The pandemic has accelerated the adoption of collaboration platforms in the workplace such as Slack, Microsoft Teams, Meta’s Workplace and Zoom. Between 2019 and 2021, the use of collaboration tools increased by 44% and the average Slack user sent roughly 110 messages a day. Today, almost four out of five organizations rely on these channels to facilitate employee conversations and keep work on track.
The collaborative platforms and tools that facilitated the shift to remote or hybrid work arrangements are now firmly in place as part of standard operating procedures, but the data they produce is different from other electronic channels for business communications, and management of the resulting risks has not yet caught up to adoption. These platforms facilitate a level of collaboration that can increase efficiency, but they also introduce a massive amount of unstructured data.
Unlike the linear logic of email chains, these new channels fragment conversations and split them across a range of public and private forums. Acronyms, GIFs and emojis result in a chaos of audio, image and video files. Compared to email, this type of conversational data is largely nuanced and unstructured, creating not only a new data set, but also a new set of data governance challenges to be reckoned with.
Managing Conversational Data
Making sense of digital conversational data presents challenges daily, whether it is related to compliance, legal or cybersecurity. For example, cybersecurity professionals who are tasked with protecting both data and employees have already seen a notable increase in phishing attacks on these platforms. In these attacks, bad actors gain access to a company’s platform, pretend to be employees and go on to gain further access to vital company systems, which can lead to unauthorized access to customer data, financial information or intellectual property. The rise of such schemes emphasizes the need for technology teams to work across the entire enterprise and institute data governance structures that are adapted to a hybrid workforce.
The exponential growth in this conversational data has also introduced new considerations for compliance and legal. Collecting, structuring and normalizing data from these platforms creates new challenges for legal discovery, records retention and privacy. Capturing and preserving this new set of unstructured data falls outside of most standard monitoring and archiving solutions that are typically used for other electronic communication channels.
For risk and compliance professionals who are struggling to get their arms around data governance associated with conversations on collaboration platforms, it is important to know how business information going across platforms like Slack, Zoom and Teams fits within the enterprise. The following are some elements to consider:
Adapting Records Retention Policies
Companies are using collaboration tools to help facilitate daily business activities, and a significant amount of work has shifted from email to messaging apps, creating another way for employees to share and store business knowledge. In addition, different pockets of the organization often use different specialized apps and platforms for their specific business needs, creating even more challenges for information collection due to varying data structures.
Multiple collaboration platforms, the increase in the amount of data, and the reliance on employees’ use of these tools to complete their daily activities combine to put enormous strain on an organization’s existing records retention policy. Risk professionals will need to work with their technology partners to understand the different communication types in each collaboration tool as the business value and requisite retention requirements may not neatly fit into the legacy data retention policy, particularly as it concerns email. For example, the business value of a direct message is likely different from posts to a channel or group, which will be further impacted by whether the communication is publicly available to a large part of the company or private. Retention policies for collaboration platforms will need to be more nuanced to ensure compliance while not discouraging use of these tools.
Managing Electronic Discovery
In the past, organizations could rely on email tools to assist in their efforts to identify and collect electronically stored information for legal proceedings, otherwise known as electronic discovery or eDiscovery. Standard email tools assist in locating relevant data as well as reducing the amount of data via records retention or deletion processes. Modern collaboration platforms complicate this, however, as they allow users to create different types of messages in different formats.
For example, millions of messages and conversations happen on Slack as either direct communications or as part of a channel where groups of employees can view and respond. In the event of litigation and required eDiscovery, seemingly casual conversations in a business communications channel will need to be reproduced. As plaintiffs’ counsel and regulators become more familiar with these tools, it is important to note that companies will see an increase of such requests related to litigation or regulatory processes.
It is essential that your eDiscovery team stays up-to-date on the collaboration platforms used and any new features or functions to ensure they can respond to a data request promptly and completely. By receiving regular updates on the adoption of new tools as well as utilization of existing tools, you will have a better understanding of where your company’s business records are located so you can find them when needed for litigation or an investigation.
Addressing Regulations and Obligations
In addition to the general risks, companies in certain industries have their own unique sets of security mandates and regulatory obligations based on the type of data involved. The pandemic accelerated employees’ adoption of collaboration platforms faster than anticipated. As a result, many different types of data were quickly shared and stored on these tools before controls could be implemented. This could include credit card data, health data, financial data, or even confidential data associated with a merger, investigation or legal guidance.
Risk professionals should partner with technology teams to implement internal data detection tools, potentially including existing data loss protection tools, to identify the types of data employees are sharing on collaboration platforms.
Companies should then take a two-pronged approach: First, determine if the platform has the necessary controls for the data so business leaders can make appropriate risk decisions. Second, determine why the data is being entered into the tool in the first place. Front-line employees may simply be trying to support their customers and have no easy alternative available. For example, employees may use the collaboration tool as a kind of Post-it note during a customer call to keep information handy and avoid physically writing it down. If the company uses a data control tool to identify and delete or even prevent this usage, then the employee will either use another unapproved tool or write it down on a piece of paper and throw it away. Learning how and why employees use the collaboration tool is critical to supporting your employees in doing their job.
Understanding the Enterprise Collaboration Ecosystem
As the domains of legal, IT security and compliance overlap, every risk professional needs to be familiar with their organization’s overall collaborative infrastructure to understand the basics of what can be done in each tool and how it can be governed and secured. This will allow for greater understanding of how your enterprise meets specific data security requirements and follows any applicable regulatory mandates. It will also provide insight on how data from various business communications is collected, structured and normalized for things like eDiscovery. You may be surprised to learn what data the organization considers important enough to retain and what is discarded as irrelevant.
The goal for organizations is to promote adoption and return on investment for collaboration tools while ensuring the data is managed, controlled and secure. Managing email continues to present new complexities due to the volume and variety of content to manage. Established email data retention policies offer a starting point, but can often conflict with the way employees use the platforms and result in losing valuable business context, creating even more confusion around compliance in the workplace.
As organizations update data governance measures to account for the use of collaborative platforms, they must look ahead to the future. While email has been the business standard for decades, the proliferation of collaboration tools shifts the dynamics of workplace communications. Allowing people to communicate freely over these platforms has proved indispensable for work productivity throughout the pandemic, and they will remain part of everyday business processes for the foreseeable future. Having implemented these platforms, the next task for companies is establishing the proper compliance checks to manage the resulting volume of unstructured data. Moving forward, it is critical to adopt a broader view of data governance in the digital workplace and establish necessary procedures to ensure security and compliance.