Sure, Information Has Value, But Don't Forget the Risks

Enterprises are clogging their arteries with information, most of which has no real value but carries costs and risks. The CPO can help in disposing of that information that can only cause harm.

Deidre Paknad May 10th 2013
Deidre Paknad is the founder of the CGOC and vice president of Information Lifecycle Governance Solutions at IBM.

The inability to accurately identify the value of information -- and how long that value lasts -- forces most companies to retain far more data than necessary.

Most companies describe information as the lifeblood of the organization. But too many enterprises have clogged their arteries.

How can this be? Over time, the value of information declines, while the associated costs remain constant and the compliance and legal risks actually rise. This conclusion, based on research conducted by members of theCompliance Governance and Oversight Council (CGOC), implies that those who champion the defensible disposal of all information that has no legal, regulatory or business value can help their companies significantly reduce costs and risk.

The corporate officer best positioned to be such a champion is the chief privacy officer (CPO). Defensible disposal is a particularly appealing idea for CPOs, who already help their organizations identify information of value, catalog where that information resides, and determine how it must be managed and disposed of in order to protect the organization, its employees and its customers.

It's time for corporations to take the next step and give the CPO a seat at the information governance table as an ally and champion in developing information life-cycle governance (ILG) practices that transform the organization's information economics. Not familiar with information economics? Well, if economics is "the discipline of analyzing the production, distribution and consumption of goods and services," then information economics is the discipline of analyzing the production, distribution and consumption of information. Think of it this way. Organizations obtain value from the information they generate and collect, but this value is offset by the cost to access and manage it and by the risks associated with it, including growing privacy risks. The goal in improving information economics is to develop the ability to control information cost and risk while increasing the value derived from it in order to significantly improve the profit margin on information.

The CPO is key in achieving those goals. In fact, the growing importance of the role of the CPO in the information governance function led the Electronic Discovery Reference Model (EDRM) to announce that its Information Governance Reference Model (IGRM) project now includes privacy andsecurity as primary stakeholders in effective information governance.

Understanding Information's Value

Achieving a healthy information economy, where the value of information is greater than its costs and potential risks, starts with the ability to accurately identify information value. The difficulty with this is that the value depends on a variety of factors, such as the type of information, its stakeholders, the company's industry, its geographic location, and the duration of customer and product life cycles. For example, email (a type of information) may lose its business value very quickly but be relevant to regulators (one of the stakeholders, determined by industry and geographic location) for three years. As for product life cycles, design information for products with a short market lifespan, such as consumer electronics, is useful for a much shorter period of time than design information for products, such as aircraft engines, that are used for decades. Yet, in both cases, the length of time that back-office information is of value is likely similar. Meanwhile, information that is deemed to be clearly valuable can be extremely risky to hold on to. For example, marketing often wants to save all personal customer information in order to extract business value from it over the long, but this often conflicts with new privacy requirements.

The inability to accurately identify the value of information -- and how long that value lasts -- forces most companies to retain far more data than necessary. According to a CGOC Benchmark Survey on Information Governance in Global 1000 Companies, at any given time, typically 1% of corporate information is on litigation hold, 5% is subject to a regulatory retention requirement, and 25% has current business value. This means that approximately 69% of the data that most organizations are currently managing, protecting and storing is unnecessary. As discussed below, all this "data debris" represents a huge cost to the organization, but it also clogs processes, consumes resources, makes information protection more difficult and makes it harder for business users to find the valuable information they need.

In order for a company to accurately understand and fully realize the value of information throughout its life cycle and thereby identify what information can and should be eliminated, all information stakeholders -- including business users and the IT team that manages the data, but also those concerned with privacy, risk, security, legal matters and record keeping -- must be able to work together and align their needs.

Understanding Information's Costs

Many organizations assume that the total cost of storing information will go down because storage unit costs are declining. Unfortunately, the compounding growth rate of data in most organizations far exceeds the unit cost decline. In addition, storage hardware is really a small part of the total cost of retaining information. For example, application and infrastructure costs are significant and recurring, and organizations often have dozens if not hundreds of applications that are redundant or that remain active solely because it's difficult for IT to understand the specific legal, regulatory or business requirements for the application data. Such behavior only serves to exacerbate the problem, leading to an insatiable demand for more bandwidth, ever-increasing IT complexity and a greater cost burden.

In addition to these hard IT costs, there are soft costs associated with business users frustrated by the difficulty of quickly finding the information and insight they need across sprawling data shares. There are also significant (and often overlooked) costs associated with meeting legal duties for information, specifically, retaining data for regulators and for e-discovery and litigation. As data ages, it becomes increasingly expensive to gather, process, restore and review in investigations and civil litigation. The causes of this include the decommissioning of the technology to restore it, the difficulty of identifying its location and nature without restoring it, and the absence of any context for understanding it. Gartner (Gartner IT Key Metrics Data 2012) estimates the annual cost of e-discovery at a whopping $18,000 per gigabyte, and in "Hoarders: The Corporate Edition," Jake Frazier argues that the real total cost could be even higher. (Beyond these cost concerns, CPOs have a significant stake in litigation and e-discovery because U.S. discovery obligations for retention often conflict with national laws protecting the privacy of individuals.)

Looking at the various cost factors, it's easy to see that if 69% of a company's retained data has no value -- and even if that figure is "only" 50% or 40% -- then the company has very poor information economics, and a tremendous amount of money is being wasted that could otherwise be put to strategic use.

Aligning Cost to Value

The goal of an ILG program is to provide a framework and processes for defining and communicating information value while aligning information cost and risk to the value over time. Given the amount of data debris that most companies have, a core tenet of such programs is creating an organizationwide defensible disposal program that automates the elimination of information that has no legal, records, privacy/security or business value as the primary mechanism for improving the company's information economics. A fully operational defensible disposal program systematically eliminates unnecessary cost and risk, creates a self-cleansing information environment, and facilitates access to the remaining information of value.

The "Information Lifecycle Governance Leader Reference Guide," a resource developed by the CGOC, lays out the key levers, processes and operational capabilities required to operationalize defensible disposal and improve information economics. ILG leaders who have applied these principles have found that aligning the needs of information stakeholders is easier to achieve than they anticipated and that all stakeholders derive benefit from the improvements.

Because of the critical role they play in determining the value of information and the need to dispose of some data within set timeframes, CPOs must fully participate in any successful ILG program. In addition, they can offer significant insights, expertise and capabilities to the ILG leaders and CIOs who are actively driving the transformation in information economics. In return, CPOs will likely enjoy several significant benefits, including improved data protection practices, more institutionalized and automated privacy-related processes, and a far better understanding of privacy obligations by those who manage the data.

Deidre Paknad is the founder of the CGOC and vice president of Information Lifecycle Governance Solutions at IBM.