One of the most pressing problems facing information management professionals at organizations is orphaned data — data that has no owner.
Without an owner, organizations will experience difficulties managing orphaned data throughout its lifecycle. Organizations need someone to authorize classification by record type or security level, or to pull the trigger on disposition — either to long-term write once read many (WORM) archive or for defensible deletion.
And for most organizations, spoliation isn’t the problem, it’s over retention. They keep everything forever — from critical business data to junk files — and incur high levels of risk and cost by doing so.
For all these reasons, handling orphaned data is a mission-critical problem for most organizations. Without the appropriate policy infrastructure and technology capabilities in place, they can’t begin to address data with no owner, and thereby carry the undue risk and cost associated with it.
Let’s take a look at how organizations can get a handle on orphaned data and chip away at the costs and risks associated with it.
Create a Policy
Start by creating a policy that defines how you'll manage orphaned data. And while the specifics of every organization's policy will vary, the core of it will typically read something like the following:
Any documents that haven’t been accessed in X years will be considered “orphaned data” (i.e., having no business owner). The information management team will take ownership of all orphaned data and be responsible for managing it throughout its remaining lifecycle, including disposition (deletion or permanent archival).
Once the Information Management team takes over orphaned data, they'll determining whether it’s on legal hold.
- If it's on legal hold, it gets handled according to legal’s requirements.
- If it’s not, the information management team determines whether corporate records policy requires retention
- If it is, the team ensures retention for the required period and then disposes of it
- If the orphaned data is neither on legal hold nor required by corporate policy to be retained, they delete it — full stop.
You can make this approach more granular by including different time periods for different functions (e.g., Real Estate vs. Billing) or adding additional compliance decision points (e.g., EPA, NERC-CIP). But by finalizing a basic, tailored approach for your organization, you remove the need to ask whether you can delete orphaned data — you simply follow your organization's policy.
Choose Your Technology
With policy infrastructure in place, decide what technology you need to support your efforts. Even small organizations will have far more documents to assess than they could reasonably do manually.
At the very least, you’ll need a tool to scan your unstructured repositories to determine the last time someone accessed the documents, and a tool to act on the scan's results, moving orphaned documents to a new location where information management can manage them according to policy.
At that point, you have to option to get more sophisticated about analysis. For example, the ability to search inside documents for sensitive data, such as PII or PHI or to identify exact duplicates of other documents.
Moving the documents can also get more sophisticated. For example, leaving a stub that links to the file's new location so an end user can find it if they need it. Even more sophisticated are pop-ups that tell users to request access from information management when they click on the stub.
Deploy the tech that allows you to enforce your policy.
Manage Organizational Change
The third piece of the puzzle is dealing with organizational change. You'll ruffle more than a few feathers managing orphaned data in the way I’ve described here. And while no easy answer exists on how to address this challenge, you can anticipate a few usual suspects to react for these reasons:
- Legal may want to keep everything because 1) they think it will more often exonerate them than damn them and 2) they don’t understand how to create a defensible disposition protocol, so they fall back on over-retaining
- Records Management often feels that only the business can decide what is a record and what kind of record it is, so the idea of anyone other than the business owning documents is anathema to them
- End Users might be scared by using a protocol to delete documents without asking their approval every time – what if we delete something we need later?
- Information Security — if Information Security is more focused on protecting the walls than cleaning up what’s behind them, they may hesitate endorsing efforts to purge documents
- IT – although IT is always excited to have less data on the systems they run and maintain, they may feel uncomfortable taking such a confident stand about deleting data that “the business should own”
The Time to Start is Now
Although a successful approach to managing orphaned data requires much more than I can cover in a blog post, hopefully you’re better aware of the risks, challenges and opportunities orphaned data poses at your organization and have a basic understanding of what kinds of things you need to do to begin addressing it.
And while I haven’t seen a ton of organizations effectively addressing orphaned data, chime in and let us know where your organization is at with orphaned data — let’s get the conversation started!