Information Knows No Borders: Business Profile is a Prerequisite to Updating a Retention Policy
Updated: May 24
In today's rapidly evolving technological landscape, companies generate large volumes of data from various sources, including artificial intelligence, the Internet of Things (IoT), and pixel tags. While this data is critical to business operations, it also presents new challenges in information management and can become a liability. Companies must understand their information footprint and determine when information should be deleted to reduce risk and liability. Information's value decreases over time, and over-retaining it can have significant consequences ranging from damaging a company's reputation to privacy fines. Retention policies and schedules must include today's newly generated information to avoid legal and regulatory issues, cost, and litigation challenges.
This blog will focus on how a company should consider updating its retention schedule. Traditionally, updating a retention schedule involved researching relevant laws and regulations to identify any changes in retention obligations. However, this approach is no longer sufficient with the proliferation of new data, technology, and business activities. Instead, companies must operationalize the retention schedule update process, starting with building a business profile that outlines, at minimum, the company's activities and where they conduct those business activities. A business profile defines what a company does and where they do it. It seems simple, but information knows no borders today, which makes it very complicated. A business profile is necessary to reduce the risk of forgetting information that needs a predictable end-of-life established, especially if it contains sensitive data. Newly generated data is growing and moving fast.
Data no longer sits ideally in one environment; it is transmitted, shared, sold, etc., at the speed of light. It should be assumed that routinely a new type of data is being generated, used, received, sold, shared, etc., in the company.
Build a Business Profile
So how do you build a business profile? Collect knowledge about the company's business activities. The graphic below shows various avenues that can be used to collect data about what the company does and where it does it. The traditional approach of "inventorying" information assets through department representatives is not exhaustive enough in today's complex information landscape, and it can leave high-risk data ungoverned.
Before digging in, create a document, spreadsheet, or database that tracks what is being identified as business activities, what information it may utilize, and what jurisdictions are applicable. As you identify ways to explore your company's business activities, develop a process that can be operationalized. This will be discussed in more detail later in the blog. Keep it simple; don't over-engineer the process or tool to track business activities and jurisdiction. If you make it too complicated, operationalizing will be a bear.
Dig, Dig, Dig
As the graphic shows, there is no simple way to determine a company's business activities without doing some work. The retention program must lead the efforts to dig in through various avenues. Today, companies and information have no borders that keep them contained. It is impossible to understand what laws and regulations apply if you can't identify the business activity and where the company does it. Let's discuss some of the diggings that can be done to build the business profile.
Organization Charts & Business Activities
Organization charts are a great way to identify business activities. They help ensure that areas of the company are not forgotten. Start at the organization's top and work down and across to identify business units, departments, horizontal functions, and roles that may utilize information. For each of these, take a pass at identifying what business activities are performed. This can be done through interviews, surveys, or workshops, reviewing shared drive taxonomy and labeling, reviewing ECM taxonomies, reviewing processes, SOPs, and procedures for the area, etc.
Using the organization chart will help identify "hidden" activities or often overlooked activities.
For example, the innovation department or equivalent is typically in the R & D business unit and often overlooked because they are considered a "playground" and not a department that generates information that has a long-term business or legal value. Today that is an incorrect assumption. The innovation department uses newer technology like Artificial Intelligence (AI) to predict the future better.
The data used by AI technology can be bought, shared, analyzed, and sold – all these business activities involve information, and the company is responsible for managing this data, especially if it has sensitive health or private data.
Dig deep and wide, as some activities are so small, have high liability information under control, and employees may forget about identifying them. Be sure to look for outsourced business activities that the department manages. Outsourcing a business activity component is very common, where certain activities require specific expertise. However, even though it is done by someone other than one of the company's employees, the company still has management responsibility for the data. Identify it and vet the details of ownership later.
Conduct research to understand the company’s strategies and objectives in recent years and what they are currently. This knowledge will help unearth potential new activities, technologies, and practices. For example, a strategy to reduce manpower on the manufacturing floor may aim to implement automated quality review cameras. These cameras will generate a new type of quality data that a human reviewer didn’t generate (i.e., images, training/data models, etc.).
Publicly Available Information
Read, read, and read more about the company. Press releases, annual reports, the web, regulatory filings, etc., provide knowledge about your company’s activities. For example, press releases are usually issued when new products or services are introduced, and the company is divesting a portion of the business or acquiring another business. For example, Microsoft’s acquisition of Activision Blizzard expanded their business activities into the gaming industry, and Oracle’s acquisition of Cerner created a healthcare line of business for them. New lines of business are not always so large and prominent, such as adding transmitted data to an existing product (i.e., stove, microwave). Each new business activity, product or product enhancement, improved customer service, improved quality, reduced cost, etc., warrants investigating what further data is being utilized. Word of caution: Confirm and validate if the company doesn’t publish the data.
Contracts are a good source to identify information that the company utilizes, sells, shares, etc. Contracts can identify system acquisitions and licenses, new technologies, new storage locations, relationships that have a data component, product components that may store or transmit data, business processes that have been outsourced, data ownership clarity, etc. Contracts are often overlooked when companies build or update retention schedules. This kind of review continually exposes some high-liability information that needs to be addressed in policy.
Learn from existing policies and procedures across the organization. IT or the product business units are usually good sources to start with. Look at what they are governing as it relates to information and technology.
For example, IT usually has a policy or SOP about drones on-premises, and the product department may have a procurement policy for drones used in relation to customer activities.
IT usually has an asset inventory that includes systems, applications, cloud solutions, technology such as IoT devices, and pixel tags. Work backward from the list. Identify what business activities the application automates and what departments use the application. Additionally, business units most often have policies or procedures related to specific business activities that are a wealth of knowledge about what the business unit does daily. For example, you’re a payroll processing company with a customer service helpline. The customer service department will have a manual for all representatives, and in the manual, there might be a process outlining how to return a time clock for warranty repair. Who knew there was a small repair department sitting in the corner of the basement generating information and potentially handling private information stored on the returned time clock?
Explore the various ways technology and information can sneak into your company’s ecosystem. Entry points into an organization are not as clear as one might like. Below are points of entry to consider when building your business profile. For each point of entry, there is more than likely a formal process or “off the books” process that needs to be examined to determine what is funneling through it, what inventories or artifacts exist that would explain technology or data that came into the ecosystem through that route. And, ultimately getting a link to the process for feature knowledge.
Traditional Procurement/Purchasing Process: Business units use the traditional procurement process in the company to source technology.
Business Process Outsourcing: Business units outsource business activities to a third party and with the contract comes technology that the supplier uses to support the business activities.
Third Parties, Contractors, Third Party Administrators: Business units engage with businesses that provide administrative services on behalf of another company. Often the services require technology to support the data that is generated by the business process.
Android and iOS Apps: It is common for company’s to develop Android and iOS apps to create stickiness with their clients. These apps collect data, often sensitive data like geolocation, behaviors, etc.
IoT Devices: IoT devices come in all sizes and shapes and are used for many purposes. They can be used for internal activities such as monitoring inventory on racking systems or in products to monitor customer behavior. They can be hidden in products (i.e., trash cans that send an “I’m almost full” signal to waste management).
Artificial Intelligence, Machine Learning, etc.: AI, ML, and similar technologies allow organizations to be creative. Identifying where this technology is used and how it gets into the company can be challenging because it usually operates under another activity.
Acquisition or Sharing of Information: Businesses are always looking for data to acquire or share to advance their market position or reduce operating costs. Acquiring and sharing data can be buried deep in a contract, agreement, or standard operating procedure.
Shadow IT / BYOD: Employees can often use their devices and software to do their work more efficiently. Virtual workplaces have added to using personal devices to conduct company business.
Open-source software: Companies can use open-source software for free, without going through the purchasing department.
Cloud services: Many cloud services offer free or low-cost versions that can be used by individuals or small teams.
Crowdfunding: If a company wants to develop a new product, they can use crowdfunding platforms like Kickstarter or Indiegogo to raise funds from the public.
Hackathons (internal and external): Companies can host hackathons or innovation challenges to encourage employees and third parties to develop new technologies and products.
Gamification: Companies can use gamification to engage employees and encourage them to adopt new technologies or work processes.
Open innovation: Companies can use open innovation techniques to collaborate with external partners, such as customers or suppliers, to develop new technologies and products.
Data Transmissions: Data transmission is another activity that is often overlooked in the contracting and procurement process. Many products and internal process improvement solutions are transmitting data today.
Laws and Regulations
This will vary by industry and business activity, but some initial homework and research can find critical laws and regulations that can be reviewed to determine what they are governing. This can be thought of as working backward to determine what information a company generates.
For example, the insurance industry has model laws published by NAIC that state regulators can adopt. Explore the model laws to learn what business activities and associated information they recommend must be managed.
Validate the Business Profile
Once a draft of the business profile is complete, it should be socialized with critical stakeholders to ensure its accuracy. This may include senior leaders from each business unit, including IT, legal, compliance, and governance professionals.
Operationalize The Business Profile
Toward the beginning of the blog, developing a process that could be operationalized as you found a viable avenue to explore was recommended. For example, if researching the company’s annual report was valuable in determining new lines of business or new technology implemented, then have a process to know when the annual report is released each year and implement a review period immediately following. If reading contracts exposed data entering the company’s information ecosystem, work with procurement and legal to determine how you get into the review process or, at minimum, access to review contracts once they are sourced. If reviewing the IT project or information asset list provides knowledge of new systems or technology entering through IT, then work with IT to get a notification when these are moving through the approval process. Updating the business profile and schedule will become organic and not be a huge task every few years. It will also ensure newly generated data has end-of-life determined when it enters the company or shortly after that.
Business Profile Complete, Now What?
The business profile can be used for various purposes. Still, as it relates to the topic of this blog, updating the retention schedule, the business profile should be used to guide the organization through an inventory process to identify information assets, determine if the information is a record or non-record, storage location, security classification, etc. and confirm jurisdictions.
Each business activity identified when developing the business profile should have an information asset or many assets placed during the inventory process. If it does not, then further exploration needs to occur to understand why the business process uses no information. That seems highly unlikely, given today’s world. After all, information is identified, the existing retention schedule can be updated or created if the company doesn’t have one or wants to use a more modern style schedule.
The business profile can be shared with other information governance initiatives like privacy and security to ensure those programs have addressed all information assets.
Food for Thought
Many companies have advanced the purposes of a retention schedule. They are using the schedule as an “information asset inventory” that holds other information governance knowledge such as privacy (i.e., Personally Identifiable Information: Social Security Number, PCI: credit card number, Health Information: Diagnosis), security (Trade Secret, IP, Confidential), and storage location (i.e., SAP, SharePoint, Datawarehouse).
In conclusion, updating a company's retention schedule is essential in today's rapidly evolving technological landscape. Companies must start by understanding their business before understanding their information assets. By doing so, companies can be more confident that they have a predictable end of life for the information they are responsible for managing and protecting.