Defensible Data Disposal

October 1, 2012
Pharmaceutical Executive, Pharmaceutical Executive-10-01-2012, Volume 0, Issue 0

With the costs of data storage poised to increase, pharmaceutical companies need to break their pack rat mentality with respect to data, writes Lorrie Luellig.

For pharmaceutical companies, the strategic importance of effective information governance has never been greater. Processes related to research and development, clinical trials, pharmacovigilance, drug registration, and the pharma supply chain face increasingly complex information management regulations. Changes to IP laws relating to patents and "first to file" make it imperative that companies identify and properly retain all critical patent information. Pharma companies operating globally, whether in manufacturing, R&D, or marketing, must continually adapt to the diverse and evolving legal and regulatory environments around the world. All this at a time when pharma companies face exploding amounts of data and ever-increasing data storage costs.

Lorrie Luellig

This column will explore how a cross-functional "defensible disposal" program can help companies satisfy their legal and regulatory requirements around the world while also controlling costs and meeting other research and business objectives.

Saving everything doesn't work

According to McKinsey & Company, 90 percent of data in the world today was created over the last two years. For pharma companies already burdened by the cost and complexity of the vast amounts of research data they generate, this new onslaught of information in the form of social media, RFD tagging, electronic lab notebooks, raw data, and more is far outpacing the ability to effectively collect, analyze, store, produce, archive, and delete it. As a result, many companies opt to save everything.

Pharma companies may believe there is ample justification for saving all data. Scientists may believe that by definition all research data has business value and is critical to regulatory compliance. Legal and compliance officers may believe that the safest response to the complex requirements of the FDA, FTC, SEC, IRS, and health authorities around the world is to save everything. And business users and executives may believe that saving everything is a thrifty way to keep a permanent record of business activities while also reducing risk.

Unfortunately, none of this is true. A huge portion of stored research data is redundant. Storing it all makes it harder for scientists to find the data they need when they need it, and makes it more difficult to extract new results from old data. In addition, positioning a company for an effective response to an e-discovery request, as well as new regulations related to privacy (e.g., HIPPA in the United States and the European Directive on Protection of Personal Data in the European Union) require companies to delete some data. Companies must realize that the supposed safe harbor of "saving everything" can actually put them in legal jeopardy and at risk of regulatory violations and penalties.

Storing data isn't cheap

A key justification of saving everything is the misconception that storage is relatively cheap and that constantly investing in new storage infrastructure won't impact the bottom line. But the McKinsey & Company research showing an overall data growth rate of 40 percent means that companies that stored 15 petabytes of data in 2011 will need to find space for some 39 petabytes by the end of 2014. Even with a 20 percent decline in storage unit costs, the per petabyte cost of tier one storage for most large companies will likely swell to between $1.5 million and $5 million, consuming close to 20 percent of the typical IT budget.

But deleting the right data isn't easy

Clearly, data that has no legal, regulatory, research, or business value should be deleted. But who is in a position to delete it? Only IT has the power to perform the physical disposal of electronic information, but on its own, IT has no way to determine what is of value. In fact, even in a relatively small pharma company, IT may need to know which of 100 legal holds and 300 record categories apply to which of 10,000 people working in which of 2,000 departments whose data is located in which of 1,000 servers or apps. That's a billion possible choices with no mechanism for making good ones.

But how can scientists and business users determine what is of legal or regulatory value? How can legal determine what is of scientific or business value? And even if these determinations can be made, how can they be communicated to IT?

Defensible disposal

The answer is a cross-functional information lifecycle governance (ILG) program that uses a joint-stakeholder model to establish new lines of communication and new processes between the legal, records, research, business, and IT functions in order to facilitate the regular and automatic defensible disposal of data that has no legal, regulatory, research, or business value.

The Compliance, Governance, and Oversight Council, a community of thought leaders on ILG and defensible disposal, recently published the "Information Lifecycle Governance Leader Reference Guide," a detailed exploration of the justifications, strategies, and processes critical to creating an ILG program. Among the key findings in the reference guide are the following defensible disposal best practices.

Start with the right people. No cross-functional effort in a large organization can succeed without broad and deep support from executives and managers. Establish an executive committee that includes, at a minimum, the CIO, CFO, general counsel, and privacy officer. Develop a senior advisory group composed of line-of-business leaders to provide the necessary staff and support. A program office also needs to be staffed to drive and measure progress toward goals and to direct the efforts of a working group that develops the specific processes.

Create a framework for unifying processes. Develop a strategy for unifying the disparate and siloed processes and practices in legal, records, research, business, and IT. The information governance reference model, developed by EDRM (edrm.net), provides a framework for defining a unified governance approach to information and underscores the importance of linking information duties and value to the data assets that IT stores and manages. This linkage is critical to ensuring availability of valuable information, reducing risk, and enabling disposal of unnecessary information. The reference guide also provides a maturity model for the 16 specific processes required to lower cost and risk and institutionalize defensible disposal, value-based archiving and retention, and rigorous e-discovery.

Translate strategy into tactics and goals into results. Establish clear connections between business objectives, the processes and actions required to achieve them, the capacity to execute those actions, and the measurement needed for accountability. The need for clarity cannot be overstated. Without clear business goals, processes, and metrics, it is impossible to evaluate whether the organization has put in place the capacity and capability of executing the required processes.

Implement the right technology. Maintaining a defensible disposal program requires the right technology and tools to automate legal holds, retention of records, de-duplication, and the proper tiering and disposing of data that no longer has value. Storage virtualization should automate the freeing up of the capacity made possible by routine disposal. And there must also be a shared data source catalog across all the stakeholder organizations.

Measure success. Insist on constant and consistent measurement and reporting. Use the defensible disposal program's cost and risk reduction goals and timeline to create executive dashboards and management reports, but don't measure performance without also measuring the operational capacity. Ongoing capacity planning and monitoring are critical to avoiding the possibility that resource issues will undermine results, a very real possibility in cross-functional projects.

Audit the program. Once you have institutionalized defensible disposal in your organization, internal audit should report on process failures, help identify failure causes, and ensure organizational accountability for fixing any issues. The criteria used for auditing should be designed into the program from the start.

Moving forward

Defensible disposal can create tremendous value for pharmaceutical companies by substantially improving information economics and aligning information stakeholders across legal, records, research, business, and IT to lower systemic risks. By driving cross-functional change from disparate, siloed practices to a joint-stakeholder model, a defensible disposal program can drive cost and risk out of business operations and lead to greater financial performance.

Lorrie Luellig is Of Counsel at Ryley Carlock & Applewhite, PC Information Governance (RCA-IG) and a Faculty Member at the Compliance, Governance and Oversight Counsel (CGOC). She can be reached at lorrie@luelliglegal.com.

Related Content:

Legal