10 ways organizations can succeed with data remediation
Taking control of enterprise information through a data remediation program can dramatically reduce enterprise risk and costs.
Building a business case, ensuring executive buy-in, training staff and executing a program to address today’s and tomorrow’s challenges are not always easy, but important roadblocks that legal and information governance teams must overcome. When corporations are able to successfully execute a remediation program, they achieve much better footing to handle future challenges as data volumes and formats continue to expand.
Earlier this year, the Advice from Counsel study, which examined data privacy and security concerns and best practices among counsel at large U.S. corporations, reported that more than half of respondents have successfully conducted data remediation projects. They reported benefits including better protection of private and sensitive information and lowered storage costs. Interviews conducted for the study also revealed the strategies successful teams had utilized.
Following are the top 10 tips offered for getting a project done.
1. Figure out what exists. It is impossible to conduct thorough and accurate record destruction without knowing the full scope of what exists in the first place. Conducting a data mapping exercise is often the first step in identifying redundant, old or trivial data that is ready for remediation. We find these data maps can serve many other purposes and stakeholders, such as GDPR, e-discovery and records management to name a few.
2. Minimize business disruption. When it comes to internal data remediation, a project has a greater chance of success if it can be customized to how employees work, and disruption can be minimized. End users would rather be touched once with a single process or tool than 12 times with multiple processes or tools. The decision-making process should also be as easy as possible for employees. People who are not in IT don’t want to be responsible for activities they think IT or information governance should do, so remediation teams should make every effort to work behind the scenes.
3. Future-proof the program. It is important to ensure that fewer data pools are created in the future. IG teams should build controls into any new initiative before it is launched, so the disposition plan and requirements are already in place. It is very hard to do this retroactively after volumes of data have amassed.
4. Look beyond email. In IG, there is a tendency to focus just on electronic data, but information in paper documents and unstructured databases must also be addressed. Recognize there is legacy information (such as old payroll records or W2s) that must also be remediated and/or protected.
5. Aim for quick wins. For some, starting a small project can help the team learn about what works and build momentum. Start small and work with a dedicated team or business unit with which the legal team has a strong relationship and use it as a pilot partner. Once successful, that project can be the jumping off point for executing on a broader scale. Many times, companies already have technology options in-house so the startup expense can be minimal.
6. Make the most of bad events. When a company or even its competitor faces a significant event, such as a data breach, it should be a catalyst to advocate for change. According to one assistant general counsel interviewed in the study, “Your business case has to come after an adverse event. When the company hasn’t implemented a program and hasn’t had the e-discovery issues that other companies have had, I think you need an event to motivate change.”
7. Target PST Files. PST files are low-hanging fruit when it comes to data remediation, and efforts here can have a big impact. A PST is usually a huge file with each employee having many of them. PST files allow an employee to save individual messages to their hard drive or copy all of their personal folders to a PST, circumventing archiving efforts.
8. Training is critical. Train staff on the company’s retention policy. People should be more trained and aware of the need for document retention due to the significant risk and potential penalties in certain jurisdictions for improper data management. It should be approached with the same rigor as any part of the compliance program.
9. Consider Automation. Developing a policy is one thing, but executing it can be a challenge. Respondents reported success in using a wide variety of software tools to set a data remediation schedule and actually implement it. One said, “Automated systems are increasingly used and serve as the only way to get people to pay attention.”
10. Find partners to secure buy-in. Projects have greater chances of success when they are sponsored by multiple teams or have the support from executives that can convey a message for data remediation throughout the company. Sometimes funding data remediation is a challenge and partnerships can make it easier to obtain financing since others can advocate and help explain the need for the investment.