Information governance (IG) plays an increasingly significant role of the way corporations do business. But what do organizations do with all their data? Where do they store it—and is it secure, well organized, and accessible?
According to the 2023 Data and Analytics Leadership Executive Survey by NewVantage Partners, 94% of organizations plan to increase their data investments in 2023, yet only 40% of organizations have well-established data policies and practices. In other words, organizations may be spending more on data without planning for how they’ll manage it.
To avoid that trap, you need a solid IG strategy to ensure that your data is accurate, secure, and reliable and that its benefits outweigh its potential liabilities.
This post covers everything you need to know about IG, from a basic definition and the benefits of adopting an IG program to some examples of laws that organizations may need to comply with and the challenges of managing IG. We’ll wrap up with five best practices for adopting an efficient information governance strategy and a discussion of how information governance software can help.
What is information governance?
Information governance is an umbrella term that describes the way an organization manages its data, encompassing the principles, policies, and procedures the organization uses to decide who can do what with growing corporate data volumes. In other words, IG is an accountability framework that organizations use to ensure that they responsibly create, store, use, preserve, and delete information.
The primary goals of information governance are to:
· ensure the proper use and handling of data,
· help an organization achieve its business objectives while avoiding risks, and
· comply with applicable laws and regulations.
Information governance is a close relative of data governance, but there are several key differences between the two.
How does information governance differ from data governance?
Information governance is broader than data governance. Data governance focuses on ensuring that an organization’s data or digital assets are accurate, secure, and compliant. IG, on the other hand, encompasses all of an organization’s information assets, in whatever form they may be in, including physical records. IG also has a broader aim than data governance: to further an organization’s overall business objectives while mitigating associated risks.
So, why is IG such a big deal?
Why is information governance important?
Information governance is crucial to an organization’s success because it helps the organization organize and safeguard the information it stores. Information is an incredibly valuable business asset in today’s world, and organizations must take proactive steps to manage and protect their data assets if they want to get the most out of them.
Improper data use or storage can also pose a huge liability, especially when that data contains people’s personal information. Therefore, IG is key to insulating organizations from regulatory investigations, lawsuits, and fines.
The best way to consistently apply IG principles throughout an organization is to adopt a comprehensive information governance framework.
What is an information governance framework?
An information governance framework or program is the overall approach an organization takes to managing and protecting its information. The Information Governance Reference Model (IGRM) illustrates how an organization can conceptualize and design its IG framework.
The IGRM presents an IG implementation model as the shared responsibility of an organization’s business, legal, and IT departments.
Regardless of how an organization structures its information governance framework, the framework should:
· define the scope of the information it covers;
· outline the roles and information governance responsibilities of people throughout the organization, including data custodians;
· include policies and procedures based on information governance principles; and
· establish a mechanism for reporting information breaches, loss, and recovery.
Why should organizations go to the trouble of adopting an IG framework?
The benefits of implementing an information governance program
Given the large volumes of information that businesses generate, information management can very quickly become overwhelming. Implementing a comprehensive IG program helps organizations streamline their approach to information management and gain confidence in how they manage their data. With a strong information governance program, organizations can:
· ensure data quality, accuracy, and reliability (for business continuity as well as electronic discovery purposes);
· maintain continuous business operations;
· guarantee the proper handling and effective and efficient use of sensitive data;
· improve data security and risk management of data breaches; and
· avoid regulatory investigations, actions, and fines.
Data security in particular is becoming a major concern for organizations—and information governance is a key element in improving it.
How information governance can improve data security and prevent data breaches
Strong information governance helps organizations improve their data security and prevent data breaches by creating and enforcing security controls. These measures can include:
· controlling user access to certain information,
· adopting policies regarding the use and disclosure of information,
· encrypting data, and
· continuous monitoring for potential risks.
Misuse of information and security breaches are increasingly concerning for organizations given the sheer volume of information they have to protect, the rise of the black market for personal data, and the increase in data privacy laws around the world. While organizations can’t control these factors, they can achieve regulatory and legal compliance by strengthening their information management practices.
The main laws and regulations that information governance can help organizations comply with
Information governance can help organizations avoid costly compliance and regulatory issues, but it’s not one size fits all. There are many laws, rules, and regulations that organizations may be subject to. Here are a few examples
The General Data Protection Regulation (GDPR)
The GDPR protects EU citizens’ personal data. It gives data subjects the right to request their information from organizations that hold it or to have their data “forgotten” by those organizations. The GDPR also requires organizations to adhere to strict cybersecurity and other requirements.
The California Consumer Privacy Act (CCPA)
The CCPA protects California residents’ privacy rights. It gives data subjects the right to request their information from organizations that hold it, to opt out of having their personal information shared or sold, and to have a business delete their personal information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is best known for its Privacy Rule, which protects information that contains individuals’ health information and their personally identifiable information. The Privacy Rule only applies to covered entities, such as healthcare organizations.
The Foreign Corrupt Practices Act (FCPA)
The FCPA bars organizations from bribing foreign officials to advance their business interests. Although the FCPA doesn’t regulate data specifically, an organization must be able to quickly and thoroughly review relevant information to cooperate with sudden investigations and respond to large-scale regulatory requests, which demands strong IG.
Organizations may also be subject to regulatory reporting requirements established by federal agencies such as the Securities and Exchange Commission (SEC) or the Environmental Protection Agency (EPA). Because there’s so much variability in the laws, rules, and regulations that may apply to an organization depending on its general industry and specific business, each organization must tailor its information governance policies and practices to ensure compliance. Here’s how.
How organizations can ensure their information governance practices comply with data privacy laws and regulations
Regulatory compliance requires modern corporations to do all kinds of things, from responding to data subject access requests (DSARs) to monitoring and complying with various regulatory reporting requirements. Organizations can ensure that their information governance practices are compliant by:
· understanding the laws and regulations that apply to them,
· implementing policies and procedures that govern how each department in the business handles information, and
· monitoring for changes in the regulatory structure that governs them and updating their IG policies accordingly.
Information governance sure sounds like a full-time job, doesn’t it? For some, it is.
Who manages information governance and applies generally accepted recordkeeping principles within an organization?
Some organizations appoint a chief information governance officer (CIGO) to implement and maintain a system for IG and records management. But often no single person is responsible for enforcing an information governance program or ensuring compliance with the organization’s generally accepted recordkeeping principles.
Regardless of whether an organization has a CIGO, a comprehensive information governance program requires an interdisciplinary approach involving other stakeholders throughout an organization. As the IGRM suggests, those stakeholders include leaders from an organization’s business, legal, and IT departments.
Let’s turn to some of the challenges these stakeholders often face.
Common challenges of information governance and records management
In theory, information governance is a fairly easy concept to grasp. In practice, however, IG can present many challenges, including:
· the volume of information and range of information types that most organizations store;
· the range of locations in which that information may be generated or found;
· time and budgetary constraints that force organizations to choose which aspects of information governance they will prioritize;
· the constant flux in laws, rules, and regulations that apply to the organization’s data;
· competing interests and viewpoints among stakeholders, who often see information governance very differently based on their areas of expertise; and
· inconsistencies in how the organization handles data, both between departments and as time goes on.
While some of these challenges are unavoidable, an organization can improve the success of its information governance program by incorporating a few key components.
The key components of an information governance program
Information governance programs vary based on the type of information the organization stores, the technology it uses, and which laws and regulations apply. Generally speaking, though, these are the main elements of a robust information governance program:
An organization must understand its information before it can decide what to do with it. An information map provides a complete inventory of the information an organization stores and lists:
- the types of information the organization has,
- the IT and other systems the organization uses,
- all of the places where information is or could be stored (including communication and collaboration platforms such as Zoom and Slack), and
- the relevant data custodians for each type of data.
Records management refers to the way an organization controls its digital and paper documents. It can help an organization determine which records it needs easy access to (such as its corporate financial records and business records) and which records can be archived (such as tax and legal records).
Information lifecycle management
Information lifecycle management describes the oversight of how an organization handles information from its creation through its eventual deletion. The goal of information lifecycle management is to maximize the utility of information while controlling the associated costs and minimizing risks.
Information security and identity and access management (IAM)
Organizations use information security and IAM to protect their information from internal and external threats and mitigate business, financial, and compliance risks. Information security protects information from any unauthorized use, whereas IAM focuses on users’ identities and access permissions.
When an organization faces a legal proceeding, it must provide certain information to its opponent. Well-established eDiscovery workflows ensure that organizations can protect and access that information on demand. Similarly, if an organization is involved in an investigation—either internally or externally—it must be able to quickly and completely gather information relevant to that inquiry.
Knowledge and content management
Knowledge management focuses on how an organization can organize and centrally store its information so it can learn from experience and improve its operations. Similarly, content management refers to the way an organization locates, creates, handles, and delivers content, whether internally or to a broader audience.
Organizations use data analytics—or the review and analysis of data—to identify industry or business trends and inform decision-making.
Ongoing monitoring and review
Information governance isn’t a set-it-and-forget-it endeavor; it’s an ongoing process that requires frequent monitoring and review. Organizations should continually look for potential risks, inconsistencies, inefficiencies, and areas of data and record management practices that need improvement.
Implementing an IG strategy can be overwhelming, but there are ways to make the process go more smoothly.
5 best practices for a more efficient information governance strategy
Here are five ways organizations can improve their information governance framework.
1. Start with a clear idea of the legal and regulatory landscape.
To implement an effective IG framework, organizations must understand the legal and regulatory requirements that apply to them. For example, before deciding what information security principles they should adopt, they should know what security measures are required by the data privacy laws that apply to them. Similarly, they must know how long they are required to retain certain types of information for legal and regulatory compliance before they can adopt suitable retention policies.
2. Foster interdepartmental collaboration.
One way to get stakeholders from different departments on the same page is to create a team that gives each of them a seat at the table. This helps organizations create well-rounded information governance policies and prevents inconsistencies between departments down the road.
3. Provide training.
Sound IG requires the cooperation of people at all levels of an organization, not just the C-suite, the IT team, or specific data custodians. Organizations can get all of their employees on board by providing periodic training on their information governance policies and procedures.
4. Regularly schedule compliance reviews.
As we’ve discussed previously, information governance requires ongoing monitoring and review. Organizations should schedule compliance reviews at regular intervals to see how well their IG processes are working. Then, they can bring any issues to their interdisciplinary team and provide additional training as necessary.
5. Invest in information governance software.
Implementing an IG framework that adequately addresses how an organization handles information is no small feat. Information governance software can automate large portions of the process, illuminating information in a way that manual review simply can’t.
Let’s take a closer look at what IG software is.
What is information governance software?
Information governance software includes any software—locally installed or in the cloud—that organizations can use to understand, organize, and protect their digital information. An organization may use a variety of disparate solutions to manage its IG or a single unified software platform. Whatever approach the organization takes, the software it selects can make or break its information governance program.
Smart organizations look for comprehensive software platforms that streamline information governance workflows and make information management manageable and affordable—like IPRO.
Begin your information governance journey with IPRO solutions
Modern technology can streamline and expedite the IG process, furthering your organization’s business objectives and mitigating risks in less time.
For example, ZyLAB ONE is an eDiscovery platform that allows users to quickly search, review, and analyze large volumes of data across multiple repositories in place, enabling a more efficient targeted approach to data collection. ZyLAB ONE also allows users to easily categorize and organize data sets, deduplicate data, auto-redact information, and securely share information with collaborators.
IPRO’s Live Early Data Assessment (Live EDA) platform also searches and reviews vast amounts of data across multiple repositories from a single interface. The Live EDA platform can quickly provide valuable insights into your organization’s data and information management practices, enabling smart data decisions that save your corporation time and money.
With the help of IPRO’s proven solutions, you can easily improve the way your organization uses and handles information, improving compliance, mitigating risks, and even boosting profits as a result.
Get your free copy of IPRO’s Information Governance 101
Now available as a downloadable PDF, learn why Information Governance is crucial to an organization’s success by helping the organization organize and safeguard the information it stores.