Data Lifecycle Management and Information Governance A DOCULABS WHITE PAPER

How do you purge your data? Are your data

management practices in compliance with

recordkeeping conventions and with legal

standards? This white paper reports some surprising

findings about how organizations approach data

lifecycle management, discusses its impact on

information governance, and offers

recommendations for how to improve.

Survey Overview

Doculabs recently partnered with Executive Functions Management, Inc.

(EFM) to develop and issue a survey to the EFM membership, which is

made up of IT leaders at organizations of all sizes, from across all

industries. The goal of the survey was to investigate how firms are

governing the lifecycle and disposal of the data they generate.

The questions ranged from how IT leaders manage, pay for, and cost their

applications and storage, to what policies are in place for domains such

as information security and records management, to whether they

currently tier or purge data and whether they charge back to the business

for services.

We received 480 responses to the survey, with the respondents

representing 432 organizations across a wide range of industries and of

all sizes (see Figures 1 and 2).

Figure 1: Respondents by Industry

Figure 2: Respondents by Firm Size

Although there were many interesting points in the responses, in this

white paper we’re going to drill down into one issue in particular: how

firms reported that they purge (or don’t purge) data. Doculabs believes

that where firms stand on this issue has significant consequences for

their ability to adhere to core corporate compliance requirements and

also has a direct impact on a company’s legal and compliance risk

profile.

How a company purges its data has implications for

its ability to meet compliance requirements as well

as having an impact on the company’s risk profile.

Data Management Is a Compliance Issue

Among the questions we asked was how our respondents’ companies

purge data after it has passed its legal or operational life (see Figure 3).

Figure 3: How Do You Purge Data that Has Passed Its Legal or Operational Life?

At first glance, the response to this question seems to paint a fairly rosy

picture of how organizations are purging data: Fully 70 percent of

respondents reported that they purge in some way, with 25 percent

reporting that they don’t purge at all (5 percent were not sure whether

they do or not). For all the “keep everything forever,” “digital landfill”

doom and gloom we hear out there, this sounds pretty good.

That is, until you look at the nature of the purging that’s going on. Only

one-third of respondents reported doing regular purging, whether

automated (21 percent) or manual (12 percent). The rest reported

purging on an ad hoc basis, whether automated (10 percent) or manual

(26 percent).

Considered from the perspective of records management and

e-discovery, these percentages should give us pause. If a firm is purging on

anything other than a regular basis and according to published policies

and procedures, they’re not compliant—either with recordkeeping

conventions or with the ways judges have tended to interpret the Federal

Rules of Civil Procedure (FRCP) to apply to corporations. Ad hoc purging is

risky because the courts typically regard it as capricious in that it doesn’t

follow established policies and procedures that provide an audit trail.

Even if ad hoc purging doesn’t lead to spoliation in a given case, the point

is that it could have, because the organization didn’t have controls in

place to protect against it.

So what these numbers from our survey question suggest is that

two-thirds of respondents are not compliant with either recordkeeping

conventions or the FRCP—a very big number.

We decided to do a more detailed analysis of how the responses to this

particular question correlate to other questions in the survey, to see

whether we could infer anything about why firms approach purging data

the way they do, and what factors might contribute positively or negatively

to their ability to be compliant in how they manage their data.

Fully two-thirds of respondents to our survey reported

that their organizations are not purging data

regularly—and therefore are not in compliance with

good recordkeeping practices or with the FRCP.

Technology Usage

A potentially important factor in whether and how organizations purge is the technology capabilities

they have in place—i.e. do they have in place the tools that would facilitate regular purging of data?

For this survey, we asked participants about six categories of technology:

Enterprise Content Management (ECM)

Records Management (RM)

Data Archiving (Application Level)

Data Archiving (Across All Applications)

Structured Application Decommissioning

Unstructured Application Decommissioning

We then analyzed the data according to respondents’ reported approach to data purging, looking to

see the extent to which respondents in each group also made use of any of these technologies. For

ECM and RM, respondents in all categories reported high usage (see Figures 4 and 5), which

suggests that there isn’t a strong correlation between having these technology capabilities and

whether and how organizations purge.

Figure 4: ECM Technology Usage

But what’s worth remarking is that 67 percent of those who report that they don’t purge also report

that they use RM tools moderately to extensively. The main value of RM tools is to allow

organizations to retain documents and data for the time required by laws and regulations, and then

purge them after their legal and operational usefulness is past—so it’s hard to imagine what these

organizations are doing when they “use RM tools” if they’re not purging data, i.e. if they are in effect

keeping everything forever.

Figure 5: RM Technology Usage

For data archiving tools, we found more disparity in how firms were leveraging these capabilities. For

data archiving by application (i.e. within a single application), most firms are doing well, with 62

percent to 86 percent of firms reporting that they archive by application (see Figure 6). The outliers

were firms that reported that they don’t purge: Only 49 percent of them are archiving data by

application.

Figure 6: Data Archiving by Application

For data archiving across all applications, the picture is substantially the same, but at lower levels

across the board: 55 percent to 73 percent for most firms and 39 percent for firms that reported

that they didn’t purge (see Figure 7).

Figure 7: Data Archiving Across Applications

When we turn to application decommissioning, however, the discrepancy between those who don’t

purge and those who do becomes more pronounced (see Figures 8 and 9). For both structured and

unstructured application decommissioning, 78 percent and 71 percent respectively of those who

reported that their organizations don’t purge data also don’t leverage application decommissioning

tools.

But overall, the number of firms who report using structured application decommissioning tools is

low. Organizations that are purging using automated tools (whether ad hoc or regularly) reported the

highest use of structured application decommissioning tools (54 percent and 57 percent,

respectively).

Figure 8: Structured Application Decommissioning

View the Webcast http://bitly.com/1PSISTg

For unstructured application decommissioning, the glaring standouts are firms that purge on an ad

hoc basis using automated tools: 73 percent of them reported using unstructured application

decommissioning tools moderately or extensively, compared to a range of 29 percent to 58 percent

for the rest of the respondents.

Figure 9: Unstructured Application Decommissioning

Governance Maturity

Next we looked at what we could discern about the respondent firms’ maturity of governance

structures. After all, the technology capabilities we just discussed are hard pressed to deliver value if

the organization does not have the people/process controls in place to leverage those capabilities

adequately. We asked respondents to tell us how strongly they had governance in place around four

domains:

Records Management

Regulatory Compliance

Information Security/Privacy

Disaster Recovery/Business Continuity (DR/BC)

Let’s look at each of these in more detail.

Records Management

There was a significant correlation between those firms which reported having a moderate to strong

Records Management (RM) function and those who purge, whether ad hoc or on a regular basis (see

Figure 10). Not surprisingly, those firms who reported that they have no or weak RM were the same

firms which reported that they don’t purge data. After all, without clear guidance on what corporate

data needs to be kept and for how long, purging is difficult, if not impossible. And left to their own

devices without guidance from RM, IT will tend to keep everything forever to avoid the risk of either

deleting something the business needs or spoliation of data on legal hold.

Figure 10: Records Management Maturity

But if we look more closely at the firms that report having moderate to strong RM, 38 percent of

those firms also reported that they don’t purge data. As with the high number of firms that reported

having moderate to strong use of RM tools yet didn’t purge data, there’s a disconnect here between

the aims and goals of an RM program (retaining data for the amount of time required by the law and

then disposing of it) and on-the-ground practices (keeping everything forever).

The responses showed no correlation, however, between those who had moderate to strong RM and

regular versus ad hoc purging. It seems the kind of purging was less significant than the fact that they

purged.

Regulatory Compliance

The reported rates of moderate to strong regulatory compliance were high across all categories, no

matter how firms reported they purged data (see Figure 11). This isn’t surprising, given the

importance of regulatory compliance for firms of all sizes across industries. However, those who

reported purging using automated tools (whether regularly or ad hoc) reported 91 percent to 95

percent moderate or strong regulatory compliance, versus 71 percent to 85 percent for firms that

purged manually or didn’t purge at all. This seems to suggest at least a mild correlation between

moderate/strong regulatory compliance and automated purging—not surprising, because purging

corporate data requires policies and guidelines to provide the framework within which purging can

be executed defensibly.

Figure 11: Regulatory Compliance Maturity

Information Security and Privacy

Given the increasing scrutiny of information security and privacy in the aftermath of high-profile data

breaches at organizations such as Target, The Home Depot, Premera, Anthem, and CHS, it’s not

surprising that the reported levels of maturity for information security and privacy are as high as the

regulatory numbers we saw in the previous subsection. And, as with regulatory compliance, those

firms that reported they didn’t purge data had a higher incidence of no or weak information security

and privacy compliance than other firms: 29 percent versus 8 percent to 22 percent. Similar to the

discussion of regulatory compliance above, we believe the correlation likely has a similar basis: i.e.

good information security and privacy policies and controls in place (1) enable IT to purge data

without fear of “doing something wrong” and also (2) encourage IT to do so in order to comply with

corporate policies and standards.

Figure 12: Information Security and Privacy Compliance Maturity

Disaster Recovery and Business Continuity

Disaster recovery and business continuity (DR/BC) is a critical business capability; without it, an

organization is at risk for disruptions to operations from a range of potential threats: so-called acts of

God, terrorism, hardware and software failure, criminal activity, etc. So it’s not surprising that

respondents in general reported having high levels of DR/BC controls in place. Again, the outliers

were those firms that reported either that they didn’t purge or that they purged manually on an ad

hoc basis. These two categories reported that they had no or weak DR/BC in 41 percent and 47

percent of cases, respectively. Firms that regularly purge or that purge on an ad hoc basis but with

automated tools reported moderate to strong DR/BC in 71 percent to 85 percent of cases.

Figure 13: Disaster Recovery and Business Continuity Maturity

Potential Incentives to Purge Data

Getting buy-in to purge data that’s passed its legal or operational life

sometimes requires incentives. And the incentives that get the most

attention are the ones that have an impact on costs. Here, we look at two

areas of potential opportunity to incent business units to regularly purge

their data: chargeback models and data center models.

Chargeback Models

Chargeback refers to IT billing its internal corporate customers for the

products and services it provides on a granular, service-based model (e.g.

per gigabyte of storage, per user of an application, etc.). In addition to

chargeback, there are two other approaches to billing internal customers

for IT products and services:

Fixed fee: charging each business unit a percentage of total IT spend;

can be straight, i.e. divide IT spend by number of cost centers; or

variable, i.e. based on number of FTEs within each cost center

Percentage of budget: charging each business unit a percentage of

total IT spend, based on what percentage of total corporate spend

that unit’s divisional budget represents

Without getting into a detailed discussion of the pros and cons of IT

costing models, suffice it to say that, as incentives for data purging,

neither the fixed fee nor the percentage of budget model is effective at

encouraging business units to take ownership of data and purge it once

its legal and operational usefulness is done. This is because at most

organizations the cost of IT storage is tied to the total number of business

units, the total number of FTEs, or the total departmental spend, so

purging data and thereby reducing the volume of data IT manages for an

individual business unit doesn’t lower the money that particular business

unit spends on IT. In fact, it actually increases the unit cost per gigabyte:

For example, if a business unit has 10 TB of data and spends $10,000

per year with IT for it, when they purge half of it (and still pay $10,000 per

year), their unit cost has doubled; but if they double their volume of data,

their unit cost drops by 50 percent.

Despite the compelling reasons for using chargeback, very few firms

surveyed reported using either approach. Across all firms, the range was

16 percent to 32 percent. However, when we dig in to the results, we see

some significant differences. Those who do regular, automated purging

top this list of chargeback, at 32 percent. Those doing regular manual

purging placed second, with 22 percent reporting that they charge back.

The remaining firms reported levels of chargeback of less than 20

percent.

Figure 14: Chargeback Models in Use

Data Center Operational Model

Third-party hosting of a corporate data center can be a powerful incentive to purge data, because

many contracts for data center hosting include volume pricing—i.e. a price per gigabyte per month.

So if IT reduces the volume of content, its monthly costs go down—a direct line between purging and

operational costs.

However, the respondents to this survey overwhelmingly hosted their own data: a range of 61

percent to 74 percent host it mostly in house, with 17 percent to 24 percent reporting a hybrid

model. Those reporting mostly outsourced data centers fell between 8 percent and 15 percent.

Given this, it’s not possible to draw a correlation from the survey data about hosting and purging,

although intuitively we would assume that per gigabyte pricing would encourage purging.

Figure 15: Data Center Hosting

Conclusion and Recommendations

We believe the results of this survey provide the basis for some important

conclusions about managing corporate data.

Good governance is strongly correlated with regular data purging. Those

firms that reported that they didn’t purge data also reported that they

had weaker records management, information security and privacy,

and disaster recovery/business continuity functions.

Purging is strongly correlated with data hygiene in general. Those firms that

reported that they didn’t purge data also reported significantly lower

levels of storage tiering and application decommissioning, possibly as

a result of a pervasive culture of “corporate hoarding” or of an overall

lack of discipline in information lifecycle management.

Many organizations are not getting the value they should from records

management. A high percentage of firms that reported usage of RM

tools or moderate to strong RM functions (or both) also reported that

they didn’t purge data—a clear disconnect between the purpose and

value of RM and what these firms are actually realizing.

Application decommissioning is underutilized relative to its potential returns.

Applications are expensive (hardware, software, and FTE to maintain),

so the low number of firms overall reporting that they decommission

applications suggests that this is an area of opportunity for IT to

deliver value to the organization.

Given these conclusions, Doculabs recommends the following to firms

looking to improve how they manage structured applications and data:

Focus on information governance rather than technology. The survey results

indicated a much stronger correlation between good data hygiene

and good governance than between good data hygiene and

technology capabilities. Without clarity and structure around the

“rules of the road,” organizations will struggle to effectively manage

their data.

Incent good data hygiene with chargeback. If there isn’t a direct tie

between what a business unit pays for IT and how much data they

have (or worse, an inverse relation, as in fixed fee or percentage of

budget models), it’s going to be difficult to get them to agree to purge

their outdated data. It’s also difficult for IT to prove the value they add

to the organization in managing applications and data.

Pursue application decommissioning. Very few firms reported

decommissioning applications, so this is a significant opportunity

area that has not only big dollar savings, but a positive compliance

impact—i.e. less outdated data reduces the impact and severity of

data breaches and lowers the effort and cost of e-discovery.

About Doculabs

We are experts in social collaboration and content management. We help

our clients by delivering highly actionable and comprehensive strategic

plans and roadmaps, helping our clients achieve their business goals and

create competitive advantage. Our consulting services also help our

clients improve their records management and information governance

approaches to facilitate compliance, reduce risk, and reduce the cost of

e-discovery.

Founded in 1993, Doculabs has an established track record in helping its

clients bring content under control and improving the ways they

collaborate. Our engagements focus on guiding our clients with our

expertise, analysis, and in-depth market knowledge. And we’re

independent; we don’t sell software or implementation services, so our

clients can be sure that our recommendations are objective.

Our consultants are highly experienced, averaging more than 20 years of

relevant professional background and many years of working together as

part of the Doculabs team. We’re recognized thought leaders in the

industry, frequent speakers at industry events and webinars, and active

contributors to leading publications, social media sites, and organizations

such as AIIM.

Hundreds of Fortune 1000 organizations and agencies of state and local

government have turned to Doculabs for assistance with their information

management strategies. For more information about our services, visit

the web site at www.doculabs.com or call (312) 433-7793.

About EFM

Executive Function Management, Inc. (EFM) was created with a goal of

providing strategic-level events and peer networking groups for

technology leaders throughout the U.S. EFM offers events for technology

leaders that provide an opportunity for select leading-edge suppliers to

forge new relationships with IT professionals.

EFM’s IT Symposium Conferences are annual gatherings that allow CIOs

and their senior IT leaders to explore critical business, technology, and

leadership strategies and to build a stronger professional peer network

and attain real-world knowledge on business-changing technology and

management solutions. EFM IT Symposiums are currently held in 28

cities across the U.S.
