomes increasingly clear.
On a similar note as the ownership issue, and even if there is a CIGO in place, stakeholders have different priorities when it comes to Information Governance:
- Business leaders prioritize convenience since they rely on data to drive profits. Their top concern is having data as easily accessible and creatable as possible,
- Legal departments prioritize access and structure since they are in the business of limiting risk. Their top concern is knowing where data resides, and restricting avenues for data creation (i.e. do business via email, even if Slack or WhatsApp is more convenient).
- IT departments prioritize data protection since their job is to ensure data security. Their top concern restricting both access and creation in order to limit potential security risks.
That is not to say these departments can never agree, but it does mean that there is work to be done by any steering committee or CIGO in order to balance these priorities.
3. Executive backing
Gaining the support, both effort-wise and financially, of business executives is a challenge that Information Governance shares with almost every other department. Information is a significant and complex effort, which translates to an expensive one in the ears of business management. Building a business case is thus essential to communicate the value of Information Governance. Sure enough, ROI models do exist such as this one by Osterman Research, which shows creating a compelling case is feasible. The interesting thing concerning creating a business case is that it grows in relevance and urgency as the business grows. At the same time, the authors of the report urge patience: “[ROI] is often misrepresented as only cost savings. (…) Individuals calculating an ROI should take as much time as needed to fully understand the costs before and after implementation. If information is easier to find, use, and manage within an organization, the organization will benefit.”
Getting started with Information Governance
Once project ownership is established, priorities are set and the business is on board with getting started, it is time to actually get started. Unfortunately, as with any large operation, getting started happens to be the hardest part of the operation. As most companies already hold significant amounts of data, getting to a point where you are ready to start implementing the management program that Information Governance is like installing a steering wheel on a moving car. On the bright side, there’s no time to start like the present! Data stores have never done anything but grow.
Step One: Perform a comprehensive Data Audit to learn what you have in store
Step one is getting to know how much data you’re dealing with. At the start of an Information Governance effort, all data held should be accounted for, that includes backup tapes, legacy systems, data archives. Though most departments will have a solid understanding of the data they use semi-regularly, there is likely to be a lot of data held in places that have not been given any attention in a good while.
Step Two: Deal with step one
The process of starting Information Governance is an exercise in prioritization. Once the data audit is complete, it should become clear what the main issues are. If data is kept in decentral drives and on individual devices, then a centralization effort is the best place to start. Does the audit reveal large swaths of data held in legacy systems, backups and long-term storage? Then your first steps should be to begin the creation of a retention policy. What you find during the audit will dictate what you do next. Any data audit will turn up a number of issues that need to be addressed before a plan can be put in place, it’s like a spring cleaning on your data stores, and surveys show up to 60% of data held holding no business, Legal, or regulatory value. That’s a lot of bytes, and once a retention plan is put in place, you can begin getting rid of that digital debris.
Step Three: Let’s never do this again
Performing the first data audit is a big undertaking, which in many cases is still dwarfed by dealing with its results. Worse yet, unless you put plans in place, you’ll have to do it all again sooner rather than later. In 2018, CGOC stated: “In 2010, 98 percent of respondents identified defensible disposal of information as the desired benefit of an IG program, while only 22 percent had such a program. Yet in 2018, the number of companies with an automated defensible disposal program in place had risen to only 33 percent” (source). Meanwhile, total data created worldwide more than tripled during that same timespan. Simply put, once you’ve cleaned your house, make sure you don’t have to start over in a week.
Best practices for Information Governance
So, you’ve managed to install a steering wheel on a moving car. Now it’s time to learn how to actually drive the thing. Once put in place, the protocols associated with Information Governance should be relatively straightforward:
1. Ensure your Information Governance protocols and requirements are communicated clearly
Information Governance almost always has an impact on the way employees do their work, as it changes where information can be stored, how it can be stored, and for how long. Ensuring that those who interact with that data are aware of the expectations put upon them is key. Any effort to implement Information Governance without training the workforce is doomed to fail, so making sure everyone understands the requirements is paramount. You’ve already made the effort to audit, resolve issues and write protocol, so don’t skip the part where the people who make sure you don’t have to do it all again know what they’ve got to do.
2. Trust but verify with regards to compliance
As with any program that mandates a few extra steps and awareness, Information Governance needs to be followed up on consistently. Stakeholders, either the IG steering committee or the CIGO, should take care to remind team leaders to keep their protocols top of mind (both for themselves and their team members). In addition, it would be wise to set up a schedule of periodic spot-checks and small-scale data audits to act as an extra check on compliance. If compliance begins to wane, don’t hesitate to circle back to the training discussed above.
3. Measure results & take stock of improvement opportunities
At the onset of the Information Governance process, the business case and ROI calculations have been made based on projections and externally-derived data. Now that the program is up and running, it’s key to make the same calculations and measurements on the actual data. This will help to justify the continued effort required, but also help identify possible avenues for improvement.
Information Governance tools
What tools you end up using to facilitate your Information Governance efforts, is closely tied to your current setup. In certain cases, existing tools can be repurposed to assist the process, in others you may have to build from scratch. At the same time, what tools you choose to use is (to a certain degree) a matter of personal preference. For businesses, personal taste might not factor into tool choice, but just like for individuals, what tools a company uses serves as an expression of priorities.
For instance, there are tools such as Ethyca, who automate data mapping and focus especially on privacy law compliance, allowing users to save massive amounts of time on the initial data mapping efforts and the processing of Data Subject Access Requests. If you’re dealing with large amounts of data, in a lot of formats and locations, there are enterprise-level data integration tools like Informatica or IBM that seek to organize and consolidate data across large organizations. They aren’t alone in doing this, in fact, Gartner published an entire Magic Quadrant on Data Integration, which should give you a wide range of options.
For smaller-scale efforts, or if you seek an experience more focused on Information Governance and automating (parts) of the process, tools like OvalEdge, Collibra or may provide what you seek. There are also Open Source options, including Talend and Truedat.
Generally, Information Governance solutions tend to be end-to-end tools, the difference between them is mostly due to the amount of data they’re designed to handle, the degree of automation they provide (rule of thumb is the more data it wants to manage, the less automation it can offer). As always, prices vary wildly across the spectrum and with it the degree of support, features, and ingestion capacity. With so many options, it’s worth the effort to take a good look around and find the solution that works best for what you’re trying to achieve.
For many companies, legal and regulatory challenges are a fact of life. However, when they begin to deal with a case as it presents itself, their eDiscovery process often starts at the bright red box in the EDRM that says ‘Identification’. Although you have to start somewhere, there’s a reason Information Governance precedes Identification in the model. Without Information Governance, data stores are messy and disorganized, which makes finding relevant information much harder and more time-consuming.
None of this is news, of course, but the tough first steps that come with Information Governance have made companies hesitant to start. It is absolutely true that the initial effort can be truly daunting, which has had a significant impact on the general adoption of Information Governance, even if the ROI figures are encouraging, the business case is solid, and the measures are taken sensibly. In the survey we cited earlier by CGOC, only 7% of companies surveyed in 2018 had a mature, integrated Information Governance process in place.
All that said, Information Governance is still the first step to a consistent and reliable eDiscovery process, which is becoming increasingly important when it comes to dealing with both civil litigation and regulatory requests. With that knowledge in mind and the realities of data growth in support, the business case for starting now rather than later is increasingly compelling. With the right tools in hand, the effort of Information Governance isn’t even only cost-saving, it could be turned into a tool that enables data-driven decision making.
Should you want to learn more about how ZyLAB can help you improve your eDiscovery processes, don’t hesitate to reach out.