In this first edition in our "Why Data Cleanup Fails" insight series, we delve into why data cleanup efforts so often fail, despite organizations' desire to get rid of data they no longer need. This includes the very real, tangible and increasingly significant regulatory and legal drivers (e.g., fines) organizations face, and the wider, growing cultural assumptions among customers and employees that organizations are merely the stewards—rather than the owners—of their personal data.

What Are the Main Challenges Preventing Effective Data Cleanup?

Although every organization is distinct, the following five reasons most commonly prevent organizations from effectively implementing data cleanup:


The order of this list may at first seem reversed: instinctively, technology might seem to be the main reason why data cleanup doesn't happen, followed closely by culture and process. But, as this series will make clear, when accountability and buy-in are taken care of, the other three fall into place and are much easier to tackle. If the first two are left unaddressed, as they typically are at most organizations, data cleanup doesn't happen at all.

With this perspective in mind, we will examine the first of the reasons why data cleanup fails: accountability.

Accountability vs. Responsibility

Accountability is a term that's often confused with responsibility; however, there are important differences between them. Accountability falls on the person (sometimes more than one person or even an entire function or department) who is "on the hook" for what needs to be done. If it doesn't happen, they'll be called to account, but they're not the ones tasked with doing what needs to be done. In contrast, responsibility falls on the folks who must do what needs to be done but are not ultimately "on the hook" for its happening, i.e., there aren't repercussions when it doesn't. As a general example: the CEO of a company is accountable for the firm's financial performance, but they aren't the ones ultimately responsible for all the activities that lead to that financial performance. While some line-level employees may be let go when the firm struggles financially, in the end, the CEO of an underperforming firm is held accountable and can lose their job over it.

Organizational Accountability vs. Real-World Accountability

Beyond the fundamental confusion of accountability and responsibility, organizations compound the problem by ignoring the importance of real-world, as opposed to organizationally assigned, accountability. Most professionals are likely acquainted with organizationally assigned accountability, typically expressed as the Three Line Compliance Model.

  1. First Line: Compliance functions such as records management or privacy. They are considered both accountable and responsible only for defining the policies and procedures required to comply with legal and regulatory obligations, i.e., they establish the guardrails and nothing more.
  2. Second Line: Information technology (IT) resources accountable and responsible for delivering technology to enable employees to work in accordance with the policies and procedures defined by the First Line.
  3. Third Line: All employees are both accountable and responsible for doing business in accordance with the policies and procedures defined by the First Line.

How Does Accountability Help Organizations Improve Their Data Cleanup and Management?

While this model makes sense on paper, it often fails in practice because of a disconnect between who the organization considers accountable for compliance (the Third Line) and who the real world considers accountable (the First Line). When an organization experiences a data breach of over-retained sensitive data for thousands or millions of customers, the Third Line isn't typically called up to defend the organization with regulators—the First Line is. The party with real-world, actual accountability for compliance is nearly always one or more executive-level risk officers, such as the general counsel, chief privacy officer or the chief information security officer.

Therefore, when an organization assigns responsibility for data cleanup differently than the real world does, e.g., considering end users accountable for data cleanup, it typically doesn't happen. This is chiefly because these end users know that they have no real-world accountability for data cleanup: if it doesn't happen, they won't be the ones answering to external parties, someone else will.

For data cleanup to have a chance of happening, then, the people who have real-world accountability for it need to:

  1. own this accountability,
  2. communicate this accountability clearly to the organization and
  3. drive those responsible for execution (the Second Line and Third Line) to do their job in this respect.

If they oversee their organization's data cleanup efforts proactively, they could save the organization from the potentially high cost of being in the regulatory spotlight.

An Accountability Framework for Data Cleanup


Once an organization gets the executives to accept accountability for data cleanup, it's time to consider the resources who will lead the teams that will not only need to accept their responsibility for data cleanup but actually do it.


Stay Tuned

In our next Insight, we'll dive deep into getting buy-in for accepting responsibility for data cleanup—a key step in implementing effective, scalable data cleanup.

Originally published by 23 January, 2024
