Tech Trends:
5 Steps to Compliance: Building an Automated Data Map

In a litigious business world awash in electronically stored information (ESI), the need to access and analyze data in a usable format is clear. Unfortunately, many organizations’ choices have been limited to reactive, fire-drill style processes. Ad hoc responses to e-discovery often lead to impartial or inaccurate production, an inability to prove inaccessibility, inadvertent noncompliance, and skyrocketing risks and costs.

Bobby Balachandran

Bookmark and Share

With recent rulings on e-discovery procedure requiring organizations to have defensible knowledge of their data infrastructure, the logical starting point for a litigation response plan is an enterprise data map. A data map can quickly answer these questions: Where is the data stored, and how can I access it, if at all? Who controls this data? What policies govern it?

The enormous amount of ESI and paper-based documents stored in disparate locations, the prevalence of hard-to-track shadow data systems and individual data marts, the complexity of records management policies and regulations, data churn, and human resources turnover make answering these questions extremely difficult, if not impossible, without the aid of technology.

Unfortunately, until recently, there haven’t been any tools, applications, or solutions available to organizations looking for a proactive approach for tracking and analyzing their data sources, custodians, IT personnel, or change histories.

Defining a Data Map

A data map is a comprehensive and defensible inventory of an organization’s IT systems; it is a repository for data and information mapped to business units, data stewards, and custodians; and it is a critical component of a proactive litigation response plan and essential to a number of other important business processes.

The benefits of a data map are many. A data map aids with:

  • Risk mitigation and compliance management
  • Collaboration between internal and external teams
  • Legal response to discovery requests and regulatory inquiries
  • U.S. Federal Rules of Civil Procedure Rule 26(f) meet-and-confer meeting preparation
  • Targeting hold recipients quickly
  • Avoiding inconsistent or inaccurate representations
  • Mitigating spoliation risk
  • Lightening infrastructure architecture development burden
  • Interrupting document destruction schedules for preservation in a timely manner
  • Identifying redundant data sources
  • Addressing potential data anomalies and outliers

Manual Processes to Address Data Management

Many organizations have developed home-grown, ad hoc processes for addressing data management.

Most legal departments will create a partial data map. When a trigger event occurs, such as a letter arriving that threatens legal action, organizations must locate relevant data, custodians, and data systems and implement a legal hold. Legal teams learn over time where the highly litigious data resides and can get a feel for who manages it and whom to ask when they need to access it for discovery.

Organizations often also have IT inventories. For example, financial and human resources systems are typically well-documented due to corporate and records retention policies. Others grow up due to the needs of the business and exist in sub-organizations or as project resources and are largely documented through tribal knowledge.

The end result is ESI scattered across the organization, undocumented, and often in a format that cannot be readily preserved or produced. Litigation, regulations, and personnel changes add to the complexity. Organizations must be able to track changes in ESI and IT systems, but these changes exceed human capacity to track it effectively.

Although the IT and records management departments each have pieces of a data map, most organizations have not developed proactive policies around information governance. Often, communication between IT and legal teams is so disjointed that critical information is deleted or legal teams unknowingly make unreasonable requests of the IT staff.

Ad hoc data maps and discovery solutions face some serious challenges:

  • Lack of documentation
  • Duplicative background work in response to each request
  • Cross-departmental redundancies
  • Critical information stored as easily lost tribal knowledge
  • Risk of human error, incorrect or incomplete production, and costly sanctions
  • Time-consuming data searches that lead to missed deadlines and higher costs
  • Heavy burden on IT as they may be tasked to find information they didn’t know they needed to save, or they may be asked to save everything, increasing storage costs and barring timely data disposition

Consultant Processes at Work

Big Four consulting firms are often called in to do the manual work of building and implementing enterprise data maps, and they bring established methodologies to the project. Most conduct extensive interviews with key constituents, determine the best approach for the company, and then, together with key constituents, drive the majority of the data mapping process.

At one consulting group, for example, a team of consultants interviews a company’s key constituents – leaders from the IT, legal, and records and information management (RIM) departments, as well as executive – to understand business drivers and risks, determine scope and appropriate level of granularity, and identify key business units.

Next the team conducts workshops to define key ESI, business and process owners, and subject matter experts. The bulk of data gathering is done through questionnaires and surveys, and then it is analyzed and refined through follow-up interviews. The team then determines tools and technology that can be used to house and maintain the ESI on an ongoing basis.

Automating the Enterprise Data Map

A usable data map must be agile enough to adapt to constantly changing data, litigation profiles, retention policies, HR information, and regulations. Combining established processes and best practices with automated data mapping technology is the best way to achieve this needed agility.

Today, dynamic data mapping software facilitates the data mapping process through standardized, intelligent workflows to produce a comprehensive, evergreen data map. Built-in checks and balances eliminate human error and manage compliance, and an automated refresh process delivers an up-to-date and accurate data map ready for use.

An automated data map will:

  • Streamline processes by building, analyzing, and refreshing the data map automatically
  • Enforce compliance with data policies and processes
  • Facilitate efficient legal processes, from risk assessment and litigation profile building to legal hold creation and discovery
  • Reduce downstream staffing needs
  • Reduce risks like data loss and spoliation
  • Facilitate data disposition
  • Provide a solid foundation for litigation preparation, legal risk assessment, and discovery response

Today, consulting companies and leading experts recommend the following five steps to create and manage a data map:

  1. Define
  2. Assemble
  3. Analyze
  4. Automate
  5. Refresh

1. Define: Preparation and Design

In order to begin a data mapping project, it’s important to ensure three things:

  • Buy-in from executives and employees
  • Access to an automated system of alerts to enforce and monitor compliance
  • Time and resources needed for a comprehensive project

The importance of buy-in can’t be overstated. In a recent panel presentation, Cheryl Strom, senior manager of records information management at McDonald’s Inc., provided the following guidelines for securing buy-in from upper management:

  • Identify cost savings in hard numbers.
  • Bring in an outside expert to explain the risks and benefits.
  • Show how benefits of a data map can be leveraged across the enterprise.

Next, organizations must choose a dynamic data mapping process-control solution. By providing a solid, centralized framework for a data map project, an automated data mapping solution cuts down on the time and money spent on this difficult initial phase and each of the following steps by:

  • Institutionalizing roles
  • Providing timeline and task alerts
  • Planning and budgeting tools
  • Enabling project managers to monitor and enforce compliance with roles and duties
  • Providing a centralized location for custodian and data source information

Next, companies must create a project team comprising key stakeholders from departments most affected by a data map – IT, legal, and RIM. Hold one or more initial meetings to:

  • Determine project objectives, define scope, identify key and high-risk business units, and determine the appropriate level of granularity
  • Assign roles and responsibilities, determine clear timelines and deliverables, and create a detailed project plan and budget
  • Designate a data comptroller for the data map

2. Assemble: Identification and Data Gathering

A thorough process is essential to creating a comprehensive catalogue of data sources and custodians; it ensures no shadow or paper-based data systems are missed. Distribute questionnaires and surveys, conduct workshops and interviews, and follow up with secondary interviews.

Through automation, the number of staff hours needed to gather this information decreases, accuracy increases, and costs are reduced. Automation:

  • Provides automated information request notifications and reminders
  • Automates interview, questionnaire and survey templating, management, and self-submission
  • Tracks and manages responses to questionnaires, surveys, and interviews, and it monitors compliance with data mapping requests
  • Integrates with HR and IT systems to find up-to-date lists of custodians, servers, etc.
  • Builds compliance into daily workflows
  • Allows custodians and data stewards to self-upload information through a compliance portal
  • Allows managers and data comptrollers to track and manage compliance easily
  • Auto-populates the data map

Often, ESI is stored centrally in a data warehouse. However, many people will keep their own copies and set up shadow systems or data marts on desktops, removable storage devices, or in hard copy format.

An automated data map can account for private copies that are outside the normal parameters of a manual data mapping system. The best source of information for shadow data systems are individual employees, and it’s important to ask them pointed questions, such as:

  • Where do you store data other than central, non-custodial data sources?
  • Do you have a filing cabinet or paper-based storage system?
  • Do you use spreadsheets? Access databases?

This enables two-part automation: 1) When it’s time to refresh, shadow data sources are automatically accounted for; and 2) shadow data systems are searchable and can be exported to Excel or other reports, therefore ensuring no data will be missed during discovery or regulatory inquiries.

3. Analyze: Compile, Analyze, Synthesize Information

It’s not enough to gather the information; it must be organized in such a way as to maximize usefulness to key stakeholders. Automated solutions enable users to filter information by risk level and litigation profile, retention and governance policies, department or business unit, custodian or data steward, and discovery or hold history. A good automated data map solution should provide:

  • Intelligent data sculpting
  • Navigation dashboard
  • Reports and analysis that can be exported to Excel, etc.
  • At-a-glance views of overall data map structure, as well as the ability to drill down into business units, litigation profiles, and individual employee histories
  • A way to indicate legal holds on data systems, data stewards, and individual custodians

4. Automate: Tools and Technology

Tools and technology are utilized throughout the data mapping process – and, in fact, this step must be conducted in concert with all the other steps. Until recently, options for tools and technology have been limited to Word documents, spreadsheets, MS Access databases, custom or homegrown systems, or existing IT configuration management and tracking systems.

However, these tools are ineffective and do not offer an effective means of maintaining information from the data mapping process. It’s important to take into account pre-existing IT configuration management and tracking systems, which can serve as a frame of reference during the initial launch of a data map. However, these tools paint an incomplete picture of a company’s data universe. What leading consultants recommend is a compliance process control solution designed specifically to manage data mapping projects.

5. Refresh: Maintenance and Governance

The data map is a living document that must be consistently maintained to ensure accuracy, and the best, least painful way to ensure maintenance is through automation. An outdated data map represents a substantial legal risk that directly affects counsel’s ability to provide timely and accurate information required for judicial proceedings.

In the past, maintaining a data map was a painful, protracted process that required a massive, quarterly, manual effort. Often, many companies left their data maps to flounder rather than incur the costs in time and effort of keeping it up to date.

To keep the data map updated with an automated data mapping solution in place, all stakeholders must do is monitor compliance with processes set forth at the outset of the data mapping project. A good solution will provide alerts and notifications that make it easy for managers to monitor and manage compliance.

Business events, such as the addition of a new data source or system or HR changes, trigger intelligent workflows. The automated data mapping system can automatically send questionnaires and interview requests to employees, IT personnel, and other key data stewards, or it can search and crawl a company’s data sources periodically in order to ensure an up-to-date data map free from costly inaccuracies. Additionally, supervisors may log into the centralized system at any time to see and take action on detailed progress reports.

Result: An Evergreen Data Map

With the right mix of established methodology, tools and technology, the resulting data map should be self-sustaining, requiring little manual intervention to remain an up-todate, relevant tool for data analysis, litigation preparation and discovery, risk and compliance management, and IT processes. An automated data mapping solution is the only way to achieve an evergreen data map that provides the collaboration and visibility required by all the involved parties.

Bobby Balachandran can be contacted at bbobby@exterro.com.

From November - December 2009