
As a Privacy/Compliance Officer, How Can I Ensure Regulatory Compliance with My Company’s Content Systems?

By Gene Stakhov posted Thu July 07, 2022 12:20 PM

It's 2022, and I've got news for you…

Being a corporate compliance officer is no easy job. Reducing risk exposure in most organizations (including my own) amounts to keeping a step ahead of an ever-growing tumult of regulations, audit demands and legal exigencies. And all this must happen while the systems of content and engagement continue to evolve and produce staggering amounts of information – and potential liability.

Regulatory Compliance

The complex patchwork of the current regulatory climate is enough to drive anyone mad. Or at the very least, scurrying to look for solutions. Unlike our friends across the pond, governed by a single overarching information protection framework, here in the U.S. we don't have that "luxury". Even though our domestic data custodians might be beholden to the General Data Protection Regulation (GDPR) due to its extraterritorial nature, we have our own orchestra pit, in the form of state-specific (e.g., CCPA, SHIELD), industry-driven (e.g., HIPAA, FINRA) and even medium-specific regulatory requirements.

Often the rules even seem contradictory. For example, tax laws (and in many cases, the business itself) will say "preserve", while the privacy regs say "forget". How do you make sense of it all? And how do you even begin to convey your strategic compliance requirements to the gatekeepers of your affected systems?

Litigation & eDiscovery

This statement will probably not come as a big shock to you, but the fact is that we live in a highly litigious society. An economist writing a piece for The New York Times estimated that Americans spend roughly $1,000 per person each year on tort-related litigation. At 2.2% of our GDP, it's a massive number, and far higher than in most other nations.

Increasingly, electronic and other information-based evidence proves to be a major factor in determining the outcome of legal matters. Not only is there a legal duty to preserve evidence that might be relevant to a threatened or pending lawsuit, but the (potential) litigant needs to account for a dynamic variety of sources: database records (i.e., "structured" data), email and electronic documents ("semi-structured" and "unstructured"), newer external integration points like mobile devices and apps, and - who can forget, on top (or at the bottom) of it all - good old paper. And obviously, all this material needs to be findable if it's going to be of use, or at least not result in a spoliation sanction. Legal hold orders typically require searching for specific metadata across systems.

E-discovery (often referred to as eDisco) has become quite the vibrant industry in recent years. Legal observers credit the watershed Zubulake vs. Warburg decision back in the early 2000s with giving rise to the prominence of electronic information in litigation proceedings, but with preceding and subsequent revisions to the Federal Rules of Civil Procedure, the march toward eDisco was destined to happen sooner or later in the post-Enron, technology-stacked world.

The bottom line here is, you had better have adequate visibility, custody, and protection (legal hold) of your organization's information in the likely case of litigation.

Internal Factors

Internal corporate compliance processes are reluctant to take the back seat on this fun trip. In fact, as information systems grow more complex and interoperable, the demands for accountability from areas like Human Resources, Finance, and Legal evolve as well.

And storage needs arising out of "big data" aspirations toward enhanced analytics, knowledge management and business intelligence add to the overall complexity of achieving the Zen state of a clearly guided information philosophy. What do you ultimately do with the information in that data warehouse once mining is done? Is it ever really done? What if you're a medical facility, or a regulated utility? How do you balance that with the other requirements that need to be satisfied? There are a lot of questions...

Enterprise Content Management (ECM)

One area in your organization that at least has the potential to offer up some answers is enterprise content management (ECM). Your content storage repository plays a critical role in the regulatory compliance landscape, and as a privacy/compliance officer, you need to help the business establish watertight processes to delete documents that must be deleted, and to keep documents that must be kept. And these processes must be auditable, in the event of an inquiry from a regulatory agency or internal audit.

If your company uses IBM's FileNet as its core content services platform, you probably know it's a very "techie" world. There's a lot going on there that's outside your purview. So how can you relate your requirements in a direct, meaningful, and actionable way to the tech overlords, so that they can implement what needs to be done on the IT side? You don't need (or want!) to be wading into technology, believe me. You want to leave the tech stuff to the pros. That being said, you'd probably like to have an easy way to gauge your state of risk: a dashboard with insights into risk-laden content, scheduled reports, and a data model that makes translating your requirements into their tactics a reasonable ask.

There Are Options!

The good news when it comes to FileNet is that there are options for enabling lifecycle retention management – a critical component of any corporate compliance strategy.

Perhaps the most obvious and first-line candidate for this role is IBM's own Enterprise Records (IER). IER is a FileNet platform add-on that gives you a full suite of records management, reporting and enhanced audit functionality. When it comes to destroying documents and metadata, auditors (and judges, for that matter) want to see disposition processes that are repeatable and consistent. You can configure scheduled sweeps that go out and look for expired content, and you can route the resulting work items to specific resources or entire teams for approval. IER installs as its own managed database (an object store, in FileNet parlance), features full file plan capabilities for physical or electronic records, and even supports multiple data models (e.g., DoD 5015.2) and vital records.

If you’re not quite ready yet for the relatively heavy lift of something like IER, enChoice’s Content Lifecycle Management (CLM) for IBM FileNet P8 provides automated protection and destruction of regulated and non-regulated content in the FileNet P8 repository at the lowest possible resource requirement and cost, thus touting “Predictable Cost of Ownership”. CLM complements the basic retention functionality of FileNet P8. Its embedded dashboard and reporting capabilities provide a configurable overview of all documents to be deleted and their retention settings. Retention periods can be assigned based on events, e.g., for contracts or invoices. Documents and even folders are deleted in a controlled and secure manner, in adherence to compliance guidelines, either manually or in automated batches. All deletions and modifications are logged for auditing purposes.
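The disposition cycle the two paragraphs above describe (a scheduled sweep that finds expired content, retention periods that start from a business event, a legal hold that blocks deletion, routing of candidates to an approver, and an audit record of every decision and deletion) can be modelled in a few dozen lines. The Python below is an added illustration of that logic, not IER, CLM or FileNet code; the document classes, metadata field names, retention periods, approver name and the five sample records are constructed for the example. It also shows the two cases a sweep must get right rather than merely "delete what is old": a document whose triggering event has not happened yet keeps its clock stopped, and a document whose retention has expired but which sits under legal hold is reported, not deleted.

```python
"""Event-based retention sweep with legal-hold protection and an audit trail.

Added illustration (not IER, CLM or FileNet code): models the disposition
logic described in the text on a handful of constructed document records.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    doc_class: str   # document class the rule applies to (hypothetical names)
    years: int       # retention period counted from the trigger event
    trigger: str     # metadata field holding the event date that starts the clock


@dataclass
class Document:
    doc_id: str
    doc_class: str
    metadata: Dict[str, date]
    on_legal_hold: bool = False   # a hold always wins over an expired retention period


@dataclass(frozen=True)
class AuditEvent:
    when: date
    doc_id: str
    action: str
    detail: str


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(doc: Document, rule: RetentionRule) -> Optional[date]:
    """Date the document becomes disposable, or None while the trigger event has not happened."""
    event = doc.metadata.get(rule.trigger)
    return add_years(event, rule.years) if event else None


def sweep(docs: List[Document], rules: List[RetentionRule], today: date,
          audit: List[AuditEvent]) -> Dict[str, List[str]]:
    """One scheduled sweep: sort every document into eligible / held / retained and log decisions."""
    by_class = {r.doc_class: r for r in rules}
    result: Dict[str, List[str]] = {"eligible": [], "held": [], "retained": []}
    for doc in docs:
        rule = by_class.get(doc.doc_class)
        if rule is None:
            # No rule means no authority to delete: keep the document and flag the gap.
            result["retained"].append(doc.doc_id)
            audit.append(AuditEvent(today, doc.doc_id, "retained",
                                    "no retention rule for class " + doc.doc_class))
            continue
        due = disposal_date(doc, rule)
        if due is None or due > today:
            result["retained"].append(doc.doc_id)      # clock not started, or not yet expired
            continue
        if doc.on_legal_hold:
            result["held"].append(doc.doc_id)
            audit.append(AuditEvent(today, doc.doc_id, "disposal_blocked",
                                    f"expired {due} but on legal hold"))
            continue
        result["eligible"].append(doc.doc_id)         # goes to an approver, not straight to deletion
        audit.append(AuditEvent(today, doc.doc_id, "disposal_proposed",
                                f"{rule.years}y from {rule.trigger}, expired {due}"))
    return result


def dispose(store: Dict[str, Document], doc_ids: List[str], approver: str,
            today: date, audit: List[AuditEvent]) -> List[str]:
    """Delete approved documents from the store; each deletion is logged with its approver."""
    deleted = []
    for doc_id in doc_ids:
        if store.pop(doc_id, None) is not None:
            deleted.append(doc_id)
            audit.append(AuditEvent(today, doc_id, "disposed", "approved by " + approver))
    return deleted


# Constructed rules and records for the demonstration.
RULES = [
    RetentionRule("contract", 7, "contract_end"),
    RetentionRule("invoice", 10, "invoice_date"),
]

SAMPLE_DOCS = [
    Document("C-1", "contract", {"contract_end": date(2015, 6, 30)}),
    Document("C-2", "contract", {"contract_end": date(2016, 1, 15)}),
    Document("C-3", "contract", {}),                                   # still in force: no end date yet
    Document("I-1", "invoice", {"invoice_date": date(2012, 2, 29)}, on_legal_hold=True),
    Document("M-1", "memo", {"created": date(2005, 3, 1)}),            # no rule exists for memos
]


def run_demo(today: date = date(2022, 7, 7)):
    """Run one sweep plus the approved disposals; returns (sweep result, deleted ids, remaining ids, audit)."""
    audit: List[AuditEvent] = []
    store = {d.doc_id: d for d in SAMPLE_DOCS}
    found = sweep(list(store.values()), RULES, today, audit)
    deleted = dispose(store, found["eligible"], "records-team", today, audit)
    return found, deleted, sorted(store), audit


if __name__ == "__main__":
    found, deleted, remaining, audit = run_demo()
    print("sweep:", found)
    print("deleted:", deleted, "remaining:", remaining)
    for ev in audit:
        print(ev.when, ev.doc_id, ev.action, ev.detail)
```

On the sample data the sweep proposes only C-1 for disposal; I-1 has expired but is reported as held, C-3 has no end date so its clock never started, and M-1 is kept and logged because no rule covers its class. Every outcome that changes or withholds a deletion lands in the audit list, which is the trail an auditor or an internal reviewer would ask to see.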