Information Governance Challenges and How to Address Them


Reinventing Professionals, a podcast hosted by industry analyst, Ari Kaplan, shares ideas, guidance, and perspectives from market leaders shaping the next generation of legal and professional services.

Craig Carpenter and Dean Gonsowski, Gimmal’s CEO and CRO respectively, spoke with Ari about information discovery, migration, governance, and compliance, and how Gimmal helps organizations address their biggest information governance challenges. Below is a summary of that conversation and a link to the podcast recording.

CRAIG CARPENTER: I began my professional career after grad school as a practicing attorney in Silicon Valley. I litigated a little bit, enough to be dangerous, and then worked with technology companies doing licensing IP. This was the late nineties when all of my friends were becoming paper millionaires.

I jumped over to the technology side of the aisle and have been there since … operating initially in cybersecurity. And then in eDiscovery when I jumped over to a company called Recommind back in 2006, and I’ve been primarily in eDiscovery and GRC technology spaces.

Gimmal is a company that’s been around for about 15 years now. It started as a GRC — governance risk and compliance — consulting firm. And then as often happens in other companies in the space, Gimmal developed software to automate some of the work that they were doing. They primarily focused on energy companies, given the company started in Houston, TX. Since then, they’ve productized everything they used to do concerning GRC and then expanded the footprint of the technology.

Where we are today is a software company that focuses on the full life cycle of information governance [and addressing those information governance challenges] from the creation of information and its classification, categorization and characterization as a record, through its migration into a cloud back-end or a hybrid back-end. And then ultimately to the collection of ESI or the remediation of information once its useful life has finished.

ARI KAPLAN: Dean, what parts of the eDiscovery process does Gimmal support?

DEAN GONSOWSKI: The short answer would be the left-hand side of the EDRM [electronic discovery reference model] and a slightly expanded answer would be, even more upstream of the EDRM, which is the creation and governance. Migration and archiving and content management — all those solutions that manage information — we can connect and tentacle into.

More specifically, we play in eDiscovery when we start to collect, preserve legal holds and process information. We can do that both from various repositories and structured data, structured repositories, endpoints and the like. And we recently — within the last two years — acquired an eDiscovery company called Sherpa Software that has discrete eDiscovery tools. In concert with the overall governance solutions, we’ve got the discrete eDiscovery use cases covered.

ARI: Craig, what are the biggest information governance challenges that legal teams need to address today?

CRAIG: Before COVID put the market evolution on afterburners, and the best proxy for this is seeing the rise of things in groups like Clock and the like, is the operation of information governance and having to deal with information where it sits, including Shadow IT, which is you have your IT sanction, data types, data sources, systems, etc.

You have the shadow network of information … whether it’s Slack or Dropbox or Box or cell phones or texting … or whatever the case may be. IT teams, and more specifically, legal teams, need to mitigate and manage that risk.

At the same time, you had a couple of other trends, the first of which is privacy and things like CCPA and GDPR that turned the burden of proof on information governance on its head. The whole cyber realm of having information that’s out there that you used to keep, because you didn’t want to get rid of it, but now if it gets hacked and exfiltrated, you have all sorts of risks that these folks need to manage.

You add COVID on top of that, which is everything we just described, and then you have a remote or hybrid workforce. It turned information governance on its head in two ways.

First changing from being a nice to have to a must-have. And second, from what do we, what can we realistically get rid of? What can we realistically and legally and ethically keep and the rest of it we should actively manage.

That’s the biggest challenge facing corporate legal teams today, is that kind of affirmative burden that didn’t exist ten years ago and probably not even five.

ARI: Dean, given that, how should companies revise their records, retention and document management plans?

DEAN: There’s a long answer to that, but I would say that the shortest answer possible is that they need to be brought current into the new legislative and data privacy regime that we’re seeing out there. CPRA is a prime example, the California privacy regulation, is one of the first that has a nexus with the records retention and the length of time you keep information.

What we’re seeing in practice is as people start to operationalize their privacy response and data subject access responses and privacy posture, they’re having to look at how and when, and why they keep information in the first place. A lot of that has been neglected.

For people who are interested in getting their privacy house in order, I’d suggest that they also look at their records and information governance plans as well, because it’s not just simply, “Let’s get ready for privacy.”

Finally, the types of systems that are out there need to be handled with a common framework. And so, unfortunately for Microsoft, everything isn’t in the Microsoft stack, tons of it is, but there’s still Slack and Teams and Box and file shares and legacy archives and content management systems. And so there’s a policy element, and then there’s how do we make sure we can implement the policy across all these disparate systems? As Craig was talking about with hybrid workforce, now those pieces of information are that much more dispersed for knowledge workers.

ARI: Craig, how has the pandemic impacted the way organizations manage their data?

CRAIG: It’s put a lot more pressure on those that run information governance specifically on the corporate side, because now you have a distributed workforce and perhaps company policies that nothing can be saved locally, for example, or in “unauthorized” systems like Box or Dropbox or Slack. It must all be in a central location, but policing that isn’t always easy. The cyber profile of any given business has just gotten that much more complicated, because very few businesses were largely, let alone entirely, remote three years ago. Now almost every business has some component that has a hybrid or a remote workforce.

It’s accelerated the migration to cloud tool sets and repositories, because companies are trying to be responsive to their employee base and let them work as efficiently. Companies need to accommodate their employees if they want to hold onto them. That really puts a lot of pressure on legal specifically — but also IT and cyber and records management, etc. — to more actively manage all of these systems and data because data is a major asset, but it can also be an enormous liability if, for example, it were to get hacked or if there’s an investigation or good old-fashioned collection from eDiscovery. More active management is something that is far more mission-critical to legal departments than it was pre-pandemic.

ARI: Dean, what impact is technology having on the way organizations now approach their eDiscovery matters?

DEAN: eDiscovery is one of the reasons I’ve moved slightly orthogonal. The eDiscovery challenge has largely been solved. There are tremendous review platforms and technologies to handle the eyes-on document review and everyone’s comfortable with those.

What we’re going to see in the next decade is we’re going to move away from this collect and review methodology. And you’re going to see more people use just pure technology and not even predictive coding, but even more sort of intelligent collection and identity access management and understanding who’s looked at information and the like. So in where the information resides in a given repository in Teams and in a file share, etc. versus let’s collect it all and push it into a review platform. I think that will be a pretty significant sea change when that happens. To me, it’s more of a when than an if.

ARI: Craig, how do you see information governance evolving?

CRAIG: It’s going to become a lot more active. A lot of people have figured out that eDiscovery is kind of a reactive exercise fairly far downstream, gets much, much easier and quicker and less painful, the better job you do upstream when it comes to information governance. We’re seeing that there may be a couple of different cohorts in the industry or amongst customers.

The first is those who are still just trying to get their arms around what’s out there, where’s the information, who is operating and what systems even exist anymore. What’s in the cloud, where are we putting everything and where are our employees putting everything?

The cohort that’s ahead of them are those that are starting to do what Dean described in terms of actively managing information, and in that way, de-risking it. In that process, where we ultimately see things going in privacy, in cybersecurity, our main drivers of this, and then the COVID hangover of a hybrid workforce is the accelerant, is this idea that information is not a static asset that just sits there to be protected at all costs and kept forever. It’s something that needs to be actively managed, because once its useful life is over it’s not a nuisance … now it’s a source of significant risk.

Where it ultimately is going to go, I think eDiscovery, nothing’s ever going to be turnkey, but going to make it simple. Hopefully down the road when you’ve actively managed information on the front end, it’s been classified, it’s been governed, it’s been declared a record or not, and then when its useful life is done, it is remediated. You have a universe where for the most part, the information you have is what you should have, which keeps you on the right side of risk.

That’s where we see information governance going. And that’s why we both came to Gimmal — other than the fact that we have respect and fondness for working together — it’s just, that this company has a tremendous opportunity to be, to continue to be, a leader in that realm. We’re excited about the role Gimmal can play because from a client perspective, getting to this active management of information and its life cycle is really where everybody wants to go.
