James Dawson, CSSLP®, IGP® · The Digital Universe Paradox

Posted 27-Jul-2020

Page 1: James Dawson, CSSLP®, IGP® · The Digital Universe Paradox

James Dawson, CSSLP®, IGP®, Director, Forensic Technology

KPMG LLP

Governance Risk: Privacy's Fit within the Data Lifecycle

(ISC)2 Educational Session 4337, Wednesday, September 14, 2016, 3:30 PM-4:30 PM

Page 3:

Where does privacy fit within the Data Lifecycle? This presentation will outline privacy within the entire data lifecycle, from creation to data destruction. The presentation will include details on compliant data privacy around the full universe of information governance needs, including the right to be forgotten. Attendees will learn practical and simple record data element controls to meet global privacy requirements where there may be conflicts in recordkeeping retention requirements. The presenter will detail how to effectively manage privacy, confidentiality and conflicting retention requirements imposed upon large and unmanageable information volumes when certain data elements must be redacted to meet global privacy requirements. The presentation will incorporate specific industry knowledge and leading practices that have led to actionable recommendations for Fortune 100 organizations.

Learning Objectives

» Understand that traditional "secure" data management addresses only 5 percent of corporate information.

» Understand WORM, and what data garbage is: data that is redundant, obsolete or trivial (ROT).

» Where does privacy fit within the Data Lifecycle?

Page 4:

“Why is privacy important in the data lifecycle?”

“The Why”

Page 5:

First differentiate between what is private (or contains PII) and what is Garbage.

Data Governance programs do not address 90-95% of an organization’s data! There is no holistic view of information governance. In Global 1,000 companies at any given time:

• 1% is on legal hold
• 4% is subject to regulatory or legal retention requirements
• 25% has business intelligence value
• Leaving 70% as ROT (Garbage): Redundant, Obsolete or Trivial Data

[Figure: Risk against Value. Nested layers, largest to smallest: All Structured and Unstructured Data / Electronically Stored Information (ESI); Potentially Governable Information, Records and Business Intelligence; Secure Data and Records. Also marked: Other Useful Data or Files that may include PII; 70% ROT.]

The point: Do not get too far into your security program until you can find and eliminate garbage, then do the hard work.

Page 6:

“Keep everything” strategy is bad business

eDiscovery cost: eDiscovery costs average $10 million per TB of reviewed documents.

IT storage and backup cost: Storage costs average about $5 million per PB of data stored.

Information overload: Users waste 30 minutes a day (16 days a year) searching for documents.

Privacy and security threats: Over 169 million personal records were exposed in 2015 (with an average cost per record of $154), stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors.

[Chart: Storage Requirements (TB), 0 to 45, by Year 1 through 10.]

Page 7:

Data Security Cost with or without Destruction

[Chart: Yearly Cost with or without Destruction, $0 to $3,000,000, 2015 through 2020; series: With Destruction, No Destruction.]

Page 8:

The Digital Universe Paradox

[Chart: Falling Costs, Rising Investment. Series: Cost per GB and Total Investment, 2010 through 2020, on two axes ($0 to $9.00 and $1,000 to $9,000).]

Source: IDC, The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East (Dec. 2012)

Page 9:

What Causes Data Garbage?

Dispersed Content
• Undefined records and non-records
• Inability to find definitive content
• Critical content dispersed across the enterprise

Isolated Application & Data Silos
• No record code assignment
• Disconnected applications
• Inconsistent data quality

Standalone Processes
• Spaghetti processes
• Manual workarounds
• Rework of ROT

Broken Collaboration
• Tribal knowledge
• Inability to preserve institutional memory
• Lack of professional networks

Page 10:

Information governance helps our clients achieve tangible benefits

— Curtail information growth – by reducing redundant, obsolete and trivial data

— Improve efficiency – by improving accessibility, increasing responsiveness and reducing time to find business critical information

— Reduce costs – by reducing costs of storage and eDiscovery

— Reduce risks – by improving protection against inadvertent data deletion, breaches and by improving protection of privacy


Page 11:

Industry Problem, Need and Challenges

The Problem: Unsupervised administration of regulated records accompanied by unrestrained data growth, resulting in the accumulation, retention, and mismanagement of vast quantities of physical and electronic data.

The Need: Address unrestrained data growth and retention of required regulatory and business records, in both paper and electronic formats, across different types of physical and electronic media, while increasing business value and decreasing associated costs and risks.

The Challenges:

■ Lack of policies and procedures around the management of information throughout its life cycle (creation, storage, use, retention and disposition)

■ Inaccurate application of regulatory and legal mandates and record retention schedules that address records across functions

■ Lack of clear definition and enforcement of records and information governance policies or procedures

■ Difficulty responding and adhering to regulatory, legal and operational demands for immediate record productions

■ Defensible reduction of records

■ System and storage media limitations holding records and data

■ Inability to guard against privacy, confidentiality and intellectual property breaches in customer data

■ Inability to curtail Electronically Stored Information (ESI) data growth and costs

■ Difficulty finding and sharing business-critical content to improve decision making and preserve institutional memory

■ Increased technology costs and overall operational costs due to lack of standardization

Page 12:

The True Cost of WORM for Private Data (not just hardware costs)

» But this 1 TB costs ….

Storage Tier      TCO/TB/Year          WORM TCO/TB/Year
Primary/Tier 1    $12,000 - $16,000    $60,000 - $80,000
Mid-Tier          $6,000 - $8,000      $30,000 - $40,000
Archive           $1,000 - $2,000      $5,000 - $10,000

[Pie chart: cost breakdown 60%, 15%, 8%, 7%, 7%, 3%; labeled slices include Staffing, Downtime - user productivity, IT staff training, and Server hardware.]

Source: Awaiting Confirmation

Page 13:

“How does Privacy fit in the data lifecycle?”

“The How”

Page 14:

The Vision and Scope of Information Governance:

The Vision: Develop a consistent global information governance program that will empower your client’s business teams to manage (protect, retain and delete) information assets as required by law, regulation and business needs, so that costs are reduced and risks are mitigated.

Goals: Protect Information; Retain Information; Delete Information

• Assign security, privacy, sensitivity, and retention classification to data

• Develop and publish global policies and schedules

• Retain data per its lifecycle

• Delete data at the end of its lifecycle

Means of Achievement (the Scope and the Tactics): Governance, Policy & Schedule, Operating Model, Technology, Security, People and Change, Metrics and Controls.

Page 15:

Privacy's Fit within the Data Lifecycle: Data Elements in Workday

[Flowchart with three swim lanes, shown here as a list.]

1. Employees Leaving

1A Request Data Report for terminees
• Identify Workday data set by leaving Employee ID
• Confirm that the Employee is not on Legal Hold
• Determine the PII Data Elements
• Identify days to implement purge (i.e. 30 Days)

1B Memorialize the Disposition Action
• Identify PII Data Elements
• Tag to-be-purged data elements
• Catalog purge elements
• Prepare the support ticket to Workday to have PII data permanently purged
• Submit the “de-identify personal information” request to Workday Support

2. Workday De-Identification and Purging (these tasks are the responsibility of Workday Support)

2A Workday Assesses Crew Data Set(s)

2B Workday Determines Data to Remain
• Confirm Statistical Crew Data to remain
• Mark Remaining Data elements
• Respond to Workday with any exceptions

2C Workday Builds Historical Reference
• Add remaining reference data to Smart Client overall Historical data set

2D Design WD24 Enhancements
• Develop integration strategies for Self-service

2E Design on-line Self Service Templates
• Template de-identification process to be made available within the self-service purge tool

3. Verify Purge

3A Request Reporting
• Review report of purged PII
• Request any re-purge of missed PII
• Communicate the PII purge in a report to Management
• Inform Workday of any process changes
• List and process steps needing adjustment

3B Archive the Workday Report
• Publish the purge report to the retention archive

Page 16:

Define the Capabilities: What does your client need to Protect, Retain, and Delete Information on a global scale?

Key Components of Global Information Governance (Means of Achievement)

Metrics and Controls: Specific metrics, controls and reporting requirements that are needed to justify spend or cost avoidance and foster protection, retention, and deletion compliance at all levels of the organization.

Policy and Schedule: The Global Policy and Master Retention Schedule memorialize the standards, principles, procedures, and expectations for managing information assets.

Operating Model: How the Information Governance capabilities, initiatives and services are to be delivered to manage information assets consistently.

Technology: The tools and infrastructure necessary to securely deliver Information Governance goals and capabilities. Supporting systems to be archived on write-once, read-many media or “WORM”.

People and Change: The personnel, communication, and training necessary to facilitate program adoption and continuous improvement enterprise-wide.

Governance: How Information Governance initiatives are developed and managed globally. Governance guides the Information Governance journey and removes organizational hurdles over time.

Page 17:

Steps

Setup governance bodies

Governance will be key to reposition decision making with the business.

Recommended governance bodies include:

1. IG Executive Committee – Provides overall guidance for IG. Balances priorities across business units and acts as the approving body for major Information Governance expenditures. Re-orients strategy when needed.

2. Senior Advisory Group – Develops new Information Governance initiatives and directs resources to the pipeline. Builds and maintains the initiative pipeline. Galvanizes support within the business lines and regional entities. Provides staff and support as necessary.

3. Working Group – Provides inputs and insights to set overall strategy & direction. Assesses new proposals for compliance with technology blueprints and standards. Notifies the Senior Advisory Group when triggers such as requests for funding appear.

4. IG Leader and Staff – Oversees and manages the performance of Information Governance program delivery and provides an ongoing health check of the entire delivery portfolio.

• Formalize and set up governance bodies, including booking of meetings in calendars, setting agendas, etc.

• Establish decision making, exception, and escalation procedures within each governing layer.

• Produce standard templates for status updates.

• Catalog the specific problems the Information Governance group is seeking to solve (this list will drive the initiative pipeline).

Quick Wins:

Leverage a global governance model that already exists at your client.

• Option 1 – Join an existing global program and utilize the group’s pre-existing sponsorship, budget, and meeting structures; or

• Option 2 – Use other global programs at your client as a reference model. Find out what works and what doesn’t.

[Org chart: Information Governance Executive Committee; Senior Advisory Group; Working Group; IG Leader and Staff. Functions represented: Governance, IT, Records Liaisons, Privacy, Security, Legal, Internal Audit, LOB Liaisons.]

Body, Membership and Meeting Cadence:

• IG Executive Committee: C-Suite executives within Corporate (CFO, CIO, CHRO, General Counsel). The Executive Committee meets with the Advisory Board once or twice a year.

• Senior Advisory Board: Business line leaders within Corporate. The Advisory Board meets with the Working Group once a month.

• Working Group: Business line and functional experts within Corporate and Local Markets. Meets once every two weeks initially.

Page 18:

Next steps

Establish global policy

A global policy will be a first step to maturing the Information Governance program. The global policy should provide a clear definition of “Record” and “Non-Record” and address critical topics such as:

• The purpose of the policy

• The scope of the policy

• Relationship to other applicable policies

• Roles and responsibilities

• General guidelines applicable to all countries

• Retention and storage standards

• Protection standards

• Deletion and disposition standards

• Training requirements

• Definitions

• Compliance timeline

• Compliance monitoring, reporting, and enforcement standards

• The regular update of the policy

Establish global retention schedule

A single global Records Retention Schedule of approximately 300 to 350 record categories, which addresses every aspect of the record/non-records lifecycle:

• Retain

• Clearly define a retention period that applies globally (or regionally) to records and non-records.

• Identify the system on which the information is stored and enable automated retention.

• Protect

• Assign security, privacy, sensitivity, and retention classification to each record/non-record category. Embed the classification definition in the policy and schedule so it is easy to follow.

• Example: “1” = Non-sensitive (no PII). “2” = Sensitive (credit card numbers, passport number). “3” = Highly Sensitive (SSN, ethnicity, medical information).

• Delete

• Clearly identify time and event based triggers for the retention period start and end.

• Delete non-records and records per their retention lifecycle identified on the retention schedule that are not on Legal Hold.

• Develop a global retention and disposition policy that spans record and non-record lifecycles.

• Develop the global retention schedule.

• Secure corporate level approval of the policy and schedule.

• Conduct global policy and schedule acceptance meetings.

• Solidify global policy and schedule acceptance and assign accountability to regional points of contact.

• Publish the policy and schedule.

Quick Wins:

• Adapt and adopt an updated records management policy for global use.

• Re-appropriate the record inventory created during the GERRP initiative where possible and reconcile it with the US and German Record Retention Schedules to create a foundational Global RRS.
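The Retain/Protect/Delete steps above, and the Workday purge workflow on the earlier slide, reduce to one decision per record: is its category on the schedule at all, is it on legal hold, has its time-based or event-based trigger expired, and if it is kept for statistics, which tagged PII elements are removed. The Python below is an added example written for this page; it is not code from the deck, from KPMG or from Workday. The category codes HR-010 and GEN-900, the one-year and five-year periods, the field names and the employee records are all constructed, and keeping employee_id as the retained reference key is an assumption. The 1/2/3 sensitivity classes are carried exactly as the deck defines them.

```python
"""Retention-schedule disposition check: time/event triggers, legal hold, de-identification."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Sensitivity classes exactly as the deck's schedule slide defines them.
NON_SENSITIVE, SENSITIVE, HIGHLY_SENSITIVE = 1, 2, 3


@dataclass(frozen=True)
class ScheduleEntry:
    """One row of a Master Retention Schedule (category codes here are hypothetical)."""
    category: str
    retention_days: int       # retention period counted from the trigger
    trigger: str              # "event" (e.g. employee termination) or "creation"
    classification: int       # 1, 2 or 3 per the deck's scheme
    pii_elements: frozenset   # elements purged when a record is kept only for statistics


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    trigger_date: Optional[date]   # event date (termination); None if it has not happened yet
    legal_hold: bool
    keep_for_statistics: bool      # the deck's "statistical crew data to remain"
    data: Dict[str, str]


@dataclass
class Disposition:
    record_id: str
    action: str                    # "retain" | "hold" | "delete" | "de-identify"
    reason: str
    redacted: Tuple[str, ...] = ()
    remaining: Optional[Dict[str, str]] = None


def disposition(rec: Record, schedule: Dict[str, ScheduleEntry], today: date) -> Disposition:
    """Decide one record's fate. Order matters: unknown category, then hold, then expiry."""
    entry = schedule.get(rec.category)
    if entry is None:
        # Nothing on the schedule means no defensible basis to delete: keep it and flag it.
        return Disposition(rec.record_id, "retain", "no retention schedule entry; classify first")
    if rec.legal_hold:
        # A legal hold overrides every retention rule, expired or not.
        return Disposition(rec.record_id, "hold", "legal hold in place")
    start = rec.trigger_date if entry.trigger == "event" else rec.created
    if start is None:
        return Disposition(rec.record_id, "retain", "retention trigger event has not occurred")
    expiry = start + timedelta(days=entry.retention_days)
    if today < expiry:
        return Disposition(rec.record_id, "retain", f"retention period runs until {expiry.isoformat()}")
    if rec.keep_for_statistics and entry.pii_elements:
        # Keep the non-identifying reference data; strip the PII elements tagged on the schedule.
        redacted = tuple(sorted(k for k in rec.data if k in entry.pii_elements))
        remaining = {k: v for k, v in rec.data.items() if k not in entry.pii_elements}
        return Disposition(rec.record_id, "de-identify", "expired; kept for statistics", redacted, remaining)
    return Disposition(rec.record_id, "delete", f"retention expired {expiry.isoformat()}")


def run_schedule(records: List[Record], schedule: Dict[str, ScheduleEntry], today: date) -> List[Disposition]:
    return [disposition(r, schedule, today) for r in records]


def purge_report(dispositions: List[Disposition]) -> Dict[str, int]:
    """Action counts: the raw material for the 'report of purged PII' the deck calls for."""
    counts: Dict[str, int] = {}
    for d in dispositions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


def _employee(eid: str) -> Dict[str, str]:
    """Constructed sample employee data, not real people. employee_id is kept as the reference key."""
    return {"employee_id": eid, "name": f"Person {eid}", "national_id": f"000-00-{eid[-3:]}",
            "home_address": "1 Sample St", "department": "R&D", "grade": "L3"}


# Constructed schedule: HR-010 keeps employee data one year after termination (event trigger),
# GEN-900 keeps general documents five years from creation. Both codes are hypothetical.
SCHEDULE = {
    "HR-010": ScheduleEntry("HR-010", 365, "event", HIGHLY_SENSITIVE,
                            frozenset({"name", "national_id", "home_address"})),
    "GEN-900": ScheduleEntry("GEN-900", 5 * 365, "creation", NON_SENSITIVE, frozenset()),
}

RECORDS = [
    Record("emp-001", "HR-010", date(2009, 4, 1), date(2014, 1, 15), False, False, _employee("E001")),
    Record("emp-002", "HR-010", date(2012, 2, 1), date(2016, 6, 1), False, False, _employee("E002")),
    Record("emp-003", "HR-010", date(2008, 7, 1), date(2013, 3, 1), True, False, _employee("E003")),
    Record("emp-004", "HR-010", date(2011, 9, 1), date(2014, 1, 15), False, True, _employee("E004")),
    Record("emp-005", "HR-010", date(2015, 1, 1), None, False, False, _employee("E005")),
    Record("doc-006", "GEN-900", date(2010, 1, 1), None, False, False, {"title": "old memo"}),
    Record("doc-007", "UNCLASSIFIED", date(2010, 1, 1), None, False, False, {"title": "orphan"}),
]

AS_OF = date(2016, 9, 14)  # run date; the session date is used here

if __name__ == "__main__":
    results = run_schedule(RECORDS, SCHEDULE, AS_OF)
    for d in results:
        print(f"{d.record_id}: {d.action:12} {d.reason}")
    print(purge_report(results))
```

Two design points carry the deck's argument. A record whose category is not on the schedule is retained and flagged rather than deleted, because deletion is only defensible against a published schedule; and the legal-hold test runs before the expiry test, so an expired record on hold is never purged. The de-identify branch is the Workday pattern: the record's retention has ended, but the statistical reference data stays while the tagged PII elements are removed and listed in the output so the purge can be verified and reported.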

Policy and Retention Schedule

Page 19:

Next steps

Centralized Model - Corporate Information Governance guides, implements and maintains all aspects of information management. The centralized Information Governance function based in Germany owns the requirements, outcomes, and implementation of the Information Governance strategy. Corporate Information Governance will issue policy directives and rationalize business requirements across all global business units. Corporate Information Governance will implement the strategy and maintain ongoing ownership of all Information Management systems and ongoing Information Management tasks.

Pros:
• Local countries achieve cost savings as Corporate’s involvement grows (economies of scale).
• Functional requirements are rationalized across regions.
• IG corporate makes technology selection decisions and establishes a uniform environment across systems.

Cons:
• A centralized approach can produce a great deal of cultural pushback.
• A centralized approach has high staffing requirements within the corporate Information Governance function.

Hybrid Model - Corporate Information Governance guides the information management strategy; other Corporate Functions and Country level functions operationalize the strategy. Corporate Information Governance will remain focused on strategy and results. Corporate Information Governance will issue policy directives, while country level Information Governance functions operationalize the directives. The Corporate Information Governance function rationalizes requirements and consults with Country level Information Governance functions in implementing them.

Pros:
• Country level Information Governance functions enjoy some autonomy.
• The Corporate Information Governance function can pivot efforts towards less mature markets as needed.
• Easily scalable to a “pure” Centralized model if desired.
• Utilizes labor within other regional entities (labor arbitrage).

Cons:
• Divergent and redundant technology environments could proliferate.
• The hybrid model, as currently envisioned, can only push out standards. The team will not be responsible for implementing policy, strategy, or technology.

• Adopt a hybrid model leveraging the US Information Governance team and build out appropriately-sized operational models for other countries.

• Establish clear lines of communication and governance processes between corporate and country teams.

• Develop processes for standards exceptions and escalation to handle conflicting corporate and country priorities.

Quick Wins:

• Leverage the current US Information Governance team structure as a template for building out the global hybrid operating model.

Operating Model

Page 20:

Next steps

Capabilities

Information governance across the following nine key capabilities should be included in the scope of the program:

1. File Shares – Leverage file shares for non-record storage only. Do not allow record storage on file shares. Enforce via global policy and perform quarterly audits.

2. Email Management – Develop email records and archiving requirements. Develop a reference architecture to manage emails and records content.

3. Content Management and Archive – Establish requirements and reference architectures for storing electronic documents and records. Systems archived on write-once, read-many media or “WORM”.

4. Physical Records – Develop a technology architecture to manage physical records.

5. Mobile and Social Content – Develop policies and architectures to manage mobile and social media (Yammer, wikis, and networking sites).

6. Defensible Deletion – Establish requirements and build out a reference architecture for defensible deletion.

It is critical for your client to understand the effect of IG on Security. We recommend your client:

• Establish information lifecycle requirements and policies that easily scale to the new capabilities.

• Establish how records/non-records will be declared, secured, retained, discovered and deleted within each system.

Additionally we recommend that your client:

• Incrementally develop requirements and reference architectures for key capabilities such as content management, auto-classification, and defensible deletion.

[Capability map: File Shares, Email Management, Content Management, Mobile and Social, Cloud / Collaboration, Physical Records, Internet & Web Content Management, Desktop, Auto-classification, Defensible Deletion; underpinned by Policy and Schedule.]

Technology

Page 21:

Next Steps

Sell Up

Sell Information Governance to your client’s leadership. Senior buy-in is critical. Change management starts with the executives. Educate them on the problem, explain the solution, and unravel the costs. Highlight the positive impact of IG.

Justify the investment in Information Governance in terms of Risk, Utility, and Value and seek approval to move the program forward.

Risk: A properly executed Information Governance program proactively mitigates breach and disclosure impact.

Sell Across

Identify allies and generate support. Identify key personnel within your client’s business lines and local markets.

Explain their role within Information Governance and enable contribution.

Explain how each stakeholder can contribute to Information Governance within the context of their own function at your client (cite specific tasks and business processes directly relevant to their day-to-day work and demonstrate “what is in it for them”).

Highlight the Positive Impact of IG. Example for New Drug Development: “IG is here to take the pain out of information management, so your client’s scientists can focus more on drug development and less on compliance issues.”

Sell Down

Sell Information Governance to your client’s employee community.

In reality, Information Governance is one large change management project.

Establish commitment from the employee community early on. Generate buzz and ask for feedback through a “Roadshow” campaign. Make the employee community feel a sense of ownership in the program’s development.

Conduct town halls, interviews and surveys within all levels of the organization.

Develop community commitment

As new initiatives are complete, continuously track progress and reward high performing individuals, departments or business units.

• Clearly define roles and responsibilities of embedded Information Governance Change Leaders and Champions within the business units/functions.

• Create a stakeholder tracking catalog to identify key stakeholders and determine targeted strategies to ensure their highest level of engagement.

• Assign accountability for Information Governance functions to appointed resources.

• Develop specialized training for record coordinators.

• Develop high-level training standards for each Information Governance initiative.

• Mandate each region to create training material as new initiatives are rolled out.

People and Change

Page 22:

Next Steps

Establish Baseline

• Assess where you are to establish benchmarks: data volume, millions in cost savings, IT costs, eDiscovery costs, and risk control and mitigation process costs across legal, records, privacy, business and IT.

• Define the specific cost and risk reduction quarterly and/or yearly objectives and fiscal milestones for achievement per Information Governance initiative.

• Establish audit, compliance and testing metrics such as inventory counts, growth rates, classification rates, training rates, disposition of inactive records reductions.

Measure Progress

• Mandate global adoption of baseline testing methodology, requiring all regions to submit metrics on a quarterly basis.

• Conduct analysis of policy adherence on a quarterly basis, measuring Information Governance program success over time.

• Leverage findings to assist the Advisory Board in prioritizing the initiative pipeline over time and report to leadership during oversight committee meetings.

• Continuously track and maintain an estimate of cost reduction and cost avoidance.

• Establish program benchmarks.

• Embed reporting mechanisms throughout the Information Governance processes.

• Perform yearly Information Governance program audit.

Metrics and Controls

Page 23:

Data Governance Recommendations

» Take out the garbage (destroy the ROT data)

• Get rid of ROT before you begin the heavy lifting of protecting your critical data assets

» Make Information Governance a continuous process.

• To realize true long-term benefits from the IG, adoption should not be viewed as another technology implementation project, but rather a transformative journey spanning from strategy through execution.

» Drive Information Governance Adoption from the top.

• Decentralized operation will hamper successful operationalization of IG. Organizations should manage Information Governance centrally, with a senior-level team that oversees the transformation process and guides strategic decisions to the larger employee community. Leaders at the highest level of your client should visibly promote and support the Information Governance program.

» Focus on strong leadership and engagement.

• Cultural alignment through all levels of the organization is essential to managing the change associated with Information Governance program adoption. Executive management should work to establish an aligned corporate culture at the outset, focusing first on getting the buy-in and support of cross-functional business leaders.

» Avoid silos.

• Information Governance succeeds when organizations are able to easily embed information management practices (protection, retention, and deletion) into every aspect of the business. Silos hamper global adoption, but collaboration powers it. Legal, Business, IT, and Records Management should work side by side on all IG-sponsored initiatives.

» Measure success.

• Your client must develop realistic and measurable outcomes for its Information Governance program. These measured outcomes must tie back to key business objectives and clearly indicate success or failure.

• A value-added, metrics-driven approach to Information Governance enables the organization to stay focused on achieving strategic goals and to understand when milestones have passed.

» Continue to take out the garbage.

• Cleaning up unnecessary data is not a one-time thing. Think of it as a corporation brushing its teeth each morning. Data Governance must be a continuous, regular event in the success of the organization.

Page 24:

Reasons, Costs and Risk

Each item is tagged as a Cost Unit or a Future Risk, with its source in parentheses.

• Paper-Based Transaction Costs (Cost Unit): Paper transactions are 24 times more expensive to process than electronic (AIIM)

• Finding Documents (Cost Unit): 30% of all employees’ time is spent looking for documents (Boston’s Delphi)

• Compliance Failure (Future Risk): $2.75 million sanction for failure to comply with a “print and retain” policy for email, plus exclusion of testimony (U.S. v. Philip Morris (2005))

• Destruction Policy (Future Risk): $20 million verdict in punitive damages; judge instructs jury that they can presume the email destroyed was damaging (Zubulake VI v. UBS (2005))

• Policy & Delegation of Authority (Future Risk): $15 million SEC sanction and judicial adverse inference for deliberate failure to produce all emails and attachments (Coleman Holdings v. Morgan Stanley (2005))

• Average Processing Cost (Cost Unit): Average processing cost for eDiscovery is $1,800 per GB, and the overall per-GB cost for compliance or legal recordkeeping is $10,000 per GB (Forrester)

• Review Costs (Cost Unit): $25 million to fully review 100,000 tapes to determine relevance to discovery or compliance requests (EMC)

• Inspection Costs (Cost Unit): $250-$325 per hour for outside counsel to review documents and determine relevance to a case (EMC)

Page 25

What can be saved by managing privacy?

GB of unnecessary data reduced each year after the plan is implemented: 500 GB

Cost to maintain ROT: $1,000 per GB per year (data in a global enterprise)

Cost to maintain unnecessary records (mostly obsolete): $10,000 per GB per year (record or discovery data in a global enterprise)

Of the data collected for deletion, share that is ROT: 95% (the remaining 5% is records; this is the split the savings figure below uses)

Yearly savings: $725,000 per year (500 GB × 95% × $1,000 + 500 GB × 5% × $10,000)

Savings after 5 years: $3,625,000

Number of regulatory exams per year (global regulators): 16 (4 exams in each of 4 global regions)

Number of global active matters: 50 (matter workload annually)

GB of data per matter not collected due to the project: 30 GB (data not collected or entered into the matter workflow)

Cost to maintain unnecessary records: $10,000 per GB (record or discovery data in a global enterprise)

Number of leavers per country: 4 employees per year

Number of customer leavers per country: 1,000 customers per year

Number of secondary or support systems that should be on WORM: 4 systems

Estimated cost avoidance (avoiding fines or penalties): $3,600,000, based on recent SEC fines for failure to use WORM storage

Yearly savings for maintaining an IMHO: $4,500,000 (first year)

Savings after 5 years for a successful and continuous IMHO: $22,500,000

Page 26

Savings Opportunities: Over-Retention

[Chart: U.S. Legal Entity – Equities Orders Disposition Cost Avoidance Opportunity, 2012-2017; y-axis $0 to $4,000,000; series labelled "+6 Disposed" and "+3 Disposed"]

Situation

- Cost optimization is a strategic enterprise initiative

- Retention policies are maintained, but structured data has not been classified

- Legal holds are not directly tied to systems or records

- Data is growing at a rate of 57% a year

- Lack of desire to make a sizable capital investment in "solve world peace" software solutions

Cost Avoidance Opportunity

■ Savings at the individual application or database level may not be very compelling, but when aggregated across tens, hundreds or thousands of applications or databases, the opportunity is significant

■ Peer project case study – tactical and simplistic approach to optimizing technology storage spend and generating sustainable cost avoidance

– 7% storage cost avoidance identified on production databases using the conservative "+6" disposition required under SEC Rules 17a-3/17a-4. An effective archiving strategy would have allowed for 17% savings (the regulatory retention limit for trade confirms and tickets is 3 years)

– Does not include savings associated with eDiscovery, legal costs and settlements, regulatory compliance, IT administration, loss of productivity/performance and allocations (such as software, real estate, power, etc.)

Page 27

Savings Opportunities - Details

» Savings at the individual application or database level may not be compelling, but when aggregated across tens, hundreds or thousands of applications or databases, the opportunity is significant.

Cost Driver: Redundancy

- Characteristic: Copies of reference data across disparate environments. Common response: Application rationalization. Savings opportunity: $500-$1,000 per app server.

- Characteristic: Copies of transactional data. Common response: Data rationalization. Savings opportunity: $5,000-$10,000+ per database.

- Characteristic: Data mart sprawl. Common response: Data strategy.

- Characteristic: Unrestricted end-user entitlements. Common response: Enterprise-maintained access methods.

Benefits:

■ Improved process and reporting accuracy

■ Improved data quality

■ Centralization of support resources

■ Rationalization of tools

■ Simplified data ecosystem

Cost Driver: Over Retention

- Characteristic: Unenforced retention limits. Common response: Disposition framework, contract and process. Savings opportunity: Up to 30-50% of storage costs.

- Characteristic: Slow or nonexistent release of legal holds. Common response: Legal hold workflow process.

- Characteristic: Over-engineered backup and recovery (BAR) keeping copies of data for all production systems. Common response: BAR strategy.

Benefits:

■ Reduced eDiscovery costs

■ Reduced external legal expenses

■ Reduced legal exposure

■ Reduced BAR costs

■ Reduced risk of inadvertent disclosure

Page 28

Definition of Data as a Record

"Records – documents or information, in any format, created, transmitted or received in the course of your client's business, and included in the Records Retention Schedule because they must be kept for legal, accounting, tax or other regulatory or compliance requirements, or an approved business need."

Everything else is GARBAGE!

Page 29

The Design Strategy

Record Format: Structured

- Option #1 (System or Archive Report Out): apply retention to the report

- Option #2 (Systems of Record): apply retention to the system

- Option #3 (Online): apply retention to the data, with Records Retention Schedule (RRS) mapping to the source system; covers unstructured and structured electronic data

Record Format: Unstructured

- Option #1 (RM enabled): use native records management (RM) functions

- Option #2 (RM not enabled): use a manual process, or migrate or move records to an RM-enabled system

Application of Retention: apply to the report, the system or the data, as above, then Dispose once the retention period has run.

Page 30


The information contained in this presentation is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Restriction on Disclosure and Use of Data – This document contains confidential or proprietary information, the disclosure of which would provide a competitive advantage to others; therefore, the viewer or recipient shall not disclose, use, or duplicate this document, in whole or in part, for any purpose.