Thursday, February 25, 2010

Yes US, there is such a thing as EU Data Privacy

All too many times, it is easy to get the sense that the ediscovery market is a US one. Given the notorious American litigious nature, many people and companies are solely focused on how to react and respond to discovery within the borders of the US. Though much does indeed occur here, those of us that participate in the global arena understand there are greater interests and conflicting rules that can greatly impact one’s ability to respond to discovery. I have to admit that I have been witness to too many instances of “grabbing data” that may otherwise be legally “ungrabable.”   Pardon my parochial verbiage but in these instances it appeared not so much that data was collected as it was indeed “grabbed.” This of course is where the party was aware of international regulations – most often however ignorance of such controlling law was rampant.

Enter the work of the EU Article 29 Working Party and that of Working Group 6 of The Sedona Conference (WG6 & TSC). Both groups have attempted to add some clarity to the obligations of parties involved in cross-border matters which involve the transferring of data from one jurisdiction to the other. I will borrow the words of Chris Dale here for a proper description, including his intro as I believe it sums of the lacks of awareness quite well:

I will interpose only the briefest of introductions for the benefit of those bewildered by the whole subject, a group which, alarmingly, includes many for whom it all matters very much, if only they knew it.

The Article 29 Working Party is an independent European advisory body on data protection and privacy, established under Article 29 of EU Directive 95/46/EC. Its tasks include consideration of the conflicts which arise between EU data protection and privacy laws and the requirements of foreign courts and other bodies for documents which may contain private information covered by the Directive. The Working Party issued a document on 11 February 2009 called Working Document 1/2009 on pre-trial discovery for cross border civil litigation (“WP158”). The Sedona Conference responded on 30 October 2009 with a formal Comment of The Sedona Conference® Working Group 6 to Article 29 Data Protection Working Party Working Document 1/2009.
Read Chris’s entire post HERE

Recently, Jim Daley the Co-Chair of WG6 provided an update on the conversation with the EU and TSC. You can read more in Chris’s post above but I wanted to highlight the discussion that best illustrates where the current thinking is with this group and where they want it to go. Needless to say that there is some distance still on how the EU and the US see data privacy, specifically the transferring of personal data. To quote Mr. Daley:

"We received very spirited questions from the several Working Party members regarding why anonymization was such a burden for companies responding to cross border discovery, and why recourse to the Hague convention posed practical issues. We were also asked whether we believed there is really any hope that the U.S. federal judiciary will consider data protection and privacy and blocking statutes in balancing the privacy interests of Data Subjects with the disclosure obligations of multinational corporations. The questions led to an expansion of our time to 45 minutes. We all were able to participate in the discussions.

"The Chairman, Jacob Kohnstamm [Dutch Data Protection Commissioner], concluded by observing that he felt this might provide a 'win--win' situation if we can work toward complimentary goals of minimization of transfer of personal data, and overall reduction in e-discovery costs as a result.

While I do not believe that the US will embrace a more EU-type view on privacy the fact that this dialogue is occurring and continuing does provide hope that each party will find better ways to reconcile the different views each has. In the meantime there is every reason for companies to acquaint themselves with these issues so that they can better manage data transfer issues. If nothing else, understanding that there are even such things as “blocking statutes” and specific rules prohibiting personal data usage as well as what is defined as personal data – would be a valuable exercise.

The next step for this effort is the TSC Solutions paper that is currently being drafted and that will be discussed and used to frame the future discussions. WG6’s next meeting is slated for Washington DC later this year (tentatively September) and is by invitation only. If you are interested in attending you can send an email to Jessica Buffenstein at jdb@sedonaconference.org.

A note on participation: my direct involvement with Working Group 6 was only for a short time having participated in a Bermuda meeting prior to the dialogue with the EU. I would like to be of more value to the group to be honest but in all candor the state of work and dialogue currently transpiring between TSC and the EU is of such a high caliber that only those “neck-deep” in these issues are truly valuable. I do await in anticipation the end result as these folks work to clear the path for the rest of us and provide guidance on how best to navigate the international terrain of data transfers.

Sunday, February 7, 2010

Trojan Horses, Rabbits and Red Herrings

For ease of reading I am posting here an on-going conversation that Steven Levy and I have been having on the role of Project Management within organizations looking to find the "hidden ROI" within their information assets. It all started with Feb. 1 post here. Once again, thank you to Steve for his comments and informative perspective. In case you have not read it yet he has recently published the book "Legal Project Management."

Steve's reply is below (link to his blog HERE)

Joshua Kubicki* of Legal Transformation published an interesting and thoughtful piece Monday on Using Project Management to Find “Hidden” ROI.

He writes that he’s drafting a new proposal for the Sedona Conference about “establishing a business case for finding the hidden ROI in an organization’s information assets.” He talks about project management as an essential — and missing — factor.

While I’m (obviously) a huge supporter of the right kind of project management in the legal arena, I wonder if project management per se is just a bit of a red herring in the case of hidden ROI.

In the business world, you wouldn’t make any major move without thoroughly considering all the aspects of ROI, an nontrivial exercise. However, the concepts of ROIC, opportunity cost, IRR/NPV, and such seem alien to the way most attorneys practice law — and indeed often to the firms themselves [abbreviations summarized below]. I’m not talking about the terminology per se; there are plenty of ways to debate the net present value of various projects and cases without ever using the term.

What may be a “better” approach would be to apply a greater degree of business logic to the mechanics of the practice of law. I don’t mean attorneys should get a dual JD/MBA any more than I think they should chase PMI certification. Rather, they should develop a certain base level of business (and project) literacy before they are considered as potential members of the partner pantheon. The basic concepts of both disciplines are easily understood; NPV, for example, is a shorthand for discussing the time value of money and opportunity cost, both of which can be applied to thinking about case management without ever cracking a spreadsheet.

I put “better” approach in quotes for two reasons. First, I think it’s essential for senior and partner attorneys to participate in the profitability of their firms or corporations, which means applying business thinking to their work, as alien as some may now find the concepts. Second, given the degree to which this is all thinking from another planet, perhaps project management is after all the right guise in which to slip business thinking into the firm’s mental drinking water.

It’s an interesting article; take a look.

My response was . . .

Steve,

Thanks for reading and then posting your response here. In your response you hit on one of the major challenges I and the other drafting team members of the Sedona paper have been wrestling with.

In scoping the framework of a business case for approaching information assets from not only what the value is today or for a particular use but what the value “could be” for others or at a later time, multiple parties within the organization come into play. Each groups brings with it their own sense of knowledge and processes. Take for instance the C-suite. This group typically addresses issues from a high level, leaving the granularity to subordinates and experts to examine. They consider market knowledge, financial positioning, shareholder return, Board response and other “global” factors. Contrast this with the RIM (Records and Information Management) professionals who are typically sequestered into a realm of paper and data storage and retention. Too often these folks are not allowed into strategic arenas where their approach could enlighten others. In fact it is only recently that they have advanced to a place where they influence such things as legal holds, ediscovery, and knowledge management. Much of this growth has come from self-motivation and bootstrapping these areas along with their traditional domain. Groups such as AIIM and ARMA have been key in this regard. Other groups necessary for this effort are IT, Legal, and front-line business persons – again each with their own sense of “how we get things done” and “what we need to do.” Each indeed injecting their own brand of “business logic.”

As I mentioned in my article – the formation of an Interdisciplinary Team is key. The various types “business logic” of these diverse members are necessary due to the broad and expansive reach of information and the kaleidoscopic definition of “value.” Gathering these different groups together to take on the challenge of finding “hidden ROI” is just the start. Finding a “leader” or rather a person otherwise responsible for the planning, tracking, benchmarking, and sustaining momentum is perhaps more vital as without this person the diverse group will have a tendency to pursue others agendas and may deviate from the overall goals. This is where I suggest a project manager is needed – if to serve no other role than as the gravitational center of the group – keeping it close, moving and always focused on the end goal.

Red herring, maybe. Better yet, a Trojan Horse. Though neither idioms are needed in organizations that claim advanced business logic and represent a culture of information sharing versus silo-ing.

Steve sums it up best in his reply and his use of a Monty Python clip to drive our idioms home.

Trojan Horse is indeed a much better metaphor than red herring. However, I fear it will prove to be a Trojan Rabbit unless the records folks learn to speak the language of business. It’s not that they’re not allowed into strategic areas, but that they neither know how to speak the right language nor understand means of gaining entree. Getting their project act together is necessary, but not sufficient, I believe, without solving these other two issues.

Monday, February 1, 2010

Using Project Management to Find "Hidden" ROI

I have mentioned here before that I am currently on the drafting team for a new Sedona Conference project. This effort is a not yet a formal Working Group for TSC but it is an effort that been in play for over a year now. The focus/topic of this examination is on establishing a business case for finding the hidden ROI in an organization’s information assets. Think Business Intelligence meets Records Management meets ediscovery meets IT and you will have a basic idea of where this paper begins. Because of the nature in which organization create, disseminate, and store information – often siloed, disaggregated, unstructured, and untracked - there is a large amount of “value” that is unseen and untapped. We are seeking to lay out the plan for initiating the effort to corral this information and extract the “hidden” ROI and uncover the riches in having a more dynamic aggregated information asset model. The debut of our work was presented in draft form at last year’s ARMA conference in Orlando where it was received with generally positive reviews but further clarification and redirection was needed on the part of the drafters after hearing the feedback. We are still in the process of drafting this piece and look to have it out for public comment in the near months ahead.

While working on this topic many related subjects and issues have been co-mingled in my mind. Certainly the aspect of IT and legal convergence is of great potential in any scenario that looks to define ROI for informational value. Costing studies on implementation and financial ROI will be necessary as well for any implementation. Defining some of the many ancillary benefits of strengthening such diverse business process as R&D in product development, early case assessment in legal matter management, and improved customer satisfaction will be helpful in further expanding this topic. Perhaps the most important question however is who within an organization will be charged with this task? Records Managers have a stake and so would make a likely choice. IT obviously carries the burden from an architectural perspective as well as content access and security and so may be a wise choice. If an organization already has a BI or KM team they might also make for a strong choice. Even a techno-type out of the in-house legal team may make a solid implementer. However all of these positions currently exist and in most cases are already over burdened with their day-to-day responsibilities. Executing on a cross-organizational ROI business case that looks to mesh all informational assets into a holistic system and process that is able to extract potential value for all relevant parties will require a skill set that is adept and working with diverse groups and business functions. It will require someone who has a grasp both of the underlying objectives but also on how to organize and plan for such an undertaking.

Without divulging too many of the key elements of the paper, in it we do outline the necessary elements for it to succeed. One of the most import factors is that of creating an Interdisciplinary Team made up of key stakeholders within the organization (I mentioned some of them above). However, there is a knowledge gap in this group no matter the type or size of organization (with some exceptions) – there is no person identified that has the core project management skills of the quality that this implementation demands. A project manager would be of great value and importance. Their discipline in organization, planning, measuring and executing would add a tremendous advantage in this cross-function organization-wide undertaking.

Obviously it is our hope that this paper and business case contain therein will be a catalyst for organizations to review their current information architecture and decide to undertake a deeper, more meaningful effort of establishing the process of extracting ALL value from it. I look forward to sharing this paper with the project management community to assess its potential impact from their perspective and hear how the PM role may take part.