06 Jul Access Answers: Episode 13
PODCAST
TRANSCRIPT
Episode 13: Moving IG Forward with Kathy Jordan
Julia:
Welcome to another episode of Access Answers. I’m your host, Julia Vergara, along with Angela O’Pry. And we have Kathy Jordan here with us today.
Angela:
Welcome, Kathy. We’re so excited to have you, Kathy is one of my favorite people at Access Sciences. She is so amazing. And I have to also mention, one of our longest-tenured employees. She’s been with the company since 2001. And her role is principal consultant, but she’s just really, I don’t know. You just seem to know everything about the company and the history and our business. You just know how to do it all. So, we’re here to pick your brain today on this episode, and hopefully, you can share some words of wisdom with our audience.
Kathy:
I’m happy to be here. Thank you for having me. And it’s funny, I was thinking about that with the whole 20 years thing, that when I started with the company, we were under a different name and we were really small at the time. So, you literally did everything. So, you worked on projects, you wrote proposals. If there was a hurricane coming, you packed the office… So, when you said you seem to do a little bit of… We did, we did everything. And it was really great because you learned so much because you were exposed to so many different situations that might’ve taken years to be exposed to otherwise. So, it was great to come on when I did.
Angela:
Yes. And I just love chatting with you because I always seem to learn something new, whether it’s about national running month or the Dixie chicks in the bag… By the way, how are they doing? How are the Dixie chicks?
Kathy:
The chickens are good. They’re very good. They’ve been a little distracted lately with the rain. When it rains, for some reason they don’t like to lay eggs. They like to just think about the rain, I think, so they’re more pets than anything. So I’m fine with that.
Angela:
Yeah. So, they’re just like us. Whenever it rains, I just want to lay around and be lazy.
Kathy:
Yeah, yeah. That’s totally it. And so, it’s not like they don’t like water. They do like water a bit. They also don’t want to necessarily be in the downpour, but like I said, they get totally distracted. They’re very curious and so anything that’s a distraction from their normal day is a great distraction to not lay an egg. Because laying an egg is like a long process. It’s work. So.
Angela:
Yeah. Who wants to work when it’s raining? So, speaking of long processes, I’m sure in the course of 20 years with the company, you’ve seen some processes evolve and change specifically with information governance or technology and business strategy. What do you think is the biggest difference from 2001?
Kathy:
I think I’ve actually seen a little full circle lately in the sense of when I first started in 2001, I feel there was a pretty equal focus on managing physical records and electronic records. We were concerned about both in equal measures and we were focused also on managing the record or the document as a whole. And also maybe collections of it, you could manage it at the file level, right? So, there is that, but then there was also at the time an emphasis on creating these very detailed records inventories. And we sort of got away from that a little bit where we started thinking about collections in bigger buckets and organizing so it was easier to find things, organizing the way that you retained your electronic records. And so, we were thinking more in terms of like I said, these groupings of records for search and retrieval and just easier to manage, easier to apply retention to.
But lately, I feel that we have gone back to the need for some of these more detailed level-type maps or inventories, and that we’re not managing just at the record level, but now we’re managing down to discrete pieces of information within documents and records. And so, it’s funny, it’s like starting with those inventories and then sort of moving to, “Oh, maybe we’ll do these bigger groupings.” And now I feel like maybe we’re back to inventories again, but for different reasons, right? And it’s not that we’re away from the bigger buckets and the bigger groupings because we absolutely need those to implement our systems and to apply retention and to manage our information, but now there is a need also to have those more detailed inventories, I feel.
Angela:
Do you feel that’s related to, I guess my first exposure to that was a couple of years ago, maybe the project that we did for a large retailer with the data mapping-
Kathy:
Mm-hmm. Yeah.
Angela:
… Is that kind of along those lines or?
Kathy:
It is. So, yeah. I absolutely feel that the data maps in the project that you’re specifically talking about, we did that when it was one of our first clients where we were looking at GDPR and they were operating internationally. And so, it was concerned for them, and they had to achieve compliance. And one of the best ways to achieve compliance was through these data maps. What do we have? Where is it? How long are we keeping it in order to be able to understand and create those policies and to ensure that you’re complying with the law? So, yes, that was it. But now domestically, California passed a data privacy law in 2019. Just last year, they passed kind of, it’s not a second part to it, but an additional privacy law that reinforces, strengthens, clarifies that law, creates new categories.
Virginia just passed a data privacy law in March. So, while we’re not going to say, “Oh my gosh, every state in the United States is passing these comprehensive data privacy laws,” 25 states did try to last year.
Angela:
Wow.
Kathy:
California and Virginia did, but I think that that trend is going to continue. So, those data maps have become in my mind a really, really good tool to be able to demonstrate this is our private information. This is what we have. This is how long we’re keeping it. So, it does feed that process. I think that it also feeds this remote working, we have new security concerns because people can work everywhere, they are working everywhere. And now we have information on all sorts of devices that are kind of outside of our visibility. A data map can help you there too. What do you have? Where is it? So it can help you understand where your high-risk security areas are.
So, I kind of feel like that, that going back to full circle, it’s feeding a variety of different initiatives. And I think that’s a good thing so you’re not just doing this one thing. You can actually do this one thing and you can say, “Well, it can help me with data privacy. It can help me understand my security risks. It can certainly help me with discovery requests.” So, it’s a good thing. And it’s anytime that you can have an initiative where you can feed multiple different strategies or tactics across the organization, I think that that’s effort well spent.
Angela:
What is involved in creating that data map?
Kathy:
Wow. So, yeah.
Angela:
Are we back to long processes again?
Kathy:
No. It can be, right? So, you have to decide, I think that first, you have to agree on the template, right? What information do we want to collect? So, you have to get an agreement on what the templates going to be, and it’s got to achieve the right balance. It’s got to be at that right level. It can’t be too onerous. It’s got to be realistic. So, if you know exactly what you want to achieve going in. So like if you know, “Well, yeah, I want to help with mapping for data privacy, but I also want to know about my security risks and I do want to know some…” So, if you know everything going in, you can create your template from the start in a way that can feed all of those. When you can agree on your template and you have it at the right level, “This is what we’re going to do,” you have to identify the groups to talk to, right?
And then within that group, you have to get the right subject matter experts. You really have to have the people who can speak to all of the content that is generated or received within their group, right? So they have to know their business processes and it’s going to be a person… Certainly, you don’t have to be there 20 years like me, but it does need to be a person with the right longevity so that they understand the company because you also want them to understand their interactions with other groups across the company, right? So, not just me in a silo, but, “This is how we work across the organization. This is who I interact with.” And so, then you’re having those sessions with those subject matter experts and then you’re building out that template.
That sounds very simple. And it doesn’t have to be overly complex, but you do have to plan. You have to make sure, like I said, that you have the right template, that you have your subject matter experts. You have to communicate what you’re doing and why it’s important. That’s the other thing that you have to bring them along with you so that they understand the importance of this effort. And then you also… It’s not one and done, right? This is a template that can change over time. So, you have to have a process to go back and revisit that, update it, how are we going to make sure that this stays evergreen? When we change, how are we going to be aware of that there’s a change and we have to go back and update our template and update our knowledge of where things are?
That part, I think goes to building the awareness across the organization. And that’s that whole other change management piece of-
Angela:
Oh, yeah.
Kathy:
…Yeah, of what we do where we have to just build that awareness so that this becomes part of our culture. It becomes part of what we do. It’s not just this other added thing. It just becomes part of your organizational awareness and culture. And so, it is a process, as you say, because there are so many components, but I do think that when you tackle each part in a logical manner, you understand the purpose of what you’re doing at each step. It is manageable and you will come out with a good product in the end.
Angela:
What would you say to someone that’s listening to this and thinking, “Holy cow! Okay. I have not thought about a data map. I don’t have one, or I don’t even know if someone in my organization is thinking about this.” What would you say to them?
Kathy:
Well, so of course the first thing I say is, “Call me.” Well, I think that… My approach to most things is step back-
Angela:
Mm-hmm.
Kathy:
…Step back away. Don’t be overwhelmed. Step back. I’m a person that the first thing I like to do is I like to do my research. I like to understand what am I facing? What do I have to comply with? So, back to the privacy example, it probably makes sense for everybody to start becoming aware of these things, but it’s hitting you if you operate in California, or if you operate in Virginia, that that’s its own sort of problem there too because one of the things that we’re looking at with privacy, and I think this is why people probably are having that sort of holy cow moment, what do I do? Is there is no overarching federal privacy law right now. So, you had 25 states last year proposing different things. And so that means that you could be trying to comply with X number of states that passed these laws.
So, right now, maybe I operate in California and maybe I operate in Virginia and this really does apply to me, so I have to comply with those separately, right? They could have crossover, but they could also have different requirements. I also need to know for everywhere where I do business, what’s on the horizon? What’s coming up? And so, in that way, so that you can understand how do I plan compliance here? What do I do? I think that that complicates matters. And I think it’s overwhelming. Some of the federal laws, I will say the word retention schedule, and everybody will go to sleep because evidently, you’ll just hear the heads hit the desk, I’ve had a focus on regulatory research for quite some time, and what you see with some of those really big federal laws like OSHA or some of the transportation laws, there’ll be a federal requirement. And a lot of the states will say, “I incorporate it by reference. I adopt the federal law and maybe I have exceptions to this or to that.” And that’s noted.
That’s predictable and that’s pretty easy to manage, so when you have that and you can comply with that, or you could adopt that as opposed to now California is doing this and it did it two years in a row. Oh, and by the way, there’s a look back period. So, there’s 12 months of data that’s going to be in scope even though it doesn’t go into effect in 23, I still have to worry about the 2022 data. And now Virginia did this. I think it’s overwhelming. And I think that oftentimes, especially when you are limited on your resources and you’re trying to plan a project like, “How am I going to go about this? And I have to keep track of what’s happening in this state or that state, or California just changed this and now they’re recognizing sensitive personal information. What does that mean? I just updated my policy for this other category. And now I have to worry about sensitive personal information.” I think that that’s the challenge.
And so, when I say that, stepping back, breathing, and then just coming up with a very sort of logical, practical approach of what do I want to achieve, what’s realistic? And then starting to build those relationships across the business and where you can partner. Like a data map can help IT obviously with security, right? It can help legal with discovery, where can you partner to deliver this project and this result in a way that can build relationships and alliances across the company so that multiple groups can participate in this process and have something at the end that they’re very happy with?
Angela:
And it sounds like, and I guess you can say from your experience working with clients, bringing all of those groups to the table could be a challenge-
Kathy:
Yes.
Angela:
…if you’re trying to do this internally, right? And you’re trying to get the stakeholder buy-in and get everyone to understand what you’re really working towards?
Kathy:
And it is. And that’s exactly right. It’s funny, I had one of my early projects we were doing, we were working with stakeholders from all across the company and we were meeting, we were developing a retention classification structure. We weren’t applying the research yet, we were just building the framework. Not just, it was international company, super complicated company and we were identifying those record series as the first step. Again, what are the logical steps to do these things? So, that was our first charter as this big team. And I was facilitating that team and what we saw, we would get to an understanding because we would work through it. We would work through our misunderstandings, our miscommunications, then we will come to this common understanding. And we all probably had compromised a little bit because that’s what that takes.
And then somebody new will join the team and they would inevitably say, “Well, what about this?” And we’d be like, “Oh.” Because they were starting back where we were six months ago, but that is the natural cycle. And there was no way to not let that person enjoy the cycle in the same way that we had. And so you had to understand that that person needed the time to come to the same understanding, or maybe a slightly different understanding and give us some different ideas, which would be great, but they had to have the time to come to the understanding where we were.
Angela:
Mm-hmm.
Kathy:
And so, that is always a challenge. Bringing groups with different motives, not in a bad way. We have different motivations, right? And we had different things that we’re trying to achieve. So, bringing all of us with our diverse needs and requirements together to try to get to some common understanding, it’s work, it’s effort.
Angela:
That sounds like we need happy hour tonight. My stress level just went up a little notch or two. No, I think there’s a lot of value in that. And I think you’re absolutely right that we’re going to see more of a need for that. Everything I read about is security. Look at the security breaches that have just happened-
Kathy:
That’s exactly right.
Angela:
… with the pipeline and the Martha’s Vineyard Ferry. What did they do? Why attack them?
Kathy:
Shame on me. I had that voicemail message and I opened the voicemail message. And I was like, “Oh my gosh, I’ve been through the training.” And yet it was so natural for me to not understand that that was a security threat. So, just thinking about the constant education that people need to just always have in the forefront of their minds. I have to question it, I have to question it. I can’t trust it. When your initial thinking is, “It’s a phone call. Came to my voicemail. Of course, it’s for me, they knew my name.” So yes, it’s not going away. It’s clearly not going away. And then we’re doing all of that while we’re trying to still enable collaboration, right?
Angela:
Mm-hmm.
Kathy:
So, we’re trying to lock down for certain reasons for security or for privacy, making sure that private information secured. But then we want people to be able to work remotely and collaborate and to not put too many barriers up. And so, it is a challenge because you need people to be able to work and work productively.
Access Answers is owned and operated by Access Sciences. We’re a consulting and business process outsourcing firm specializing in information governance, technology enablement, and business strategy. Since 1985, our dynamic team of experts have been committed to meeting each of our client’s unique information needs. If you’re interested in partnering with Access Sciences, send us an email at info@accesssciences.com.
Julia:
So, Kathy, along with many, many other companies, a lot of our clients were impacted by the pandemic. So, what did that look like from your perspective and what does it look like now that things are bouncing back a bit?
Kathy:
So, with the pandemic in general, what we have seen from… Companies immediately had to flip the switch so that everybody could work remotely, right? It had to happen so that business could continue. I’ll never forget when our office shut down, I was driving and I wasn’t… At the time, I didn’t even realize this is going to go on for more than X number of weeks. I had no idea and a guy in front of me on the feeder road had his office… His trunk was open, it’s been tied with a rope and his office chair was in his truck and I thought, “Wow! Oh my gosh, what have I just missed?” And some of our… I will say some of my clients understood that immediately and got it and knew that this was a long-haul kind of thing.
Others were more… Thinking, “What does this look like? How long does this last? How long are we going to be out?” But I do think that because of the need to operate efficiently and quickly, we had to flip that switch. And so, what that meant is that we were maybe rolling out solutions or opening up solutions that we hadn’t applied governance to. And what we’re seeing a lot, if you’re, like with SharePoint and Teams, most of our clients didn’t have time to put in site provisioning processes, maybe that they’re sharing files via Teams, instead of just links. If they’re sharing files, how are we applying retention to those? Can anybody request a site? Yes. It seems like anybody can. So, we’ve just seen this sprawl of information that’s ungoverned. And now we have information like in sites like Teams and SharePoint, but we also have it on our mobile devices. We are working everywhere, maybe on home computers.
So, I think that it was something that we had to do to work, but now people are saying, “Wow, we’ve got to really get this under control, and we have to reign it in.” I think that it’s good. And it means that you’re going to have to probably go through redesign. And you’re going to have to do that again, that process with users to understand so that you can do that redesign effectively. But it also means that you have to manage user expectations because people were used to just spinning up the site and just doing the work. And now we’re telling them, “Maybe not. Now you’re going to work this way. Yeah. Teams is great, but instead of sending that file on Teams, we want you to share a link and we’re going to start applying retention to things.”
And so, managing user expectations… So, again, it’s back to that change management, bringing them along all of your users so that everybody understands we’re not trying to inhibit work. We still want you to have your productivity, but we also want to reign it in just a little bit, so that we minimize our risk. And I think people understand that. I think that all of us understand that we don’t want to put our companies at risk. I think that it does require change. It’s going to require user behavior. It’s going to require a strong commitment to communications from the top down, why it’s important and you’re going to have to reinforce that.
So, I think that that is the biggest thing is that we want to continue with the collaboration. We don’t want to get in the way of productivity, but we do have to make sure that systems that we rolled out without governance, that we now apply governance and point forward, I think that it’s always going to be a hybrid. I think that we are going to be working in a hybrid model from now on. So we have to take these considerations into any new system that we implement so it’s not just, “Oh, we’re done with that. Let’s redesign the system and we’re done.” That it really now is our new way of working and thinking about our systems and how we roll things out. I think that’s one thing we’ve seen, right? Another thing that’s been coming up more recently with some of our clients are, “What do we do with all of these records that were generated in response to the pandemic?”
And that is a whole other thing. And one of the things that… It matters what industry you’re in, right? So, if you’re in a food industry… Okay. Well, that matters more than if like you’re in our company, right? It matters what your processes are. Like what did you put in place? Did you actually record a temperature associated with a person or did employees do some self-reporting? And when they came through the door, you did a temperature reading, but you didn’t save it? All of these things matter. What your processes were at the time, what they continue to be will have impacts on whether you created a record and a different retention period applies to it. So, that’s one thing, it’s understanding what your processes were, what data you were creating, what you were associating with the person and whether employees and visitors, other things that some of our clients are having to deal with are, what if somebody did get ill at work?
So, all of the notifications. Oh my gosh, you just generated a lot of things, right? So you have those kinds of things. You have the records around how did you protect your environment and make it safe for your employees? Also, payroll protection records. CARES Act’s records. So, you have all of these things that are hitting you in different places. So, it’s not just this one thing, but it’s looking across your company holistically and understanding where were you generating those records? I will say many of them, there’s probably a very logical place already on your retention schedule, a change in a policy. Will you have a record series for policies and procedures, and there won’t be a change, you just need to understand that you updated your policy, you have a record series you’re in good shape.
It’s really identifying those new things. And even some of the financial records that are generated. Again, I think that you likely have places already on your retention schedule, you will be in good shape. It’s going to be those new things that we’re doing, whether it’s the notifications, the contract tracing that we have to do, or if you are retaining temperatures associated with employees, those are the things that we have to be aware of. So, I think that again, understanding… It’s that whole… It’s what we always talk about, assess your situation, right? You need to start with an assessment, what are we doing? So that’s what I would say if I were in that situation, I would understand, “Okay, first what’s my industry? What are my impacts?” My impact might be lower because I’m not in a high-risk industry or we weren’t doing these things.
So, understanding your industry and the jurisdictions where you operate. Understanding what the processes were and maybe coming up with, “Okay, these I think are risk areas.” Or, “These are I think where we might’ve started generating some new stuff.” Talking to your subject matter experts and confirming. And then at that point, once you understand any new content that was generated or any new change in process, you do your research, regulatory research, making sure that you have your requirements covered in your retention schedule. And then you update your retention schedule, you update your policies, your processes, and you document all of that, so that you can prove down the road that you did exactly what you were supposed to do. You did your level best to understand everything that you were doing differently during this pandemic. And you have documented in a way that you can go back and prove your process down the road. And I think that that’s the key as well. And that’s what we always tell our clients is being able to prove your process and prove that you did your best goes a long way.
Angela:
Using the term record, do you think that’s a widely understood term of exactly what a record is versus just a regular email or a regular piece of paper or a text message?
Kathy:
I don’t.
Angela:
So, maybe let’s start there.
Kathy:
And that is the golden question that we always get in data gathering from users. How do I know if it’s a record? And the biggest part of me says, “Let’s not really focus on that. Let’s focus on the information that you generate, you receive. Let’s not worry about the definition of a record right now.” Yes, we do have retention schedules, we call them records retention schedules, however, we have to manage all information, regardless it has to be managed. And so part of me says, “Yes, we absolutely want to understand what the records are, but I like to do that on the backend and understanding when I talk to somebody and get them to describe their process or to get them to describe what do you use that for? Or when do you use that? Or where do you get that from? Or why do you need that?”
I can make some decisions on my own and RIM professionals can. Is that a record or not without the user having to say, “Oh my gosh, is this a record? Is this not a record?” I like to eliminate that burden where we can, because like I said, we still have to know about your information overall, right? And information, even if there is not a regulatory requirement to keep something, there is likely a very good business reason in many cases to keep something, so there’s a whole other category, right? And there is… In systems right now, like when we’re implementing systems, we want to know about all the information, because we want to put some kind of policy on it so that we can manage the information.
So, if it’s not a record, it’s not information you need to keep for business reason, it’s still information that you have. We want to put something on that so that it comes up for disposition, some kind of business rule. This is a three-year rule, or we need this reference information for five years, whatever it is that you decide as a business, we still need to know. So, I like to step back from that and just think in terms of information, and especially as I think about all of the challenges that we’re seeing right now with having to manage discrete pieces of information, personal fields of information within a bigger document, right? I think that to me, it just helps to just talk about records and information or just information or data, however you need to talk about it for your user to understand, and to understand that this has to be managed, I think that that’s the better angle for my perspective. It’s probably not a purist view. However, I don’t want people to get hung up on the words, right?
Angela:
Mm-hmm (affirmative).
Kathy:
And to forget about this whole other closet of stuff over there that is really important that we know about that they didn’t think to tell us about it because it’s not a “record,” right?
Angela:
Yes. What would you say to information governance professionals that are looking to communicate the value of their program upward in the company?
Kathy:
I think it is building these alliances across the company. And I think that is the very best way to demonstrate value. And some of the things we talked about, we, information governance professionals, we have things that we want to accomplish that serve the same purposes, needs with legal, with IT, with our business groups. And I think that when we can understand how what we’re doing works across the larger company and how we can build partnerships across the company, that’s how we’re going to get buy-in upward, I believe. And so that it’s not just presented as a, “This is going to help us mitigate risk.” Or, “This is going to help us do these things.” But this is going to help us mitigate risks and enhance collaboration and help the business because they were asking about this thing, by the way, and legal, because now we’re going to have a tool to understand how to apply holds better, or you see what I mean? So I really do think it’s building the partnerships and that that is the way that you’re going to get more visibility at the highest levels of the company.
Angela:
Yeah. I like that. I think that is basically the reward of effective collaboration, right? If you can work together, then that’s how the partnership is formed.
Kathy:
Mm-hmm. And I think that that’s true just of many things in the organization that when we collaborate and when we form partnerships, no matter what it is, we have more credibility because we are looking from a broader perspective, likely we’re hitting our core values and when we’re doing that, because chances are your core values are going to talk about that. Right?
Angela:
Mm-hmm.
Kathy:
And so, I do believe that any time that we collaborate and build partnerships and make alliances, we have more credibility. And that will rise up because all of a sudden, a solution that you thought, or problem you thought might’ve just been yours, now you see this can help across the board. And so then I just believe you have a better chance of adoption.
Angela:
Speaking of Teams earlier, it’s a little strange to see you on this program without a background because that’s your accessory every day is your fancy background. I was trying to remember what it was yesterday to tell Julia. I said, “It was something bright and colorful-
Kathy:
Fish.
Angela:
…Fish. Okay.
Julia:
I was telling Angela, my personal favorites were the octopus from the Octopus Teacher and then the train wreck.
Angela:
The train wreck was my favorite. That was so funny.
Kathy:
If I come to a meeting with you guys and have a train wreck, I’m going to know I didn’t very poorly.
Angela:
No, that was great. I love the creativity.
Julia:
Yes.
Angela:
And the guessing. It’s like, you never know what you’re going to get when you sign into a meeting.
Kathy:
That’s exactly right. If it’s my core client group, I’ll use my fun background, but if it’s like data gathering, I always have my Access Sciences up just because they need to… Again, it’s good for them to know who I am and why I’m there because I’m going to be an unfamiliar face. And if I’m an unfamiliar face with fish, octopus or something, my credibility just right down the drain.
Angela:
Yes. Of course. Love that. Well, thank you for being our guests today. Definitely shared a lot of wisdom and I think everyone right now is Googling data maps. How to get one, how long it takes and probably even how much it costs. So.
Kathy:
This was fun. All right. Thank you guys.