Lorrie Luellig

This column will explore how a cross-functional "defensible disposal" program can help companies satisfy their legal and regulatory requirements around the world while also controlling costs and meeting other research and business objectives.

Saving everything doesn't work

Pharma companies may believe there is ample justification for saving all data. Scientists may believe that by definition all research data has business value and is critical to regulatory compliance. Legal and compliance officers may believe that the safest response to the complex requirements of the FDA, FTC, SEC, IRS, and health authorities around the world is to save everything. And business users and executives may believe that saving everything is a thrifty way to keep a permanent record of business activities while also reducing risk.

Unfortunately, none of this is true. A huge portion of stored research data is redundant. Storing it all makes it harder for scientists to find the data they need when they need it, and makes it more difficult to extract new results from old data. In addition, positioning a company for an effective response to an e-discovery request, as well as new regulations related to privacy (e.g., HIPPA in the United States and the European Directive on Protection of Personal Data in the European Union) require companies to delete some data. Companies must realize that the supposed safe harbor of "saving everything" can actually put them in legal jeopardy and at risk of regulatory violations and penalties.

Storing data isn't cheap

A key justification of saving everything is the misconception that storage is relatively cheap and that constantly investing in new storage infrastructure won't impact the bottom line. But the McKinsey & Company research showing an overall data growth rate of 40 percent means that companies that stored 15 petabytes of data in 2011 will need to find space for some 39 petabytes by the end of 2014. Even with a 20 percent decline in storage unit costs, the per petabyte cost of tier one storage for most large companies will likely swell to between $1.5 million and $5 million, consuming close to 20 percent of the typical IT budget.

But deleting the right data isn't easy

Clearly, data that has no legal, regulatory, research, or business value should be deleted. But who is in a position to delete it? Only IT has the power to perform the physical disposal of electronic information, but on its own, IT has no way to determine what is of value. In fact, even in a relatively small pharma company, IT may need to know which of 100 legal holds and 300 record categories apply to which of 10,000 people working in which of 2,000 departments whose data is located in which of 1,000 servers or apps. That's a billion possible choices with no mechanism for making good ones.

But how can scientists and business users determine what is of legal or regulatory value? How can legal determine what is of scientific or business value? And even if these determinations can be made, how can they be communicated to IT?