Looking into the crystal ball


Looking into the crystal ball Ethical BoardroomBy Jason R. Baron – Of Counsel in the Information Governance and eDiscovery Group at Drinker Biddle & Reath LLP, Washington, D.C.



Predictions are notoriously bad at actually predicting the future. Dr Dionysius Lardner stated in 1830: “Rail travel at high speed is not possible because passengers, unable to breathe, would die of asphyxia.”

An 1876 internal memo from Western Union said: “This ‘telephone’ has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us.” James Watson, chairman of IBM, famously opined in 1943: “I think there is a world market for maybe five computers.” And who can forget a spokesman for Decca Records on declining to sign The Beatles in 1962: “We don’t like their sound and guitar music is on the way out.”

With that significant caveat in mind, here are three predictions (along with some honourable mentions) as to what will be deemed important to get right or at least pay increased attention to during the coming year, as a matter of corporate information governance (IG).

  1. General Data Protection Regulation (GDPR) compliance will drive greater attention and urgency to implementing IG solutions

This prediction is almost a ‘no-brainer’. The GDPR, with its effective date of 25 May 2018, will be a key driver of greater attention being paid to IG, given the looming prospect of ongoing audits and fines for noncompliance with key privacy-related provisions. Among its many provisions, the GDPR requires that corporations get a handle on knowing where ‘personal data’ resides in corporate networks and repositories, which in turn will mean documenting that some kind of data inventory has been undertaken to identify such data generally and especially a subcategory of ‘sensitive personal data’. The latter category consists of personal data revealing a person’s ethnic origin, political opinions, religious beliefs, trade union membership, data concerning health, sexual practices or orientation and genetic or biometric data. Heightened attention must be paid to putting in place protocols for employees in any enterprise consisting of a ‘data controller’ or ‘data processor,’ in order that everyone understands how to manage personal data in conformance with the GDPR and local law.

The discipline of information governance is fundamentally all about corporations obtaining better visibility and insight into their data stores, in order to be able to intelligently assess risks and material weaknesses in how data is being preserved, as well as to assess the true value of the data in the company’s possession and control. For several years, leading advocates of best practices in IG have been advocating the formation of an IG council, with an interdisciplinary composition of key C-suite executives, including a chief legal officer, chief information officer, chief financial officer, head of information security, head of human resources and other key staff involved in the processing of corporate data. The GDPR requires that a data protection officer (DPO) be appointed with the portfolio for ensuring compliance with GDPR and local standards. A key challenge for each enterprise will be integrating the work of a DPO with whatever existing IG structure has been set up to monitor corporate data policies, especially with respect to retention, privacy and security of data. Corporations will need to find the right balance in devoting resources to meet increased risk under the GDPR, lest they end up spending too much on storage and creating other bottlenecks out of an abundance of caution. Escalating newly arising issues to an IG council may help in achieving that balance and will take on special importance in 2018.

One perhaps overlooked aspect of GDPR compliance may mean a sea-change in the way corporations treat compliance with ‘tried and true’ records schedules. To date, most records schedules set out retention periods where the period effectively sets a minimum retention length for preserving records, without a great deal of attention being paid if records (especially in electronic form) are held for a longer time period. With the GDPR comes a spotlight on record retention time periods also operating as a ‘maximum’ in cases of personal data, where the enterprise may be subject to audits aimed at ferreting out whether such data continues to exist notwithstanding its eligibility for destruction or deletion.

  1. Cyber breaches will continue unabated: a wake-up call for IG oversight?

Almost just as certainly as the GDPR’s effective date, predictably the world will continue to see massive and not so massive data breaches at regular intervals through 2018. At the time of this writing, Yahoo and Equifax have been the latest corporate victims. Apart from the obvious measures that cyber experts recommend, increasingly boards of directors have been tasked with some measure of supervision and oversight with respect to what policies are being adopted by CEOs in anticipation that they will be the next hacking target. But is this enough?

As noted in this space earlier this year, in light of the almost-certain risk involved in experiencing a data breach, it is highly recommended that board members expand their cyber-mandate to ask fundamental questions about the nature of the legacy data that the enterprise holds in all of its varied network systems and platforms.[1] Asking the ‘why’ question – why the corporation is holding on to terabytes of legacy data in superseded applications and backup media – is the beginning of a strategy aimed at mitigating cyberthreat risks through data reduction. More generally, asking the question of how the enterprise categorises its information as to value v. risk should be useful in prioritising concrete IG-related activities. An IG council charged with delegating out the overseeing of data clean-up efforts should be working hand in hand with cybersecurity experts in asking these fundamental questions.

  1. The Internet of Things (IoT) will increasingly impact on
    corporate governance decisions

The IoT is transforming the data landscape and will continue to do so at an accelerating pace in 2018. According to one recent report, the proportion of IoT adopters ‘that have embraced IoT on a massive scale – more than 50,000 connected devices – has doubled since 2016.’[2] Gartner has estimated that 11.2 billion connected things will be in use worldwide in 2018 and will reach 20.4 billion by 2020.[3] This means the IG landscape must anticipate and deal with smart, connected devices streaming data into the enterprise from every imaginable corner of the globe and of every type: from consumer wearable biometric data, to data from smart objects in the home and automobiles (including driverless ones), as well as sensors covering energy and industrial grids.

Although the scale, volume and variation of these new types of streaming data will pose new challenges, the basic framework of information governance first principles applies in this new domain as well. An IG council with representatives from the C-suite should systematically inventory new forms of data being collected within the enterprise and develop policies on retention, privacy and security that reflect a new data environment beyond email and other forms of user-generated applications on social media.

  1. Other trends coming into focus in 2018

First, with each passing day it becomes clearer that artificial intelligence (AI) in the form of software and algorithms will increasingly predominate in non-traditional areas, including in providing informational insight and understanding of corporate data. Max Tegmark, in his recent book Life 3.0 (2017), includes an illustration of the ‘landscape of human competence’ where the rising sea level of AI now engulfs human activities such as chess, Jeopardy!, Go and driving, with speech recognition and translation next up, and art, cinematography, book writing, science, AI design and programming still on the hills ahead to be conquered. Tegmark asks the question: How long will it take until machines can out-compete us at all cognitive tasks? (Emphasis in original.) An emerging public discussion of the ethics of AI as used in the corporate enterprise has been spearheaded by the call by members of the EU Parliament to have the body ‘propose rules on robotics and artificial intelligence, in order to fully exploit their economic potential and to guarantee a standard level of safety and security’.[4]

“The discipline of information governance is fundamentally all about corporations obtaining better visibility and insight into their data stores, to be able to intelligently assess risks and material weaknesses in how data is being preserved”

Second, distributed ledger technology (commonly referred to as ‘blockchains’ in connection with Bitcoin and other crypto-currencies), holds out the promise in the near term of disrupting longstanding approved methods of recordkeeping, especially in the financial sector, but in many other private and public verticals as well. For example, in the US, the Securities and Exchange Commission, the Commodities Futures Trading Commission and the Federal Reserve all have published requests for comments and made other types of background papers available online. These collectively describe how distributed ledger technology aims to provide greater security through a new form of ‘trusted’ system of interlocking blocks of data, each of which has had its information encrypted and verified by a network of computers in such a way as to make the data virtually immutable to modification by bad actors.

Third, the various controversies that have arisen over the use by senior officials of ‘private email networks’ and other forms of apps as an ‘end-run’ around compliance with sanctioned official networks, are really just the tip of a ‘shadow IT’ iceberg that will become more apparent in 2018.[5] It will be imperative that as a matter of IG policy both the public and private sector pay greater attention to putting policies in place that are understood by all employees, not just senior officials, to set out where corporate data, including intellectual property, is to be stored. Without such policies, Cloud-based information assets will prove increasingly difficult to control, representing an increasing source of reputational risk.


About the Author:

Jason R. Baron is Of Counsel in the Information Governance and eDiscovery Group at Drinker Biddle & Reath, LLP, and serves as Co-Chair of The Information Governance Initiative. Jason is an author of scholarly research on the law of information retrieval, and is a frequent keynote speaker in international forums on the subject of the e-discovery and e-recordkeeping. In 2011 he was honored as the recipient of the international Emmett Leahy Award, for career contributions in records and information management.


1.See Jason R. Baron, Information Governance Oversight: Questions For Board Members To Ask At The Board, Ethical Boardroom (Jan 2017), http://ethicalboardroom.com/information-governance-oversight-questions-for-board-members-to-ask/.

2.See IoT Barometer 2017/18, http://vodafone.com/business/iot/iotbarometer.

3.Gartner Press Release (Feb. 7, 2017), http://www.gartner.com/newsroom/id/3598917.

4.EU Press Release (Feb. 16, 2017), http://www.europarl.europa.eu/news/en/press-room/20170210IPR61808/robots-and-artificial-intelligence-meps-call-for-eu-wide-liability-rules.

5.See Jason R. Baron & Amy R. Marcos, Beyond BYOD: What Lies In The Shadows, Ethical Boardroom (August 2015), http://ethicalboardroom.com/beyond-byod-what-lies-in-the-shadows/

Comments are closed.