We are excited to introduce our new TCDI blog series: The Corporate Data Explosion. This series will explore the operational, financial, and legal risks that organizations are facing as a result of the continued rapid expansion of data types, data systems, data flows, and data volumes within a modern information technology ecosystem. At times, the risks (and even the mitigating solutions) appear to be quite transparent. Most of the time, however, the web of data and data flows across a patchwork of systems serves to obscure answers to even seemingly straightforward questions.

 

Who here knows how this data and its related systems all work?

One of the true market benefits of the rapid deployment of cloud-based systems is that organizations of all sizes can access the same high-end platforms to enable their business operations without making a substantial investment in the traditional infrastructure and human capital needed to implement and support such systems. The necessary corollary to this trend is that organizations (both large and small) now face a true knowledge gap regarding many of their information technology systems.

While new cloud technologies can be implemented within an organization often within days to weeks (rather than a typical months-to-years for a traditional hosted system deployment), obtaining true internal expertise about how a system really works is far more challenging. Such deployments rarely enable the necessary expertise to guide an organization through a legal matter or cyber incident.  

Who is using this data? For what ongoing business purposes?

The line between data that serves a current (or future) business purpose is typically, at best, murky. Data, especially data regarding products or customers, is often generated at a substantial organizational cost. Determining if such data has true ongoing value often results in a risk triage leading to a “retain it all” approach.

For many organizations, the inertia driving retention is countered by emerging “data minimization” requirements – often established via a complex set of domestic and global privacy and data security regulations, standards, best practices, and, at times, enforcement actions. These return us to the fundamental risk question – if we, as an organization, cannot articulate to ourselves our ongoing business need to retain the data, how can we ever hope to convince a regulator that such continued data retention is necessary and appropriate?

How will data/risk decisions be made?

To begin to answer that question brings us to another – where and how will such data/risk decisions be made within an organization?  Determining these structures and how they can support the identification, mitigation, and, at many times, acceptance of data-driven risk is critical.

There are no “one size fits all” answers here. There is only the perspective of where others have traveled – both to success and to something that may best be described as a “learning experience.” The conversation cannot be unidirectional – the voices of legal, compliance, IT, cyber, and most importantly, the business are critical for any meaningful set of structures and outcomes.

Introducing: The Corporate Data Explosion blog series

To that end, in this series, we will talk with legal leaders who help guide these data risk conversations as trusted internal or external advisors. We will seek to learn how organizations are operationalizing their data risk processes and seeking to place pragmatic governance around what, at first blush, appears to be ungovernable.

We will explore how global data flows introduce a myriad of new challenges. How can an organization develop global strategies and approaches in light of often contradictory localized requirements? How does the continually increasing mobility of customers and employees change how we view data locality?

We will dive into the one thing that may outpace the growth of data within organizations, namely organizational change itself. How can a governance framework and data/risk calculus be maintained through acquisitions, joint ventures, and collaborations?

We will ponder the fundamental issues of data as a source of organization (and evidentiary) truth especially under the emergence of AI-driven content creation. As data and data complexity continues to grow, how will the necessary use of AI-driven technology interplay with legal and regulatory requirements that data represent some form of truth? How can such truth be established or validated?

Finally, we will look at these, not just as intractable academic challenges, but as practical, everyday opportunities for an organization to balance data risk and data opportunity – to meet legal and compliance requirements, to mitigate operational risks, to control costs, and to maintain competitive advantage in the marketplace.

Above all, we will explore these challenges with an eye towards sustainability that views the “data explosion” not as something that must be “put back together” but as something that must be taken on its own terms. The lines between data, information, risk, value, and opportunity will continue to shape our modern environment. Thank you for joining us on this exploration!

Andy Cosgrove

Author

Share article:

Andy Cosgrove is the Chief Strategy Officer of TCDI. He is responsible for guiding the development of innovative technologies and strategies that enable TCDI clients to mitigate legal risks and minimize costs in the areas of eDiscovery, information governance, cybersecurity and data privacy.

Andy brings over 20 years of experience as both outside counsel at AmLaw 100 law firms and, most recently, as in-house managing counsel leading information governance and eDiscovery teams at Juul Labs and General Motors. Learn more about Andy.