by Lee Meyrick, Director of Information Management at Nuix
Finding an important document is no longer as simple as heading to the filing cabinet, looking for the right colour-coded label and extracting a paper copy, where the filing clerks neatly put it away in alphabetical order. Digital storage is getting cheaper and the volume of electronic documents created each year is increasing rapidly. That means organisations are simply loading more and more data into storage systems, email databases and archives, without taking the time to organise their information.
Today we are all filing clerks. And we’re very bad at our jobs. If you don’t believe me, see how long it takes to find the notes you took in the meeting about your goals for Q3 last year. I’ll go put the kettle on while you’re doing that.
Even at an individual level, it’s a poor assumption that you can easily find a document when you need it. But when an organisation is forced to respond to litigation or a compliance request, legal teams have to scramble around, trawling through mountains of data to find the crucial pieces of information they’re looking for. Storing the data may only cost hundreds of pounds per terabyte, but lawyers charge hundreds of pounds per hour. If organisations haven’t taken the time to manage their information before storing it, the price they pay is a costly eDiscovery process.
First, understand what you have
So where do you start? A necessary first step is to scan through all of your organisation’s data, get rid of what you don’t need and make sure what is left is properly organised and easily searchable. Information governance, as it’s called, may not sound exciting. But the next time you get a call from general counsel with an urgent eDiscovery request, and have to reactively scramble to find key evidence, you’ll understand why it’s necessary.
The biggest concern many organisations have is that so much data is discoverable. In the event of a court case, regulatory inquiry or high-profile scandal, they will likely have to search massive amounts of data across multiple repositories to find key evidence. Often data is duplicated in many places and never deleted. The current trend of moving data into the cloud in many cases doubles the volume of data that needs to be searched through, because most organisations don’t delete the original copies in their data centres, just in case. That ‘just in case’ has a cost too.
Reduce your unnecessary data risks
A lot of old data has no business value; it just sits around wasting money. But it’s not just costs organisations need to think about. That data can also contain business risks.
The term “risky data” encompasses things such as personal information – like dates of birth, national identity numbers and credit card details – an organisation stores about its customers or staff. Organisations should know exactly where this information is stored – which should only be in encrypted and tightly controlled repositories – or preferably not keep it at all beyond the bare minimum needed to do business.
Most organisations have strict compliance rules about retaining certain types of data such as customer records for a number of years. But once the retention period is over, the risks and costs of keeping that data greatly outweigh any residual value. It just sits around waiting to cause trouble. Even if you didn’t need to keep certain information, the fact that you did makes it discoverable.
In reality, most of the information organisations keep is irrelevant to running the business or to any legal proceedings. It’s duplicated, trivial, no longer used or past its retention period. Deleting this low-value data, according to predeﬁned and legally sanctioned rules, reduces risks and also minimises the volume of data that could be compromised in a security breach. It also makes responding to discovery, investigations and information requests quicker and more targeted because there’s a whole lot less data to consider in the first place. At the very least, it will reduce legal costs because the discovery process is more efficient. But it can also mean the difference between incurring or avoiding fines or legal damages.
Take control of your data
Most organisations, I’m sure, would rather reduce the volume of data they store than allow it to spiral into a massive, potentially discoverable information minefield. Even if your organisation hasn’t properly applied data retention or lifecycle rules in your storage systems – and most haven’t – you can still implement an ongoing deletion policy.
Advanced technology can rapidly and automatically index the data stored in enterprise repositories including Microsoft Exchange, SharePoint and Lotus Notes Databases, as well as many archive formats. This makes it possible to classify the documents you must keep and those you can delete, apply policies and only retain the information you need.
What’s more, once you have indexed this information, you can instantaneously search it when the need arises. In some cases, you can delete duplicates to save storage, as long as you have retained one backed-up and indexed copy.
Put policies in place for the future
Once you have cleaned up your historical data, you can put in place retention policies for everything your employees create in the future. You can regularly and incrementally review new information, ensuring it is retained, dealt with or destroyed in an appropriate manner.
Keeping retention and security policies viable in the face of so much data requires a compromise. Manually classifying records is overly labour-intensive. But retaining everything is overly simplistic, not to mention costly and risky. By using advanced indexing, search and classification technologies in conjunction with manual reviews, organisations can profile data into big ‘buckets’ of essential record types such as contracts, policy documents, financial, legal and intellectual property – each with its own retention schedule.
Realising greater benefits
Proactive information governance makes life easier for everyone. Fast and precise access to information has huge impacts on a business. Litigation budgets and storage spending are reduced, while risk management is improved. With these benefits, information governance projects very quickly become self-funding. They can also become a source of business value as employees can quickly find the information they need day to day and the organisation as a whole gains knowledge from understanding its own data.
There’s no question that organisations facing frequent litigation or regulatory action have a clear business imperative to put in place information governance programs. The challenge is taking the time to define a set of practices to put governance into action. This requires someone who can articulate what process the organisation should follow and explain the reasons behind it, for instance because retaining multiple just-in-case copies will increase eDiscovery and compliance costs.
Organisation’s electronic data stores are only going to get bigger, and eDiscovery costs will continue to rise accordingly. If organisations don’t take a proactive approach, to manage and understand their data now, they will end up paying lawyers to do it for them. Perhaps it would have been cheaper, after all, not to fire all the filing clerks.
by Lee Meyrick, Director of Information Management at Nuix