The classical records management lifecycle (which consists of creation, classification, maintenance and disposition) is fine if there is a records management implementation across your estate that manages the important data.
If there is no recognizable records management lifecycle, what then is the fate of unstructured files and documents in your business?
At NOW Privacy, formerly known as DocAuthority, we spend a lot of time working with customers on their unstructured data and this is our approximation of the typical life-cycle for most files and documents.
Step 1: Access and enablement
Only a small proportion of files and documents in business are created from scratch and published as a wholly original product. However, in most instances, a dependency for the lifecycle to begin is for access to existing data to be granted. Equally, parties may be able or enabled to go and acquire new data.
Step 2: Generation, derivation and synthesis
I prefer to think in terms of originators, creators and owners rather than authors. Those files, documents or data to which access has now been given are analyzed, reviewed and inspected. Further content is then derived, inferred or synthesized from them.
Step 3: Publication, disclosure and transmission
Files and documents once created will be stored, accessed, emailed, printed, backed-up, migrated and copied. Any output will potentially be used to create further derivative files and documents
Step 4: Storage and proliferation
Storing data costs money. There is also the risk of sensitive data being disclosed for as long as the data is in existence. As the data becomes less accurate and any lawful basis for holding it diminishes, any regulatory risk grows.
You can read here in The True ROI of Information Governance, how the probability of re-using data drops to around 1% after 45 days and often, a lot sooner.
Step 5. Possible disposal
After step 4, the data may at some future point be disposed of. While the data remains in existence, any consequential cost and risk will remain too. Risk and costs grow as more files and documents are added over time. However, businesses who are burdened by years of inaction can realize significant benefits quickly and easily. There is some material here about how NOW Privacy is helping businesses to address years of data proliferation.
In conclusion, here are some useful talking points.
- Who owns the cost and risk of the clean up?
- Granting access to data, particularly if it is sensitive or has regulatory implications, needs to be controlled – this is where problems can start
- Derelict data (data to which only expired users and IT have access) is a special case – what is the plan for this?
- You can realize significant savings and reductions in risk through identifying and purging obsolete data – what is the plan for this?
- How do the principles of GDPR play out against this conceptual life-cycle?