United States: Why Data Cleanup Fails – Part Four: Culture

In this series of Insights, we delve into why data cleanup efforts so often fail, despite organizations' desire to get rid of data they no longer need.

This includes the very real, tangible and increasingly significant regulatory and legal drivers (e.g., fines) organizations face, and the wider, growing cultural assumptions among customers and employees that organizations are merely the stewards—rather than the owners—of their personal data.

What Are the Main Challenges Preventing Effective Data Cleanup?

Although every organization is distinct, the following five reasons most commonly prevent organizations from effectively implementing data cleanup:

At first, the order of this list may seem reversed—instinctively, technology might seem to be the main reason why cleaning up data doesn't happen, followed closely by culture and process. However, as this series has tried to make clear, when accountability and buy-in are taken care of, the other three fall into place and are much easier to tackle. If the first two are left unaddressed, as they typically are at most organizations, cleanup doesn't happen at all. With this perspective in mind, we will examine the fourth reason why data cleanup fails: culture.

How Culture Affects Data Cleanup Efforts

It's a sad fact that you can do everything right to clean up data, yet fail because you did not account for the ingrained biases of your key stakeholders, who often have a vested interest in the status quo—that is, keeping data forever. A motivated, accountable executive who enjoys wide buy-in with a strong process typically has a good chance of succeeding at data clean up, but not if the wider culture of the organization tends towards data retention business as usual.

If you find yourself at an organization that hews to the status quo of keeping data forever, it's important to dig deeper to get at some prevailing attitudes and assumptions behind the bias towards over-retention.

• Data belongs to the business – IT owns the technology that manages data, and compliance sets the rules of the road, but ultimately, the business gets to decide whether to retain or dispose of it.
• The more data we have, the more value we can get out of analytics – there's immense value locked in historical data that more than compensates for the risk it poses.
• Keeping data is less risky than disposing of it – having more data will allow us to better defend the organization from lawsuits, respond to regulatory requests and satisfy auditors.
• Data disposal at scale can't be done at our organization – our data is too complex and too varied to dispose of without detailed, manual review.

Educating Stakeholders on the Evolution of Data Retention is Key

When faced with one or more of the attitudes above, it's important to avoid adversarial approaches to change (e.g., "laying down the law" by playing the compliance card) and instead adopt a teaching mindset. It's crucial to educate stakeholders on why their bias towards over-retention, while understandable and even correct in the past, is no longer a viable approach to managing data risk. While the specific approach in any given case will depend on many factors, not the least of which are the personalities involved, here are some talking points to ground your attempts to educate stakeholders and help them evolve their thinking about data retention:

• Yes, the business owns its data from an operational perspective (they need it to do their jobs), but the risk posed by that data belongs to the wider organization  and is ultimately owned by an executive-level risk officer, such as the General Counsel or the Chief Compliance Officer. If the legal obligations to retain data are shorter than what business operations require, we can document them and make them part of our policies rather than one-off exceptions.

• How much value you can get out of data depends in large part on how mature your analytics capabilities are; however, done properly, effective data disposal doesn't preclude analytics—it enables it  by improving the relevance of data by getting rid of out-of-date, junk and duplicate data.

• Keeping data forever is not less risky, it simply poses a different kind of risk to the organization. Based on the important work done by The Sedona Conference over the last 10 years, the legal consensus among courts, regulators and outside counsel has evolved significantly. There is wide agreement among these three that the correct, legally defensible approach to data risk is to conduct the consistent, proactive disposal of data when the legal obligation to retain it is past.¹

• This is true for some data at every organization, but significant portions of data can be subjected to disposal based on "big bucket" rules that require little to no human intervention and can de-risk substantial volumes of data in a straightforward way, for example addressing data with no business value, data that is obviously stale or duplicate sensitive data.

The Long Game

The bad news is that cultural transformation is not a quick fix activity. It requires sustained, ongoing collaboration with your stakeholders to educate them not only on the risks of the status quo, but also on the benefits of proactive data disposal. It's a long game, but one that must be played if your data cleanup efforts are to be successful and sustainable. With buy-in from the key stakeholders, successfully changing the culture is a critical step to implementing the proper process.

Footnote

1. The Sedona Conference, Commentary on Information Governance, Second Edition, 20 SEDONA CONF. J. 95 (2019).

Originally published 30 April 2024

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.