We live in interesting times, in which one side of the business wants to keep all information forever and another wants it gone yesterday. And there are myriad other perspectives between the two extremes, depending on your job within the company. So how do businesses navigate and negotiate an increasingly competitive, conflict-ridden, information-intensive business environment?
No one wants to peer into a volcano, especially one that could blow at any time. Yet, a lawyer’s job is, in part, helping the lawyer’s company or clients navigate the risks and potential liabilities of our new, ever-expanding information economy. Further, most large companies today have a host of complex and competing information needs and requirements that scream for legal guidance, whether the lawyers know it or not. And as corporations’ information assets grow in volume and value, these issues won’t go away anytime soon.
In this article, we will provide five steps for lawyers and others with information management obligations to more effectively manage their corporation’s information footprint, negotiate competing and conflicting business and regulatory requirements, and simplify the rules to help harness the value of information while making sure that companies manage their expanding information volumes in compliance with the laws and regulations that mandate how information must be managed.
Step 1: Size Up Your Information Footprint
Understand What Your Business Does for a Living
To figure out how best to address the expanding universe of information, it is first essential to understand the company’s mission as that will inform what data it has and the laws and regulations guiding its management. In other words, the first step should be to assess what information a company has, what obligations exist with that information, how long to retain it for legal or business reasons, who should have access to it, etc.
While the executives of all companies generally understand what business activities they are engaged in, they rely on their leadership team to help them understand all the different business initiatives, relationships, contractual obligations, projects, and potential sources of revenue and risks across their company. This activity details how the organization accomplishes its mission and the information needed for execution. After all, it is essential to understand how the organization creates information and what information it creates, as well as when it needs it given its business activities, in order to manage the information footprint.
Understand How Activities Are Conducted
Given today’s complex technologies such as AI, IoT (“Internet of Things”) devices, pixel tags, etc., and the new ways that business is conducted, the task of identifying how business activities are conducted is challenging. The way that many businesses function or carry out their business activities has changed in recent years.
Third parties may now have “care, custody, control” of “your” information, and contracts may or may not permit them to package up and resell that information. The fact that a third party is creating and utilizing your company information may create new information security and privacy challenges that may need to be addressed via both contract and technology. Furthermore, the application of IoT devices means that a third-party smartish piece of technology is grabbing and transmitting data behind the scenes, perhaps without the company’s knowledge—which may be to the company’s detriment.
There are many ways to glean a deeper insight into company business activities to understand how they are conducted. It might be helpful to analyze the company’s annual report, external website, marketing materials, operational processes, workflows, and standard operating procedures (“SOPs”) and talk to the corporate secretary about external partnerships, collaborations, or joint ventures involving the company. Reviewing the company’s annual reports, financial statements, and corporate filings may disclose new sources of revenue, among other things. Additionally, interviews or surveys with key stakeholders can be beneficial to provide a deeper understanding of the various company initiatives and activities. For example, a recent conversation with a client’s general counsel unearthed a new business direction of packaging biometric data and selling it as a revenue stream.
Key business and legal stakeholders might not be aware that a particular business initiative is underway, but they need to be aware in order to properly assess the risk and liability. Advancing such initiatives without proper management and liability assessment can explode in the face of executives and impact company valuations and the court of public opinion. And these types of initiatives are part of the new corporate information volcano that can create seismic ripples through the business.
Inventory Information Assets
For every business activity, there is informational output. That informational output may be a record or a non-record. It may or may not contain a specific class of data, such as biometric data, personally identifiable information (“PII”), trade secrets, intellectual property, Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) data (protected health information (“PHI”)), or other sensitive data types.
For every record and specific data category, myriad laws and regulations will dictate how that information can be used, shared, stored, retained, and managed throughout its life cycle. Additionally, for each, there will be business folks who will only sometimes agree with the laws and regulations because those laws and regulations don’t allow them to garner the total value of the information.
For every non-record, rules should dictate how long to retain the information and when to dispose of it. For many corporations, a large percentage of their data doesn’t rise to a record level, and the noise it causes can be costly. Additionally, non-records can pose the same risk to the corporation as a record because they can contain sensitive information that could be damaging if exposed.
Regardless of whether something is a record or a non-record, getting a handle on the company’s information footprint is essential. Unsurprisingly, most companies need to know what information they have, where to locate it, and who has access to it. Information sprawl happens because more systems create information, more applications use information, and more employees access the information. Outsourced data warehouses collect data from many sources and combine them for insights. IoT devices collect and transmit data, and more third parties utilize or create company information on your behalf. What action can you take?
Conduct and document an inventory of supporting information assets created, used, sold, shared, relied upon, and received for each business activity identified. The inventory should determine where the information is stored; who has access to it; who has responsibility for it; what actions people take with it, e.g., selling or sharing the data; and what data classification (e.g., PII, PHI) and security classification (e.g., confidential, restricted) apply. This inventory will help inform the next step of knowing what laws and regulations must be considered. The greater the understanding of the information footprint, the more effective your program will be.
Step 2: Unearth and Understand Regulatory, Governance, and Business Requirements
Collect All Laws and Regulations That Impact the Business
Once you have compiled a comprehensive list of the company’s business activities and inventoried the types of information generated, used, sold, shared, relied upon, and received, you can then research the relevant laws, regulations, and industry rules that govern the management, protection, transmission, retention, and disposal of each category of the information. For most large businesses today, there will likely be hundreds, if not thousands, of laws and regulations that apply to the various types of information used by the business in the various jurisdictions in which the company does business. It’s key to look outside of the jurisdiction of incorporation to find all of the laws and regulations required to get information management right.
For each business activity, the company should document all jurisdictions that apply to it. This is often called a business profile. For example, product manufacturers should document the countries and states with manufacturing facilities. Later in the process, jurisdictions will inform what laws and regulations will apply based on where the organization performs certain business activities. Many laws and regulations that impact manufacturing facilities will be at a state or country level, so there is no need to include states or countries without manufacturing facilities. Similarly, if, as discussed above, the company is engaging in new activities—such as selling data as a revenue stream, implementing customer interactions, using sensors on products, conducting AI activities, exploring blockchain and cryptocurrency activities, handling privacy and biometric data, developing virtual and augmented reality technologies, or building autonomous products—those activities will dictate the laws and jurisdictions that must be considered.
Understand Business Needs
As the company evaluates and collects all of the legal requirements with which it must comply, assessing its business needs for the various types of information across the enterprise is also beneficial. This step is where the company should methodically collect the need for each data category and how long a particular business unit needs it. This step should involve “governance” business stakeholders such as privacy, records management, legal, cybersecurity, and other teams as necessary.
During this phase, it will become evident that different business units within the company will have different information needs. The marketing department may want ten years of past sales to unearth trends to improve future forecasting of raw materials for next year’s products. However, EU privacy staff may feel that the organization should only retain that information for a short time. This conflict can be solved by agreeing upon a period of time to retain the personal data, when it should be anonymized, and when the anonymized information needs to be disposed of. (We will return to this conflict issue in the next section.) In any event, creating a useful dashboard of inputs so that the company can see how information is being used and by whom will be very useful in determining the final company rules to manage information assets better.
Step 3: Harmonize Governance and Legal Requirements
As was alluded to in the previous section, gathering all the legal, regulatory, and governance requirements and various business needs related to each category of information helps the company develop rules that address all the inputs. One caveat: Making sausage is ugly. But developing information policy for large companies can make sausage making look attractive and seem easy. Given information volumes and the disparate uses of information in today’s corporate information ecosystem, making sense of and harmonizing the many inputs can be challenging.
Consider how different the EU privacy policy is from how Arkansas privacy laws expect organizations to manage PII. Or consider how contract retention requirements vary from state to state. Now add all the types of information, all the legal requirements in all the relevant jurisdictions (state, federal, foreign, etc.), and the business needs for the data. Now make a policy that addresses all the inputs.
Corporations that operate in a global environment must comply with legal and governance requirements across multiple jurisdictions. Corporations must take a harmonized approach to information governance, developing policies and procedures consistent across all jurisdictions unless there is a unique situation that doesn’t allow for it. As one such example, China’s laws for certain categories of information require permanent data retention. The company may carve out Chinese retention rules from the “harmonized” company-wide rules in such a case.
One often-used approach to harmonizing legal requirements in the privacy context is to gather all the high-level requirements of the various privacy laws and regulations from the various jurisdictions and develop a policy incorporating the letter and the spirit of the multiple requirements into one policy directive. Again, it is complex, but it is essential as the list of legal requirements mandating how organizations must manage information grows yearly.
To deal with the ever-evolving information legal landscape and advancing business practices, companies should have a process in place to monitor changes to ensure that they stay current with laws and regulations and business activities. As an example, a company could form a governance body made up of legal, governance, compliance, business, and operations representatives tasked with the responsibility of advancing the initiative.
Step 4: Simplify Rules for Employees and Technology
Corporations should develop clear policies, procedures, and rules that are easy for employees and technology to understand and follow. One way to simplify is to create one set of standard policies and procedures that can apply across the organization.
Recently, a company asked Kahn Consulting to harmonize the company’s multiple privacy and security directives. There were many competing directives, and the organization didn’t clarify the guidance as to which policies applied to each business unit. The employees didn’t follow any policies because they couldn’t determine which ones applied to their work.
Employees don’t have time to figure out what policy to follow, so make it brain-dead simple. In addition to fewer policy documents, the company should strive for shorter directives without complex legal language that may confuse the average employee. Furthermore, the simplification process will help technology seamlessly apply the rule without employee intervention (see Step 5). Employees have enough to worry about in their daily work without having to stop to consider legal policies. Also, technology is better and faster at applying rules to information at an application level, behind the scenes, so build a compliance process to let employees focus on their day job.
Additionally, organizations should eliminate rules that are complex to understand and apply. For example, using “event triggers” to start the retention clock makes it hard to determine when the clock actually begins to run, which in turn can make applying the rule to the relevant records nearly impossible. So, if you can get rid of complex rules, do it.
Finally, build “imperfect” rules that work with your technology rather than creating “perfect” rules that can’t realistically apply to actual business processes. In other words, strive for reasonable rules that work given technological realities and the company’s needs.
Step 5: Automate Policies and Procedures
Corporations can further simplify information governance by automating the application of company policy directives related to ownership, access, privacy, security, retention, disposition, litigation response, and other governance tasks. Advances in AI and machine learning give organizations the horsepower needed for such automation.
This approach means using technology to enforce policies and procedures rather than expecting employees to do the heavy lifting. For example, corporations can use automated data classification tools to classify data according to its sensitivity level. This automation can help ensure that sensitive data is protected appropriately and can reduce the risk of a damaging security event. Automate wherever possible, and use technology that makes your company rules workable, given the application’s functionality.
Conclusion
Managing information in today’s complex information ecosystem is a monumental challenge. One bad hack and the resulting information security breach could be that seismic event impacting valuation and reputation that every lawyer, privacy and compliance officer, and C-suite executive prays will not happen on their watch. Effective information governance is essential for corporations to protect their valuable information assets and comply with legal and regulatory requirements. And that starts with understanding what business activities a company performs, what information a company has, what obligations exist for each class of information, how long to retain the information for legal or business reasons, what management governance rules apply to it, who should have access to it, and where it is stored. Companies will be well served by thinking outside the volcano and anticipating the potential liability and risk associated with the explosion of information and the transformation in how business is done. This is a process, not a project, and lawyers and other stakeholders must be engaged on an ongoing basis. The information ecosystem is organically growing and expanding, and vigilance is necessary to stay on top of it.