Erin Lamb is a business intelligence solutions consultant. She spent ten years at Yahoo!, where she was responsible for several large-scale reporting solutions. She applies her experience to help organizations proactively manage data by identifying, analyzing, and preserving information that is considered an asset. She also consults with organizations regarding information that has lost its value and has become a liability for the organization. This type of analysis enables defensible deletion.
How Does the Advent of Cloud-Based Client-Side Applications Impact eRisk?
BY ERIN LAMB ON AUGUST 2ND, 2013
Cloud solutions enable individual departments, from Marketing, Sales and Finance to Procurement and Operations, to engage directly with application providers and manage significant business processes outside of the organization. Some of these vendors emphasize freedom from IT as one of their key selling points, for example: “Get around IT with quick-to-implement solutions on the cloud!” As solutions move outside of your company and the data related to them is generated there, how do you ensure compliance with your policies?
In many cases, budget ownership is departmental and vendor selection is taking place with limited IT involvement. Legal is brought in only to finalize contracts. Business people with titles of VP in Product Management, Sales, Marketing, etc. are making high-stakes decisions about technology and venturing into risk areas related to data policy and compliance without even realizing it.
Historically, business users have relied on their IT organizations to build applications and deliver data through traditional data warehouses and data marts with secure reporting and analytics tools. Compliance and information governance policy ran through IT in the form of retention and deletion policies. Data access was governed through auditable admin tools with approval matrices.
With this new shift in technology acquisition capabilities, people outside of the traditional domains of IT and Legal need to understand your policies regarding data capture, use, access, retention and deletion. Compliance policies must be binding on anyone in the organization who engages with third parties for cloud-based applications or data solutions.
There are several ways an organization can approach the problem of ensuring compliance with hosted applications.
1) Establish an applications data governance and compliance team
The governance and compliance team consists of one or more members of the Legal department who have specific expertise in the areas of data security, compliance and risk. This includes not only knowledge of SOX and PII, but also the ability to provide guidance on overall application data access, use, retention and deletion policies. Functional representatives on the team include members from key departments such as Product, IT, Marketing, Sales, Operations, and Finance. This core team represents the corporate experts in the area of application data management.
2) Develop compliance training materials
For the broader organization, basic compliance training can help everyone understand the policies of the organization regarding how data generated or consumed by applications should be handled. The compliance training also familiarizes employees with the data governance and compliance team so that everyone becomes aware of this important group.
3) Perform an audit of current hosted solutions
If the only way to know what solutions are running in the company is by asking Legal to pull copies of signed contracts, then the organization could benefit from an audit. The audit should address what solutions have been implemented, who is using them, what data is being consumed or generated by them, and what data practices they employ. Ongoing maintenance of active contracts should be a function of the data governance and compliance team, with rigorous attention to terminating licenses for unused solutions and ensuring complete data repatriation and/or deletion as part of those terminations.
While the advent of so many new cloud-based applications has made it easier than ever for businesses to quickly implement new capabilities, it has fundamentally changed the relationship between business teams and IT. As a result, business teams need to take on some of the responsibilities formerly managed by IT. Many organizations have formed an Information Governance Committee to address these issues, and the trend is on the rise.
By forming cross-functional governance teams, providing compliance training and staying on top of what solutions are deployed across your organization, you can reduce your legal risk related to data capture, use, access, retention and deletion.