Companies are starting to get very nervous. They know that GDPR is right around the corner, but they aren't prepared, and they aren't sure how to get prepared, especially when the new rules apply to the personal data of EU residents, which is usually mixed in with everyone else's. These companies store a lot of data on their customers, and to make it even more challenging, much of it sits in file shares and cloud drives with no audit trail of what is where. It is a troubling situation, and it's why an information assessment is so important.
Even if a company isn't affected by the new EU privacy regulation, the sheer amount of confidential information scattered across the enterprise is still a concern: it puts the company at risk of data theft and of exposing confidential customer information.
A process without a plan
The time to act is now. But here's the problem. Too many companies are implementing policies and procedures with no clear plan and little understanding of what information they are storing, and where. This is not the time to rush head down into implementing a process just to get something in place. Things will get missed. Money will be spent that might be better used elsewhere. Complicated processes may get built around information you shouldn't be storing in the first place.
First – assess your current situation
Before you set out to adapt your current policies and procedures or add new ones, you need to know what information you have and where it’s located. With that clear view of your information in place, you can make better decisions on how to manage that information properly.
This assessment phase is the one you must adopt to ensure successful governance of your information and adherence to regulations like GDPR (and to the ones you can expect will follow).
What does a proper assessment look like? It will differ depending on your company, but there are several key steps you should take.
Connect your information silos
Customer information is stored in any number of applications and repositories across the company. Some you know about, others you may not. As employees work with customers, they create content in the form of documents, emails and other content. They also pull files and store them locally to work on, whether that’s on their shared drive or in a cloud drive. They may even create copies and store those on their shared drives.
It's a typical scenario for many companies. Your first step is to find where all this information is stored and connect it so that you get a 360-degree view. It's safe, at this point, to say you will need some kind of file analytics solution that can connect to all types of applications and repositories to give you that single view. The key is to choose a file analytics solution that can connect both structured (application) data and unstructured information (documents, emails, etc.).
Analyze what information you have
Now that you have that 360-degree view, you need to know what information you have and where it’s located. Your file analytics solution plays an important role at this point. It will analyze your information, extract its associated metadata and automatically classify it.
There are different levels of classification depending on how much your file analytics solution is capable of doing. Surface-level classification classifies information according to metadata such as date created, created by, last time accessed, format, language, named attributes and other high-level classifications.
Deeper scans look into the content itself and enable you to recognize personally identifiable information such as names, account numbers, addresses, credit card numbers, and more. This level of analysis is supported through defined taxonomies and ontologies, dictionaries, pattern extraction (regular expressions for card numbers, email addresses and the like) or a semantic repository. Pattern matches alone produce false positives, so a practical scanner validates them where it can, for example by running a Luhn check on anything that looks like a card number before it is counted. Machine learning can also help automate the classification process, learning and improving classification as more information is analyzed.
Identify ROT (redundant, trivial and obsolete)
Now it’s time to clean house. Identify what information is redundant – you don’t want to keep copies, what is trivial – it’s not critical to your work today, and what is obsolete – you no longer need it.
Bassam Zarkout defined ROT well:
Organizations may have different definitions of what is and what is not ROT, but in a nutshell, it is as follows:
- Any content found to be responsive to litigation and ediscovery situations (ESI) is not ROT (by definition).
- Of what is left, ROT is content that is not needed for business, not needed for compliance reasons, not accessed for a long time, is an exact or a near duplicate, etc.
ROT is information you don’t need, and in many cases, you can simply delete. But not all ROT is the same, so you need to think about this information and what you want to do with it. Again, Bassam provides some guidelines to help in this post.
Do this step before you start applying new policies and procedures so that you aren’t wasting time on information you don’t need, and you can ensure its defensible destruction.
Keep in mind that under GDPR you should only be storing the customer information you need to provide services and support to the customer (the data minimization principle). So if you hold a lot of information about a customer that contributes nothing to how you serve them, destroy it.
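To make the analysis and ROT steps above concrete, here is a small file-analytics pass written for this article as an added example; it is not the code of any product mentioned on the page. It walks a directory tree, records surface-level metadata (format, size, last activity), deep-scans content with pattern extraction (email addresses and Luhn-validated card numbers), and then flags exact duplicates by SHA-256 and stale files by last activity. The regexes, the 365-day staleness threshold and the sample files are all assumptions made for the demo; "trivial" is left out because it needs business context no scanner has.

```python
"""Added example: metadata + PII content scan + ROT flags over a directory tree.

Assumptions: the regexes below are simplified stand-ins for a real taxonomy,
365 days of inactivity means "obsolete", and the sample files are constructed.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path

# Deep-scan patterns (assumed, simplified). CARD_RE only finds candidates:
# 13-19 digits with optional space/dash separators; Luhn decides if they count.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII hits per category; only categories with hits are returned."""
    hits = {"email": len(EMAIL_RE.findall(text)), "card": 0}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["card"] += 1
    return {k: v for k, v in hits.items() if v}


@dataclass
class FileRecord:
    path: str                 # relative, POSIX-style
    size: int                 # surface-level metadata
    fmt: str                  # surface-level: format taken from the extension
    last_activity: datetime   # surface-level: max(atime, mtime)
    sha256: str               # content hash for exact-duplicate detection
    pii: dict                 # deep-scan result from find_pii()


def scan_tree(root: str) -> list:
    """Collect one FileRecord per regular file under root."""
    records = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()             # stat BEFORE reading: reading may bump atime
        data = p.read_bytes()
        records.append(FileRecord(
            path=p.relative_to(root).as_posix(),
            size=st.st_size,
            fmt=p.suffix.lstrip(".").lower() or "unknown",
            last_activity=datetime.fromtimestamp(max(st.st_atime, st.st_mtime)),
            sha256=hashlib.sha256(data).hexdigest(),
            pii=find_pii(data.decode("utf-8", errors="ignore")),
        ))
    return records


def classify_rot(records: list, now: datetime, stale_days: int = 365) -> dict:
    """Flag exact duplicates (redundant), inactive files (obsolete), PII carriers."""
    first_seen = {}
    report = {"redundant": [], "obsolete": [], "sensitive": []}
    for r in records:
        if r.sha256 in first_seen:
            report["redundant"].append((r.path, first_seen[r.sha256]))
        else:
            first_seen[r.sha256] = r.path
        if now - r.last_activity > timedelta(days=stale_days):
            report["obsolete"].append(r.path)
        if r.pii:
            report["sensitive"].append((r.path, r.pii))
    return report


def build_sample_tree(root: str, now: datetime) -> None:
    """Constructed sample share: a CRM export, a stray copy, an old note, a README."""
    customers = ("name,email,note\n"
                 "A. Example,a.example@example.com,card 4111 1111 1111 1111\n"
                 "B. Example,b.example@example.com,ref 1234567890123456\n")
    files = {
        "crm/customers.csv": (customers, now),
        "shares/finance/customers copy.csv": (customers, now - timedelta(days=30)),
        "shares/old/meeting-notes-2015.txt": ("agenda: budget review\n",
                                              now - timedelta(days=900)),
        "shares/README.txt": ("team share\n", now),
    }
    for rel, (content, ts) in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (ts.timestamp(), ts.timestamp()))   # fake "last activity"


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, return the ROT/PII report."""
    now = datetime.now()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        records = scan_tree(root)
        report = classify_rot(records, now)
        report["file_count"] = len(records)
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to real tooling: the stat call happens before the file is read, because reading the file can update its access time and would make every scanned file look "recently accessed"; and the "ref 1234567890123456" value is a card-shaped string that the Luhn check rejects, which is exactly the kind of false positive a naive regex-only scan would report.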
Taking care of the rest
You've cleaned out your information. Now you can start thinking about how to deal with the rest of it. If it's information you don't need for running the business today but are required to keep for compliance or other legal reasons, consider archiving it.
Archiving lets you manage that information properly while reducing storage costs by moving it to less expensive storage tiers. Proper archiving also lets you retrieve it quickly if it's needed for a business opportunity or a legal dispute.
At this point, you are ready to apply your policies and procedures to your business information. These policies may relate to GDPR, or they may relate to compliance and other legal regulations. The key is to make sure the information you need to manage is properly managed on an ongoing basis.
Focus your efforts for success
While the assessment phase is always your first step to successful information governance, it’s not a one-time effort.
Regularly assessing your information across the enterprise is critical to ensure you are managing all your information properly.
It helps you:
- Identify ROT and remove it regularly.
- Find situations of non-compliance, so you can deal with them before things get out of hand.
- Mitigate risks related to exposure of confidential information, including PII and payment card data that falls under PCI DSS.
- Better manage storage by moving information to storage tiers based on its importance.