Better Business, Better Compliance Through Defensible Data Disposal
By Lorrie Luellig
February 25, 2011 | Expert Commentary | Pharmaceutical companies are drowning in data, but few organizations know what to do about it. That’s about to change. A new information governance strategy that supports “defensible data disposal” can help companies reduce the amount of data they retain. By doing so, they can utilize research data more efficiently, improve compliance processes, reduce legal and business risk, and save money.
Pharmaceutical companies have several justifications for not deleting data. Scientists may believe all research data has business value and is critical to regulatory compliance. The legal and compliance departments may believe that given strict mandates by the FDA, FTC, SEC, and IRS—and similar bodies around the world—deleting any data puts organizations at risk. Business users often save everything as a record of their activities. And many executives, believing that data storage is relatively inexpensive, save everything as a thrifty way to reduce multiple risks.
Even if these groups are able to identify redundant and valueless information, they often have no way to communicate their understanding to IT, which executes the disposal and, on its own, has no insight into scientific, business, legal, or regulatory value.
The solution is twofold. First, companies must recognize that saving everything is not only expensive and risky, but also makes it extremely difficult to extract new results from old scientific data. Second, companies must implement a robust information governance strategy that identifies the information with scientific value and achieves defensible disposal of the redundant and valueless information.
The True Costs of Too Much Data
Storing data isn’t cheap. Gartner estimates that IT shops spend between 2 and 3 percent of revenues on data management, and research firm IDC predicts corporate data volume, which grew approximately 50 percent in 2009, will grow by a factor of 44 over the next 10 years. Many firms, including pharmaceutical companies, have found that more than half of all their data has no legal, compliance or business value. In addition to millions of wasted dollars, keeping all this data limits the ability to find and utilize existing research data, comply with complex regulations, respond promptly to requests for legal holds, and locate high-value business information efficiently.
Studies by the CGOC (Compliance, Governance and Oversight Council) validate the importance of letting stakeholders instead of IT determine what should be disposed of. Established in 2004, the CGOC is a community of information governance experts providing corporate litigation, discovery, IT, and records management leaders and practitioners with the insight, interaction, and information they need to develop information governance best practices. According to the CGOC, IT typically has no practical method to determine what can safely be eliminated. For example, even in relatively small firms, IT may need to know which of 100 legal holds and 300 record categories apply to which of 10,000 people working in which of 2,000 departments whose data is located in which of 1,000 servers or apps.
Even worse, these companies lack any systematic linkage between IT and the information stakeholders. In a recent CGOC Benchmark Report on Information Governance, 85 percent of legal, records management and IT staff surveyed viewed the lack of consistent collaboration as the single biggest barrier to defensible disposal and a source of risk.
Information Governance and Defensible Disposal
To eliminate unnecessary information, an organization must acquire the tools and create the processes that allow each stakeholder to determine what information must be retained, managed, archived and disposed of, and then communicate this to IT; that is, it must create and implement a robust information governance program that identifies the information with scientific value and achieves defensible disposal of redundant and valueless information. The key building blocks for such a program include:
- Commitment from senior management.
- Easily understood and robust information governance policies and procedures that address each stakeholder’s data value and retention challenges given the diverse nature of regulatory bodies and differences by region.
- Inventory of value (scientific/business) and obligation (legal/regulatory).
- Core working group of stakeholders, including scientists, to provide guidance, tools, job aids, training, and communication, as well as policy, procedure and program feedback.
These elements will help establish strong linkages among the information stakeholders, but there must also be targeted investment to:
- Deploy software that links the business processes in science and research, legal, records information management (RIM) and IT to provide structural and automated collaboration and transparency with systematic workflow.
- Create transparency into how IT manages valuable scientific information to not only prevent data proliferation, but also ensure accessibility by future generations.
- Modernize the records management program so it provides reliable, actionable information procedures to IT.
- Treat legal holds as an enterprise process rather than a legal department task.
- Ensure IT can determine—using its terms and without interpretation—who and what is on hold, what is of value and what is subject to regulatory obligation.
Lorrie Luellig, Of Counsel to, and a founding member of, the Ryley Carlock & Applewhite Document Control Group