At the end of an information governance webinar we hosted with Bennett Borden from the IGI last month, attendees had the opportunity to ask us questions about data remediation and IG processes—and we got some great ones. Here are the answers to some of those questions to help start a dialog in your own organization.
Which department in an organization should take ownership of an IG policy, if any? Do you think records and information management should be a contributor in addition to IT and legal?
Bennett: They’re definitely a contributor. IG has been a big boom to records management (RIM). Frankly, RIM’s been ignored for a lot of years by companies, and this new focus on IG will be a breath of life to these really smart professionals. They’re about what to keep and what not to keep—and evaluating what’s important and what’s not based on how it affects the objectives of the company. So their input is really important to have in IG, especially data remediation projects.
As far as who runs IG, we’ve found it’s all over the place inside of companies. The critical thing is that you’re able to balance these stakeholder voices and you’re willing to seek them out. When you have an information-related decision like this to make, you want to be able to elicit all of these stakeholder opinions and also balance them. Sometimes all of these interests don’t align, and when you make a choice you’ll be taking a risk of one kind or another. Eliciting and balancing these voices—and having someone running the group with the right authority to effectuate the decisions—will help you address how your organization can handle each decision and its risks. Mostly we see some combination of legal, IT, and sometimes information and records management, privacy, and security teams.
That combined group will function as a steering committee, and at that level, will identify a project—to remediate a particular archive, for example—and then put together a team of folks from all these groups to handle that project. They have a team lead who will report to the committee, and they’re given the resources and budget to make it happen. This team and project approach is the most effective way we’ve seen it. Part of the process is to build a robust project plan and assign folks to the right actions and milestones of the overall project, including who to pass it to next.
What are some common mistakes made by organizations first trying a data remediation project, and how can they be avoided? How should legal holds affect this process?
Bennett: That’s a great question—when you’re doing data remediation, one of the most important things to consider is what pieces of the data you’re looking at are under a hold. One of those common mistakes companies do make is not understanding all potential legal hold situations at play. That means not just the times you’ve been sued, but also any ways you’re developing as a company that might lend themselves to making you a plaintiff in a case. In addition to active, formal holds, have there been any HR-related complaints or other circumstances that haven’t yet developed into a lawsuit, but may have triggered a duty?
Avoid this mistake simply by understanding what triggering events have occurred and what scope they have on the data you’re analyzing. Look for data that’s relevant to the subject matter of your current business needs, in addition to a particular record class or a case—active or incoming.
The other mistake we see is not getting all the right people at the table. That could include security, privacy, compliance, and HR, but also the right business people—the whole point of IG is aligning to business purposes. Many times folks put together a committee of the compliance and security people, but not the business people.
What is the difference between records and information management (RIM) and IG? Which should come first?
Bennett: To me, RIM is different than IG. If you think about it where we started, info management is more about where data lives and how long it lives there—it doesn’t always take into account why the information is there in the first place. That, however, is the whole point of IG. I’d say the RIM function is one of the pieces that goes under the IG umbrella.
As far as what comes first, RIM is about managing what stuff is being kept for how long—it’s a critical part of IG, but I’d say IG is the larger umbrella.
Since your e-discovery tool is working with copies of your data, how can you connect your decisions to the original source?
Rene: In the demo, I was using a copy of live data, not the live data itself. The software allows me to grab an unaltered copy—with original metadata like file name and location—and this lends to some of the things you want to build in place in an initial remediation project. As you’re going through this, you’ll be building the process that works for you. So here, I’ve built this workspace myself, so I can build everything as I need it, remove things I don’t think I’ll need—and know I can put it back if I need it after all. That’s a function that’s particularly nice, because even if I bring in these documents with a baseline workspace for data remediation, if some of this turns into an e-discovery project because of say, some of those active holds, I can add back in the right functionalities for that part of the business, too. The point is, I have flexibility in the tool to work with the data without harming the original data. Along with that, Bennett, what have you seen in projects you’ve worked on?
Bennett: There are some tools out there that can tell a repository to take an action like keep, delete, or move, but it’s rare and can be dangerous. We’ve done it, but it requires caution because it doesn’t give you an extra layer of protection while you’re learning this stuff. More commonly we move the data out of the repository like this, to practice and work with the data without fear of altering anything. Alternatively, we might crawl and index metadata to make decisions without touching the content, and add metadata that helps capture any foldering decisions. We could also pull doc IDs to identify the right ones to reference for IT. It’s a separate process to bring those decisions back to the repository to use. That’s a very common way to do this.
How will the proposed revisions to the Federal Rules of Civil Procedure (FRCP) affect evolving IG policies?
Bennett: The two major revisions or amendments are to rules 26 and 37, and these will almost certainly be approved by around May and go into effect sometime around December. The main effect of 37 is that it changes the sanctions or level of culpability for data loss to a prejudice evaluation. It takes a look at this question: if you’ve lost data, what effect does that have on the other party?
I think that’s going to have a fairly significant effect on e-discovery. Proving prejudice is quite difficult and losing some piece of information to the point that it’s not findable through other forms of discovery is quite rare. I think the fear of sanctions will go down a lot, but it will also change the impact of IG. If you’ve got good policies about why you’ve kept something or haven’t, it changes the impact of the new sanctions rules because that policy will definitely speak to the prejudice question.
Couldn’t make the event? Want to share it with your colleagues? For the rest of the discussion and a demo of how a real data remediation project might look inside e-discovery software, check out the full webinar.