Marie Kondo is an organizing expert, author and host of her own show on Netflix entitled, “Tidying Up with Marie Kondo.” The premise of her organization system called KonMari method is that once you gather all of your belongings, you should go through item at a time by category to determine which items, if any, bring you joy. If the item brings you joy it should be kept, and those that don’t should be purged. With spring in the air, the Sedona Conference appropriately released its second edition Commentary on Information Governance (IG) just in time for spring cleaning. And while we can’t use the KonMari method of organization to clean up corporate data, the Sedona Conference does nicely lay out principles for a joyful IG implementation experience.
The new Sedona commentary provides eleven principles for any IG program with three overarching takeaways. A well-organized IG program should be proactive, reasonable, and comprehensive.
While eDiscovery is reactionary, IG, on the other hand, is proactive. Information Governance is about getting your corporate house in order and tidied up before there is a data breach, litigation, or an investigation, whether initiated internally or by the government. In 2014, the Electronic Discovery Reference Model (EDRM) was first updated to include IG on the far left and thus occurring prior to eDiscovery. The EDRM now includes a separate model specifically for IG, which includes all the reasons for retaining data - legal duty, business value, or vital asset. The legal duty correlates to a litigation hold or regulatory requirement whereas the business value and vital asset categories are harder to define. A vital asset is information that an organization cannot function without nor can it be re-created from any other source. Thus, vital assets generally comprise less than 5 percent of total records for a given organization.
There are other forces that drive organizations to proactively relook at their IG programs, such as the implementation of Microsoft Office 365. With moving to the cloud and the advent of O365, organizations have been forced to revisit which records must be migrated and which records can be defensibly deleted. To do this, organizations should classify their data by category to get a handle on what they have, what they need to keep and what can be purged.
Disposition and reasonableness go hand-in-hand. The reasonableness standard is discussed throughout Sedona’s IG Commentary. First and foremost, the legal reasonableness standard is applied in determining the defensibility of an organization’s IG program. Sedona confirms the importance of disposition with principle six, “[t]he effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program.” This acknowledges that the days of corporate data hoarding are no longer the standard, but knowing the appropriate, effective, and defensible disposition of data is not necessarily a simple answer. About a week after publishing its latest edition of the IG Commentary, Sedona published updates to its Defensible Disposition Commentary. Generally, organizations may dispose of data once there is no longer any legal, regulatory, or operational requirement for retention purposes.
A question that still arises is whether there is a return on investment (ROI) for an effective IG program including data disposition in lieu of over-retention. In addition to storage costs, there is also increased eDiscovery risk and cost with an ineffective IG program. This includes but is not limited to poor raw data quality concerns with gathering corporate analytics, search inaccuracy with sifting through the ROT (redundant, obsolete, or trivial data) as well as reduced personnel productivity, and privacy regulatory concerns with over-retaining personally identifiable information.
Remember the reactive approach of eDiscovery is only for the benefit of the individual event and document request, but an effective IG program is for the benefit of the overall organization.
In assessing a realized ROI, an IG program must be comprehensive, which brings us to our final takeaway. An effective IG program must be independent of any single department with the benefit of the entire organization in mind. Thus, executive sponsorship is a must for an IG program. IG may begin as a corporate initiative, but it must be a continuously improved upon program. While IG isn’t effective if siloed to individual departments, the CIGO (Chief Information Governance Officer) also doesn’t function in a silo as the IG committee includes stakeholders from an organization’s various departments. Further, the fourth Sedona principle notes, “The strategic objectives of an organization’s Information Governance program should be based upon a comprehensive assessment of information-related practices, requirements, risks, and opportunities.”
At the heart of this comprehensive approach is the collaboration required within a single business function, but even more important, across business functions. The IG Committee and Executive Sponsor are addressing institutional information challenges that will affect all business units and the effective communication and collaborative between the units is imperative. The IG Committee and especially the Executive Sponsor are imperative for successful IG program implementation. The decision-making process promotes enterprise-wide strategic planning which includes more efficient data privacy, security, and information technology teams, streamlined workflows, a holistic view of the organization and its data, and improved corporate data analytics.
While the Sedona Conference doesn’t advise us to hold each piece of data to determine whether it sparks joy, the Commentary does provide thoughtful insights and advice for a joyful IG implementation experience. This joy can be appreciated in the form of realized ROI, increased productivity, and decreased infrastructure and eDiscovery costs. Happy organizing…
This article was first published on Epiq blog page