For many information professionals, outsourcing, cloud sourcing, and distributed information systems have greatly complicated their ability to construct and manage corporate compliance programs. These business models embrace data mobility, velocity, and dissemination (data created, distributed to, and stored in, more locations), variables which are in direct conflict with the control methods, process documentation, and management models which are the pillars of good compliance.
With increasing frequency, I am asked how companies build their compliance around data-intensive rules and regulations, such as privacy and data protection, when the mobility, velocity, and dissemination of data continue to accelerate. The conflicts are translating into obstacles to potential efficiencies in business—in many cases, companies elect to ignore those conflicts, forging ahead and abandoning the assurance that compliance can be maintained.
This post introduces a design strategy that is rapidly maturing—and is a foundation stone for rules-based design and information governance. It explains what I am trying to achieve in creating RitterMaps and working with information mapping to integrate legal compliance fully into IT design and management.
The problem is relatively simple to explain: long before the Internet, governance established itself as something that occurs within defined geographic boundaries. The authority of a government was limited to the boundaries of its jurisdiction. One immediately thinks of the sheriff posse in hot pursuit that stops at the edge of the river, having reached the state border, having no authority to continue the chase.
As corporate compliance developed as a business value and process, compliance has adopted the same notion of geographic boundary. Compliance begins by asking what assets (people, property, technology, data) are present in identified locations, and then asking, based on that presence, what rules exist for which compliance programs should be developed. Similarly, if a jurisdiction did not have identified rules, companies have previously designed, and continue to design, their operations to take advantage of operating in a low-regulation environment.
When new locations are evaluated for expansion, or acquisitions are considered, compliance (and the related cost of compliance) is a routine required element in the analysis. The same business process proved useful in the first decades of outsourcing (before on-demand, cloud-based sourcing). Based on location, companies calculated how the outsourcing affected compliance. In all of these situations, the one variable that was viewed as stable was geographic location.
Trial lawyers use the same analytical process: the first questions asked, for any case, are “Where is the court located? What are the rules? Are there alternative forums that offer better rules?” For them, once the venue is identified, the rules (and the obligation of the lawyer to work within those rules) are known and relatively stable.
All of these analytical models struggle to sustain themselves as current (and future) generations of technology gain momentum. Essentially, the digital information assets are acquiring a liquidity that defies compliance tied to specific locations, personnel, or devices. As the business case for increased liquidity (through cloud-based sourcing and distributed storage) increases, the compliance effectiveness is proportionately compromised.
In negotiating agreements for cloud services, companies confront the data liquidity issue directly, particularly as lawyers struggle to achieve a result that assures the compliance function that the mobility of the data across a vendor’s cloud facility will not jeopardize the data protection and privacy controls. A common strategy, often unsuccessful, is to limit the cloud provider’s flexibility so the contracted services will be performed only in identified locations.
What, then, is a solution that works? The answer is not to abandon the importance of the geographic variable, but embrace it differently. We are not going to change the mobility, velocity, or dissemination of data—but we can change how we view building and administering compliance. The strategy ultimately enables any business to achieve even higher scores of mobility, velocity, and dissemination (all of which contribute to business efficiency, agility and operating profitability), with more efficient and lower-cost compliance.
The key is to presume that data will always be mobile. But, however much the data moves, the data will always be some “where”—the data will be present in a physical location, stored in a device that has some known geographic location. Just as we have done since the day of horse-galloping posses, geography matters. The difference is that we must build an inventory of the rules for all possible locations and then, and only then, build suitable compliance processes that work across the locations which are acceptable.
In other words, do not let the location of a corporation’s offices, manufacturing facilities, or data processing centers drive the analysis. Instead, assume the mobility of the data and design compliance to enable that mobility to be maximized to your business benefit.
In pursuit of this concept, some companies have been building “compliance maps”. Most often, the work product is not a map at all but a detailed legal inventory of the applicable rules. But technology now exists to organize and present the compliance inventory differently—using maps themselves.
Mapping software used for geographic maps includes the ability to show layers of information—these are called “rasters”. Layers can show different types of information—by using color codes for the pixels of a certain location, one can view the elevation, terrain quality, land use, water density, etc.
In many respects, when we are trying to build an inventory of the rules applicable to data in a specified location, we are also constructing compliance “rasters”: international rules (such as conventions), national rules (laws and regulations), sub-national rules (state and provincial laws and regulations), local rules, etc. In effect, we are identifying the rules by the boundaries of the locations to which the rules apply and stacking them up to determine the overall inventory that applies at any location.
The data employed to inform a raster sits in a separate database. It is within reach to build databases that can be layered and then visually portrayed. But, in doing so, we are also building a complete inventory of the rules, and delineating, based on the triggers which make a rule applicable, when those rules require compliance.
In building and expanding this type of inventory, which uses location to evaluate the rules that apply to mobile data, we are putting in place an infrastructure component that allows faster evaluations of compliance requirements and, in turn, better and improved negotiations among customers and suppliers. There are challenges to doing so, but the ability to truly map the law into structures that can be integrated into IT governance and compliance offers far greater business agility.
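To make the layering concrete, here is an added toy model (not RitterMaps or any product's code) of a compliance raster: each jurisdiction is a boundary polygon at a given layer level carrying rules with applicability triggers, and the inventory for a data location is obtained by stacking every layer that contains that point. All boundaries, rule names, and data attributes are constructed placeholders, not real law.

```python
"""Toy 'compliance raster': jurisdictions are polygons with a layer level and
rules; stacking the layers containing a data location yields the inventory
that applies there. Boundaries and rule names are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Point = Tuple[float, float]  # (x, y) in arbitrary map units

@dataclass
class Rule:
    name: str
    trigger: Callable[[Dict[str, object]], bool]  # when the rule is engaged

@dataclass
class Jurisdiction:
    name: str
    level: int              # 0 international, 1 national, 2 sub-national, 3 local
    polygon: List[Point]    # boundary vertices in order
    rules: List[Rule] = field(default_factory=list)

def contains(polygon: List[Point], p: Point) -> bool:
    """Ray-casting point-in-polygon test: count edges crossed by a ray to the right."""
    x, y = p
    inside = False
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        if (y1 > y) != (y2 > y):  # edge straddles the horizontal line through p
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside

def inventory(jurisdictions: List[Jurisdiction], location: Point,
              data_attrs: Dict[str, object]) -> List[Tuple[str, str]]:
    """Stack every layer containing the location (broadest level first) and keep
    only the rules whose trigger fires for this data set."""
    layers = sorted((j for j in jurisdictions if contains(j.polygon, location)),
                    key=lambda j: j.level)
    return [(j.name, r.name) for j in layers for r in j.rules if r.trigger(data_attrs)]

# Constructed sample map: a national square with a sub-national square inside it.
SAMPLE = [
    Jurisdiction("Nation A", 1, [(0, 0), (10, 0), (10, 10), (0, 10)],
                 [Rule("breach notification", lambda d: bool(d.get("personal_data")))]),
    Jurisdiction("Province A1", 2, [(0, 0), (5, 0), (5, 5), (0, 5)],
                 [Rule("local retention limit", lambda d: d.get("records", 0) > 1000)]),
]
```

Moving the same data set from a location inside Province A1 to one elsewhere in Nation A drops the provincial rule from the inventory while the national rule persists, which is the location-driven stacking the post describes.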
If you would like to have a conversation about mapping the law for your business, pick up the phone and give me a call.