In the second half of our two-part series, I highlight the remaining steps businesses should take to effectively control their data.
3. CHARACTERISE, CLASSIFY, ACT
After your company has taken the first few steps towards getting a grip on its data, the next stage is classification. Given the amount of information typically at hand, organisations must be willing to sacrifice exact classification in favor of characterisation.
Characterisation aims to sort information within a margin of risk tolerance defined by the organisation and particularised in the context of the information at issue. Characterisation allows you to associate information with general retention policies and procedures, and then consider taking action against it.
After characterisation or classification, corporates need to act on that information. All actions should be defined, documented, and communicated to any information stakeholders through a defined communication plan, audience-appropriate training, and on-demand support. Information stakeholders include everyone involved in both the data governance initiative and in the daily creation and use of unstructured information.
Taking action on information assets without the adequate involvement of the information stakeholders is sure to raise issues. The same tools that can help to identify and characterise the information also may be able to act upon it. Depending on the tool and the desired action, many tools can move or remove selected data at the push of a button. But action should be taken only according to your overarching plan.
Take personal data as an example. The Hong Kong Personal Data Privacy Ordinance was amended in 2012, which drastically increased penalties and introduced new offenses particularly focused on direct marketing and unauthorised disclosure of personal data. By adopting stringent control over the characterisation, classification, and action of sensitive personal data, companies can better protect themselves against a maximum penalty of up to HK$1 million and imprisonment of up to five years.
4. IMPORTANCE OF A DOCUMENTED PROCESS
Ultimately, you will need to decide what stays and what goes as a result of your analysis. Each category should be the result of a deliberate process — one that is well-defined and documented, and one that closely mirrors existing records retention approaches.
Decisions should be driven by legal, technical, business, and risk considerations. For example, Hong Kong’s Securities and Futures Commission states that record-keeping is an essential part of the audit trail for the detection, investigation, and confiscation of criminal or terrorist property or funds. When deciding what data to dispose of, enterprises in Hong Kong should ensure they’re not deleting a precious part of their audit trail without carefully documenting their actions.
Accountability should also be defined, documented, and well-known. Information stakeholders should be aware of the cost, risk, and value inherent in creating and storing data, because that information belongs to the organisation, and whether it is an asset or turns into a potential liability should be everyone’s responsibility.
DATA MANAGEMENT ROI
So what benefits can corporates expect from conquering their data? Taking action can reduce the cost of information storage, back-up, and disaster recovery by reducing the amount of data that needs to be stored.
Right-sizing an organisation’s information repositories can also reduce the cost of complying with regulatory or legal requests as well-organised and appropriately sized data are easier to navigate and cheaper to collect, process, and review. It is especially true in highly regulated industry such as the FSI, in which regulatory body like the HKMA has the power to collect prudential data from authorised institutions on routine or ad hoc basis.
A successfully implemented data management plan also reduces risk by reducing exposure. For example, by disposing of information defensibly that is not subject to a retention period or legal hold rather than storing it indefinitely, organisations could reduce their exposure to future litigation or costly discovery requests.
A well-run data management program also can increase business agility by making it easier to locate critical business information and improving reaction time. How many “final,” “really final,” and “really, really final” revised documents do you need to sift through before you find the one you need?
In today’s information-fuelled society, Hong Kong organisations cannot afford to be in the dark about their data. Creating written policies and well-understood workflows around data management is a must.
Well-crafted and diligently implemented data management plans will help businesses avoid potential sanctions and administrative headaches, while reducing costs. Taking proactive steps with data management also pays big dividends for IT infrastructures and future workloads.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Hongkong Business. The author was not remunerated for this article.
Do you know more about this story? Contact us anonymously through this link.
Celeste Kemper is the Director of Document Review Services Asia for Epiq Systems. Celeste manages multilingual teams of lawyers and paralegals for document and audio review projects in Hong Kong, and assists law firm and corporate clients in the creation and implementation of review protocols, training materials and best practices. Prior to Epiq Systems, she was an Assistant Attorney General at the Texas Attorney General’s office where she was responsible for investigating and prosecuting health care fraud cases.