Six steps for creating a 'super data map'.

• Author: Diamond, Mark

Creating a "super data map" that not only captures metadata about where and in what media information resides, how it is used, and who owns and has access to it, but also integrates legal, compliance, privacy, and IT attributes along with a record retention schedule, can lower risks, reduce costs, and be easier to maintain than separate, single-purpose databases.

Do you know where your records actually live--in which systems and on what media? How about your privacy information? Do you know what content is where when you need to place a legal hold?

Multiple groups in an organization need to know what information lives where for a number of purposes. These groups, including legal, IT, and records and information management (RIM) professionals, often take disparate approaches to identifying and classifying the same information, multiplying the work and producing a variety of results.

Organizations that want to link retention schedules and policies to repositories have an even more difficult task. Extending a records retention schedule to capture other types of metadata, such as privacy and security fields or pointers to systems of records, quickly can become overwhelming and unmanageable. What's needed is a better approach. It's time to create a data map.

Defining 'Data Map'

A data map is a database that captures an inventory of what you have, where it is, and who is responsible for managing it. It can track record types, personal and confidential data classifications, documents and other types of paper and electronically stored information (ESI), and key metadata, such as how it's used, for what purposes, and who has access to it.

Data maps can track information across a variety of media, systems, and locations. Because information and data are continually created, deleted, and moved, an effective data map is dynamic and updated regularly. Maintaining it is a great challenge, but good map design can make it much easier.

Identifying Users

A number of business functions need to track the location of documents and data. These include the following:

Application and Infrastructure Management

IT groups need to catalog enterprise applications, repositories, and systems across the organization. Such information helps guide backup and archival strategies, disaster recovery plans, and capital spending.

RIM

RIM professionals need to know which records reside in which repositories, track systems of record, identify what records are convenience copies, and manage retention requirements. They also need to identify and defensibly dispose of expired, duplicative, and low-value data and documents.

Legal and Compliance

Litigators and investigators need to know the location of ESI and hardcopy content that may be relevant in a legal proceeding or investigation. This knowledge enables them to issue narrower legal holds, thereby reducing the costs of discovery and increasing defensibility.

Legal and compliance teams need to track trade secrets, intellectual property, and other kinds of private and confidential data. They also have to ensure that employees, customers, and other legitimate stakeholders have access to data, while unauthorized or non-legitimate users don't.

Auditors need to track financial and compliance information that is relevant to one or more specific regulations, including the Sarbanes-Oxley Act of 2002, the Foreign Corrupt Practices Act of 1977, and others.

Privacy

Privacy professionals have regulatory and statutory requirements to identify and track personally identifiable information (PII), protected health information (PHI), and other privacy data. This may also include privacy data flows.

While the needs for mapping vary across functions, the mapping process is very similar. Creating a single, "super" data map that combines records, privacy, discovery, and other drivers and serves multiple masters is easier, more efficient, and costs less than building and maintaining multiple maps.

Defining 'Super' Data Map

As shown in Figure 1, a super data map identifies the repositories, applications, and storage locations where information can...