Data management has long been a best-practice strategy to control data volumes by applying different methods, such as data prevention, aggregation, deletion, or archiving. Companies’ data management strategies to date have primarily focused on reducing total cost of ownership (TCO). Now, however, a data management strategy alone is no longer sufficient. In addition to cost considerations, companies must also effectively address legal compliance requirements and risk mitigation issues. They have to ensure, for example, that they know and understand retention requirements and that they apply them correctly to their data. Building an effective information lifecycle management (ILM) strategy has emerged as a key approach to balancing and dealing with these broader challenges of cost, compliance, and risk.
ILM takes a more holistic approach to dealing with data and information; it is vital that companies that do not yet have an ILM strategy begin to build one. Key to building a comprehensive ILM strategy is finding the right tools to help users manage and follow that approach more effectively.
A solid foundation for ILM
A good data management strategy is already a solid basis for ILM. Effective data management helps reduce costs by reducing data volumes and avoiding data redundancies – both key factors for more efficient information management. With this cost-focused foundation, building a comprehensive ILM strategy becomes more about finding a constant balance among TCO, risk, and legal compliance and taking steps to define, document, and strategize ways to better manage the information that exists across the company.
Up until now, however, customers were largely left to their own devices in the areas of risk and legal compliance. Policies governing data retention and the destruction of data had to be written down manually and applied separately to the different data types in the system: structured data, meaning business or transaction data, and unstructured data, such as scanned invoices, print lists, or even media and sound files. With these rules and policies stored in different places, and with no way to make sure that people were adhering to them, it was impossible to ensure that all users managed their documents and data with the same sets of rules. Even just trying to understand legal data retention requirements can be quite overwhelming, especially when a company operates in several different countries.
Laws governing digital data often do not distinguish clearly between data and information. When a privacy protection law requires that data about former employees be destroyed after a certain number of years, what is really meant is that all the information about that person must be destroyed. It would be of no use to destroy the employee data if the information about that person were still available in other data objects.
In this case, compliance can only be achieved if all data records containing information about that employee are destroyed. To avoid the risk of not complying with this kind of privacy protection law – or any legal data retention requirement, particularly in the areas of tax and product liability – companies have to be aware of the location and format of any relevant information throughout its entire life cycle.
Identifying common pain points
The compelling need for comprehensive ILM has led more and more SAP customers to begin creating their own strategies. Accordingly, the Americas’ SAP Users’ Group (ASUG) ILM Influence Council recognized a need for software tools to shape and manage such a strategy. As part of the Influence Council, SAP and customers worked together to identify common ILM pain points and compile a list of customer requirements – for retention policy management and other legal compliance issues, for example – to share with SAP development. In turn, SAP began to develop the ILM tools its customers needed. The Information Retention Manager (IRM) is one such tool to evolve from this collaboration. SAP is continuing to work with its customers to develop more ILM tools and applications that will allow customers to centrally manage their data retention policies and perform ILM tasks, such as data destruction and legal holds.
Easing ILM efforts
Just as companies use business software to assist in data management, certain tools can fill the missing links on the path toward a comprehensive ILM strategy by providing considerable support and automation. SAP recently introduced a new policy engine called the Information Retention Manager (IRM). This tool, which will be made available in late 2007 as part of an upcoming enhancement package for SAP ERP 6.0, will allow users to centrally manage all internal and external policies governing data retention – within and outside of their SAP systems – for both structured and unstructured data. IRM also allows users to enter their retention rules for paper documents. This means that the rules governing the life cycle of all data and documents are kept in one central location, allowing users to more efficiently and consistently manage their information. Having such a central management tool as part of the business software – close to the origin of the data – is key because the integration and relationships of the business data are embedded within the applications.
In-depth look at the data retention technology
IRM is a very flexible function that allows users to enter retention rules for different object types – such as sales orders, invoices, or financial documents – in their system. This flexibility also allows users to enter different retention rules for each object type, with rule categories that best fit those object types and reflect the various requirements of different departments that will come in contact with the information being managed. To cover both internal and external requirements, for example, companies can have different kinds of rules, such as “tax law” or “product liability.” These retention rules can outline requirements for minimum and maximum retention periods, criteria for the beginning of the retention period, or guidelines for which storage system to use in case data needs to be archived during that retention period. Users can also enter the residence time, which will determine how long data has to remain in the database before it can be archived.
The rules companies enter in IRM describe when objects should be archived, where they should be stored, and when they must be destroyed. During archiving, the system first checks whether the object is considered unchangeable and whether the residence time requirement has been fulfilled. If the retention rules are being met, the object can be passed on to the storage system. Additionally, if the object is to be destroyed without being archived, IRM will first check that the minimum retention period has been completed. If an object is archived, the storage system must ensure that the user-specified retention rules are not violated in terms of access authorization. In addition, data can only be destroyed if it is free of any legal holds. If data is or may be involved in any kind of legal proceedings, authorities can place a hold on it, meaning that the data cannot be destroyed until that hold is lifted.
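The checks described above (unchangeable status and residence time before archiving, minimum retention and legal holds before destruction) can be sketched as a small policy evaluator. This is an added example, not SAP code or the IRM API: the class and function names, the sample rules, and the way several rules for one object type are combined (longest residence time, longest minimum, shortest maximum) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class RetentionRule:           # hypothetical model of one retention rule
    category: str              # e.g. "tax law", "product liability"
    residence_days: int        # time the object must stay in the database
    min_days: int              # minimum retention period
    max_days: int              # maximum retention period
    storage_system: str        # where archived data is stored

@dataclass
class Record:                  # hypothetical business object
    object_type: str
    created: date
    retention_start: date      # set by the rule's start criterion
    unchangeable: bool
    legal_holds: set = field(default_factory=set)

def may_archive(rec, rules, today):
    """Archiving check: object unchangeable and residence time fulfilled."""
    if not rec.unchangeable:
        return False, "object is still changeable"
    # Assumption: with several rules, the longest residence time governs.
    until = rec.created + timedelta(days=max(r.residence_days for r in rules))
    if today < until:
        return False, f"residence time runs until {until}"
    return True, "ok"

def may_destroy(rec, rules, today):
    """Destruction check: no legal hold and minimum retention completed."""
    if rec.legal_holds:
        return False, "legal hold: " + ", ".join(sorted(rec.legal_holds))
    # Assumption: with several rules, the longest minimum retention governs.
    until = rec.retention_start + timedelta(days=max(r.min_days for r in rules))
    if today < until:
        return False, f"minimum retention runs until {until}"
    return True, "ok"

def destruction_overdue(rec, rules, today):
    """True once the shortest maximum retention period has elapsed."""
    limit = rec.retention_start + timedelta(days=min(r.max_days for r in rules))
    return today > limit

# Constructed sample data: two rule categories applied to one invoice.
RULES = [RetentionRule("tax law", 365, 3650, 6000, "store-a"),
         RetentionRule("product liability", 730, 5475, 6000, "store-a")]
INVOICE = Record("invoice", date(2007, 1, 15), date(2008, 1, 1), True)
```

A record that is overdue for destruction but still under a legal hold stays blocked by `may_destroy`, which is the case an auditor will ask about first.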
Going beyond data storage
Unlike ILM solutions that focus solely on the storage aspect of information management, SAP’s ILM tools focus on the entire life cycle of information – from its creation in the database, to its archiving in a storage system, to its final destruction. It’s important to point out that this life cycle begins with the actual creation of a data record in an ERP system, not with the storage of that data. Moreover, on a storage system level, the business references and relationships of documents cannot be determined without additional metadata. As a result, a real classification of the documents is quite difficult. Therefore, it is crucial to view ILM as a comprehensive approach. Technologically, this means that the storage side of a system must be able to speak to the application and support the same ILM functions – such as the destruction of data.
To ensure that IRM provides the most comprehensive ILM support possible, SAP closely followed its customers’ lead, as well as official guidelines dealing with data and information, when designing the tool. Two of the most important of these guidelines are the “Design Criteria Standard for Electronic Records Management” (DoD 5015.2-STD) in the US, and the German “Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen” (GDPdU). Although IRM does not claim to automatically meet all legal requirements, it does support DoD-compliant management of electronic information by offering the option of maintaining different rules for different interpretations of the same data record.
ILM allows companies to better juggle TCO, risk, and legal compliance as they manage their enterprise information. This can only be achieved through a holistic and comprehensive approach to information lifecycle management, made possible through new technological innovations that now allow ILM processes to become increasingly automated. Data management is still one of the main pillars of ILM, but new technologies, such as IRM, are filling the remaining gaps to make a comprehensive ILM strategy possible.
Source: SAP Insider