Category: Business Processes

Business Processes Events Information Governance

We’ve Won! 1st place in our 2019 Information Management Today MVP Awards

By Rafael Moscatel, CIPM, CRM, IGP on

The people have spoken and our article, “7 Ways to Prepare Data in the Age of Privacy and Information Governance,” has won 1st place in the 2019 Information Management Today MVP Awards Other category! Thank you to all of our subscribers!

Article reprinted below!

Content may still be king, but now the rights to some of it may belong to the people! In response to the EU’s General Data Protection Requirement (GDPR) and recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size but each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.

Notably, while many companies are already familiar with records retention laws, these latest controls also introduce a duty to destroy data once no longer required for a legitimate business purpose. For entities that have grown accustomed to leveraging cheap digital storage, this new responsibility presents a number of logistical hurdles.

However, directives on how you may use your customer’s data or any other information you store doesn’t necessarily have to be burdensome. In fact, these new guardrails present numerous opportunities to implement better governance, monetize the lifecycle of information assets and foster trustworthy relationships that can actually enhance the customer experience.

These 7 tips can help prepare your data to support an IG strategy:

  1. Automate Retention Schedules – Legal and compliance requirements are the cornerstones of corporate governance programs. Yet tracking the multitude of historical and emerging state, federal and international laws and regulations that affect your data decisions can be a monumental task that even the most robust law departments aren’t prepared for. Consider leveraging SaaS software to keep your Risk, Compliance and Legal staff current on the latest citation changes to these nuanced instructions. These tools empower you to defensibly destroy and cleanse costly data no longer useful to your organization.
  2. Cover Your Assets – Satisfying new compliance requirements like GDPR and CCPA means it’s not enough to simply know what kinds of records you keep, you need to know what systems they’re kept in and how that data flows between them. That’s why Chief Data Officers and Enterprise Architects are increasingly embracing asset management tools that not only perform diagnostics on their application stack but allow them to inventory their attributes and map related processes that inform long-term strategic roadmap planning. Tools like these also help support application rationalization projects which in turn aid in classification and disposal of unneeded data.
  3. Introduce Big Buckets – The biggest challenges with enforcing retention across an enterprise are “event triggers” that complicate how long sets of records must be retained. For example, an employee file might be held X years following a termination “event.” Big Bucket strategies allow you to simplify and group “like” records together to support more efficient destruction actions while assuming some risk. Work with your governance partners to determine reasonable standards for a Big Bucket policy and quantifying the acceptable amount of risk your company is willing to assume to achieve cost and efficiency benefits.
  4. Enforce Legal Holds – Cleansing your data lakes and silos to save costs and minimize risk is an exercise in defensible destruction but requires awareness of outstanding legal holds. A company that spoliates evidence subject to a legal hold, even without malice, can be fined and suffer adverse inference litigation rulings resulting in unfavorable judgments. Additionally, healthy oversight of records under a preservation hold doesn’t just make good legal sense, it can also help better identify opportunities for even more defensible destruction, cost reduction and risk mitigation.
  5. Activate File Analysis – The tricky thing about new laws like the CCPA is that they require companies to find and produce data for the consumer wherever it exists. That can be a cumbersome test for many entities that have hundreds or thousands of repositories. Luckily, advanced File Analysis tools can plug directly into your network and help quickly identify sensitive and personally identifiable information (PII). They can also help you deduplicate records and find redundant, obsolete and trivial data clogging your systems, also known as ROT. These tools produce a tangible ROI that management can point to as a prime example of why IG works.
  6. Embrace Content Migrations – Unless you’ve only lived in one home your entire life, you’ve probably experienced the cathartic process of cleansing your old wares in preparation for a move. Bringing in a new content management system is not much different and it’s a unique opportunity to apply retention to your data, discard ROT and provide employees with more accurate knowledge resources.
  7. Bake-in Best Practices – Information Governance is not a “one and done” proposition, it’s a rinse and repeat discipline that only works when management sees to it that organizational culture is along for the ride. These days a basic understanding about data handling is vital for every new hire. Concepts like records retention, data protection and privacy should be part of any overall corporate training plan.

By complementing policy frameworks and toolsets with the types of Information Governance approaches noted here we can better enable our workforce to hone their knowledge skills, achieve defensible destruction and improve audit outcomes. In effect, we are future proofing ourselves for a business world destined to face increased scrutiny and under siege from data breaches and privacy issues with seemingly no end in sight. IG is the bright light at the end of that tunnel.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Posted in: , ,
One comment
Business Processes Information Security Privacy

CCPA Rulemaking Activities – Upcoming Hearings

By Rafael Moscatel, CIPM, CRM, IGP on

CPA Rulemaking Activities – Upcoming Hearings

On October 10, 2018, the Attorney General released proposed regulations for the California Consumer Privacy Act of 2018 (CCPA).  The California Department of Justice (DOJ) will hold four public hearings to provide all interested persons the opportunity to present statements or comments on the proposed regulations, as detailed below.  The hearings will begin promptly at 10:00 a.m. and will conclude when the last speaker has finished their presentation.  Please note that attendees may be required to go through building security before entering each venue.  For more information about the public hearings, and to RSVP, please visit: https://www.oag.ca.gov/privacy/ccpa/rsvp.

The deadline to submit written comments is December 6, 2019 at 5:00 p.m. (PST).  Comments may be submitted via email (PrivacyRegulations@doj.ca.gov), mail (Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013), or at the public hearings.

Please visit www.oag.ca.gov/privacy/ccpa for information about the DOJ’s CCPA rulemaking process, including the following newly added pdfs:  Tips on Submitting Effective Comments and Information about the Rulemaking Process.

PUBLIC HEARING DATES

Sacramento
December 2, 2019; 10:00 a.m.
CalEPA Building
Coastal Room, 2nd Floor
1001 I Street
Sacramento, CA 95814

Los Angeles
December 3, 2019; 10:00 a.m.
Ronald Reagan Building
Auditorium, 1st Floor
300 S. Spring Street
Los Angeles, CA 90013

San Francisco
December 4, 2019; 10:00 a.m.
Milton Marks Conference Center
Lower Level
455 Golden Gate Ave.
San Francisco, CA 94102

Fresno
December 5, 2019; 10:00 a.m.
Fresno Hugh Burns Building
Assembly Room #1036
2550 Mariposa Mall
Fresno, CA 93721

Posted in: , , ,
No comments
Business Processes Data Governance Privacy Records Retention Policy

7 Ways to Prepare Data in the Age of Privacy and Information Governance

By Rafael Moscatel, CIPM, CRM, IGP on

7 Ways To Prepare Data In The Age Of Privacy and Information Governance

7 Tips for Data Preparation in the Age of Information Governance

Content may still be king, but now the rights to some of it may belong to the people! In response to the EU’s General Data Protection Requirement (GDPR) and recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size but each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.

Notably, while many companies are already familiar with records retention laws, these latest controls also introduce a duty to destroy data once no longer required for a legitimate business purpose. For entities that have grown accustomed to leveraging cheap digital storage, this new responsibility presents a number of logistical hurdles.

However, directives on how you may use your customer’s data or any other information you store doesn’t necessarily have to be burdensome. In fact, these new guardrails present numerous opportunities to implement better governance, monetize the lifecycle of information assets and foster trustworthy relationships that can actually enhance the customer experience.

These 7 tips can help prepare your data to support an IG strategy:

  1. Automate Retention Schedules – Legal and compliance requirements are the cornerstones of corporate governance programs. Yet tracking the multitude of historical and emerging state, federal and international laws and regulations that affect your data decisions can be a monumental task that even the most robust law departments aren’t prepared for. Consider leveraging SaaS software to keep your Risk, Compliance and Legal staff current on the latest citation changes to these nuanced instructions. These tools empower you to defensibly destroy and cleanse costly data no longer useful to your organization.
  2. Cover Your Assets – Satisfying new compliance requirements like GDPR and CCPA means it’s not enough to simply know what kinds of records you keep, you need to know what systems they’re kept in and how that data flows between them. That’s why Chief Data Officers and Enterprise Architects are increasingly embracing asset management tools that not only perform diagnostics on their application stack but allow them to inventory their attributes and map related processes that inform long-term strategic roadmap planning. Tools like these also help support application rationalization projects which in turn aid in classification and disposal of unneeded data.
  3. Introduce Big Buckets – The biggest challenges with enforcing retention across an enterprise are “event triggers” that complicate how long sets of records must be retained. For example, an employee file might be held X years following a termination “event.” Big Bucket strategies allow you to simplify and group “like” records together to support more efficient destruction actions while assuming some risk. Work with your governance partners to determine reasonable standards for a Big Bucket policy and quantifying the acceptable amount of risk your company is willing to assume to achieve cost and efficiency benefits.
  4. Enforce Legal Holds – Cleansing your data lakes and silos to save costs and minimize risk is an exercise in defensible destruction but requires awareness of outstanding legal holds. A company that spoliates evidence subject to a legal hold, even without malice, can be fined and suffer adverse inference litigation rulings resulting in unfavorable judgments. Additionally, healthy oversight of records under a preservation hold doesn’t just make good legal sense, it can also help better identify opportunities for even more defensible destruction, cost reduction and risk mitigation.
  5. Activate File Analysis – The tricky thing about new laws like the CCPA is that they require companies to find and produce data for the consumer wherever it exists. That can be a cumbersome test for many entities that have hundreds or thousands of repositories. Luckily, advanced File Analysis tools can plug directly into your network and help quickly identify sensitive and personally identifiable information (PII). They can also help you deduplicate records and find redundant, obsolete and trivial data clogging your systems, also known as ROT. These tools produce a tangible ROI that management can point to as a prime example of why IG works.
  6. Embrace Content Migrations – Unless you’ve only lived in one home your entire life, you’ve probably experienced the cathartic process of cleansing your old wares in preparation for a move. Bringing in a new content management system is not much different and it’s a unique opportunity to apply retention to your data, discard ROT and provide employees with more accurate knowledge resources.
  7. Bake-in Best Practices – Information Governance is not a “one and done” proposition, it’s a rinse and repeat discipline that only works when management sees to it that organizational culture is along for the ride. These days a basic understanding about data handling is vital for every new hire. Concepts like records retention, data protection and privacy should be part of any overall corporate training plan.

By complementing policy frameworks and toolsets with the types of Information Governance approaches noted here we can better enable our workforce to hone their knowledge skills, achieve defensible destruction and improve audit outcomes. In effect, we are future proofing ourselves for a business world destined to face increased scrutiny and under siege from data breaches and privacy issues with seemingly no end in sight. IG is the bright light at the end of that tunnel.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

Originally published in Document Media Magazine, July 2019.

Posted in: , , ,
No comments
Business Processes Ethics Information Technology Privacy

Digital Bondage and the Fallacy Of Work-Life Integration

By Rafael Moscatel, CIPM, CRM, IGP on

Forget your elder’s sage advice on maintaining a good work-life balance. There’s a new patently absurd approach (promoted here by the time-strapped PhD’s at Berkeley Haas), and it’s spreading like wildfire throughout the business world. They call it… “Work-Life Integration!”

Digital Bondage

The term “Work-Life Integration” is so misleading because at this point we’re all enduring an increasing degree of overlap between our personal and professional lives. It may be sold to us as “convenience” but much of it is not exactly “optional.” This obsessive and all-in-one approach to time-management ends up usurping the little personal, spontaneous and family time we still have left.

It reminds me a little of Chris Rock’s famous bit on “Job v. Career.”

But not everybody is as fortunate as Chris and there’s a bigger impact to his lifestyle than he’s letting on in the above clip. And so “Work-Life Integration” also makes me think about Cecil DeMille’s classic The Ten Commandments and the famous scene where a worker is about to be trampled by a giant stone moved by “her colleagues.” Moses’ character, played by Charlton Heston, comes down from his managerial pedestal to save the poor soul, who later turns out is his own Mother! It’s a metaphor for how easily, often and unfairly, we as society, put work before family, friends and for believers, even God. And when it negatively impacts others it is arguably immoral.

I was most recently educated on this 24/7 mindset by an executive who boasted, “Say I’m on flight to Hawaii with my family for the weekend, and I’ve got to approve a purchase order for half-a-million. I can do it right here from my iPhone!” Well, that’s nice, but it highlights the disconnect between those who literally have the world at their fingertips and those who get interrupted with email from their boss on the weekends. The same technology fix that feeds the workaholic is now invading the space of almost everyone, not just the guy or gal with a “career.” It’s affecting their partner, their children, their social circle, people on the road. And in many cases it is invasive, counter-productive and unhealthy for the family and the self. Do we really want to live in digital bondage?

In many ways, this digital bondage is reminiscent of the days when men and women of all ages built the Pyramids until they dropped dead. Sure, the Pyramids still stand as a testament to architecture and ingenuity, but to many they will also always represent a chapter in history when there was seldom a break from work. Luckily today we have a choice.

We must stand firmly behind the importance of rest and personal space. Sure, working remotely through technology has given us flexibility. There’s no denying that. But half-baked ideas like “Work-Life Integration” have adversely impacted the very relationships and working-conditions they were meant to improve.

Some in the Jewish faith believe that one of the Ten Commandments, to observe a day of rest on the Sabbath, is a cornerstone of not just spiritual growth, but what ultimately may lead to success in other areas of one’s life. Most cultures share this important value but as it erodes across the globe and the lines between work and rest are blurred, we all suffer.

Stay off the devices this weekend as much as you can. Find true balance by freeing yourself from digital bondage.

Posted in:
2 comments
Business Processes Data Governance Information Governance Professional Development Records Management Records Retention Policy

Less is more, gaps are opportunities and relationships matter: A Case Study in Information Governance at #AIIM2018!

By Rafael Moscatel, CIPM, CRM, IGP on

AIIM 2018 is just around the corner and I’m thrilled to be presenting my Case Study at this great conference which takes place April 10-13th, in San Antonio! Hope you can join me and so many like-minded in San Antonio this year or later in May when I’ll also be speaking about a program which was recently honored by ARMA International with its Excellence for an Organization Award!  Here are a few slides from my session which will be held on April 12th at 5PM.

This slideshow requires JavaScript.

Posted in: , ,
No comments
Business Processes Ethics Information Governance Information Technology Records Management Records Retention Policy

The Paperless Office

By Rafael Moscatel, CIPM, CRM, IGP on

By Rafael Moscatel

The extent to which any organization can reduce its dependency on paper is largely determined by laws and the industry regulations it faces, the technology available to it and how well its leaders manage change, internally as well as for customers.

Here are some thoughts on how to begin solving the paper problem around your office:

Understand the affordances of paper  One of the most thorough examinations of the issue of paper and its role in our lives and workplaces came in 2002 when MIT press published The Myth of the Paperless Office.  The book’s findings make a case for the “affordances of paper” and stress that to reduce paper production and consumption we must understand the underlying habits and processes driving how our clients and colleagues work.

Attorneys for example often require a contextual or “case at a glance” perspective that a chronological or issue focused file offers… a “story telling” approach to presenting information which can’t always be matched even with the best software. Similarly, auditors or project managers will often work with and create aggregated records which serve a specific purpose for which imaging might be overkill or too costly. And contrary to popular belief, there still exist quite a few scenarios where it remains more affordable, practical and efficient to even store information in paper form. Conversion costs and risks required to maintain the digital lifecycle of infrequently referenced documents and avoid bitrot* can often exceed those associated with retaining the same materials in paper form.

Make the right policy changes with executive level support  Every Records or Information Governance policy initiative or project your business undertakes should have senior level executive support and reflect the best practices within your industry.

Here are some policy and procedural ideas to consider that can act as catalysts for change.

  • Get a Retention Policy / Schedule, implement it and regularly enforce it -A Retention Schedule (often in line with a data map) is the most effective tool for properly managing records and information and its necessity cannot be understated.  It not only protects an organization and keeps paper and electronic storage costs low, it gives executives a tool for understanding and navigating the massive network of silos and records their businesses create.
  • Institute an E-signature Policy for all contracts under a specified financial threshold
  • De-duplicate emails and all other electronic content repositories systematically
  • Identify where duplicates are created, determine why and what can be done to prevent them going forward
  • Take a “final draft and / or executed version” approach to your document lifecycle rules Continue reading “The Paperless Office”
Posted in:
No comments
Business Processes

The Myth of the Paperless Office – 12 Years Later

By Rafael Moscatel, CIPM, CRM, IGP on

It’s been 12 years since I first read Abigal J. Sellen and Richard H.R. Harper’s book, The Myth of the Paperless Office.  It remains one of my favorite no nonsense analysis into the subject.

This bold and insightful analysis by two Microsoft employees into the psychological and practical reasons why certain business processes continue to rely on paper remains relevant even a decade after its publication. The book is especially helpful for records and information governance consultants more intent on providing their clients with a true understanding of the nature of their processes than selling them software solutions driven by buzz phrases including “The Paperless Office.” Continue reading “The Myth of the Paperless Office – 12 Years Later”

No comments