The Practitioner’s Guide to Information Governance

Over a year into the COVID-19 pandemic, businesses that were already beginning their digital transformation have sped up their efforts even more.

Companies have been forced to increase spending on digital transformation in order to cope with a myriad of pandemic-related challenges. Many companies scramble for new ways to manage the data they create: according to a 2020 report from McKinsey, 34% of organizations have experienced an increased migration to the cloud and 37% have increased spending on data security as a result of Covid-19.

All that change lead to increased understanding of the vital importance of information governance, but most companies are still figuring out how to manage this new influx of data. Information governance presents its own unique challenges: companies need to be even more proactive with how they use new technologies and best practices to manage the sprawl.

Your company needs a firm grasp of what this governance entails, as well as clear and effective strategies for content management, information security, risk mitigation, and regulatory compliance. Without a solid information governance program, companies risk missing business opportunities, running afoul of government regulations, and opening themselves up to unnecessary security risks.

What is information governance?

At its most simple, information governance is the framework that guides how organizations manage information. But in a digital-first, cloud-based business ecosystem, information governance goes beyond managing physical records, like devices or printed documents. It includes policies for the creation, usage, storage, archiving, and valuation of digital assets, risk assessment, compliance, data governance, and information security, as well as defining policies and standards for the company as a whole.

Information governance encompasses security concerns and regulatory compliance. That includes legal compliance with data laws like the GDPR and California’s CCPA as well as more industry-specific regulations like HIPAA, PCI-DSS, GLBA But effective information governance also helps businesses use information as a resource for business planning: at its core, information governance is about balancing the safety of keeping data with the value that data can provide.

ARMA International, the association for information professionals, defines several core principles for a successful information governance program:

• Accountability: a senior executive will be responsible for overseeing information management.
• Transparency: information governance practices and policies will be open and verifiable.
• Integrity: the program will be constructed so that information has a reasonable guarantee of being authentic and reliable.
• Protection: information governance will protect information that is private, proprietary, secret, or confidential.
• Compliance: the program will be set up to ensure legal compliance with applicable data protection laws and regulations.
• Availability: companies will use information governance to keep information retrievable in a timely and efficient manner.
• Retention: companies will maintain information for the appropriate amount of time.
• Disposition: conversely, companies will have processes in place for the secure disposal and archiving of information after it no longer needs to be kept.

More and more, businesses of every size are increasing the amount of resources they invest, with 47% of organizations worldwide reporting a significant priority shift for cyber security. Your company’s information is spread across multiple locations, devices and platforms every day—information governance helps mitigate your risk to breach or attack.

When crafting their information governance plan, companies need to take several different areas into account: content and data management, information security, risk mitigation, and regulatory compliance.

Strategies for content and data management

Modern companies generate petabytes of structured and unstructured data. That’s 1,024 terabytes or 1,125,899,906,842,624 bytes if you want to get granular—the equivalent of taking 4,000 digital photos every day for your entire life. And the amount of data generated each year continues to increase. Analyzing and using that data effectively can help your company make better business decisions and maintain a competitive advantage.

Strategy 1: Analyze big data for better decision-making

Analyzing big data—data that’s too vast and complex to be analyzed by humans—can generate tremendous insights for your business, including information about customers, internal processes, and resource allocation, to name a few. Creating centralized repositories for fractured data can help you make better and more profitable business decisions.

Strategy 2: Make collaboration easy

Powerful information governance keeps data secure without hindering collaboration: your employees need to be able to access the files they need, share resources with their team, and communicate quickly, all without putting the information they handle at risk. Creating information governance policies that allow for secure, convenient collaboration can boost productivity and keep employee frustration low.

Strategy 3: Use smart content governance

Machine learning and automated governance can help you wrangle your company’s information, especially harder-to-sort unstructured data. Smart content governance allows you to automatically find and secure sensitive data and monitor unusual user behavior at the same time.

Strategies for information security and risk mitigation

Employees working remotely access information from more points than ever before, which adds security risks. Information governance helps mitigate those risks without hindering work processes for your team.

Strategy 1: Conduct regular audits

Regularly audit who has access to secure information and how that information is accessed to limit possible breaches. It’s important to limit access to important or sensitive information in order to keep your data secure; employees change roles or move on to other companies, responsibilities shift, and priorities evolve, all of which can change which permissions make sense.

Strategy 2: Protect the data at the source

Firewalls and external security can help keep your information safe from outside threats. But often, incursions happen when the security of a single user account is compromised. From there, the outside attack will look for ways to gain lateral movement insight your corporate network. With these newly acquired credentials, they’ll look for ways to obtain admin privileges for increasingly sensitive repositories. Plus, information is now spread across many devices and platforms. To mitigate both of these risks, security should be built into the content environment itself.

Strategy 3: Manage the information lifecycle

Understanding and managing the information lifecycle can help you define where sensitive data is kept and retain or archive sensitive data automatically to reduce the risk it poses. Keeping information for an indeterminate amount of time exposes your company to unnecessary risks. But that doesn’t mean information should be archived or deleted immediately either: information can be valuable for set lengths of time, and regulations require that companies retain data for legal compliance.

Strategy 4: Minimize data

Unchecked data leads to unchecked risk: wherever possible, minimize the amount of data your company keeps long-term. That means reducing your company’s overall information footprint, automatically reviewing information to see what can be securely disposed of, and deleting old and outdated data. Minimizing data can also help manage storage costs and optimize data processing.

Strategies for regulatory compliance

More and more countries are putting data protection regulations in place, and ensuring regulatory compliance with local and national regulations is a big part of information governance. With the amount of information that modern companies handle, conforming to different laws can quickly become a headache. It’s important to have clear systems in place to make compliance as easy and efficient as possible.

Strategy 1: Work from the inside out

Build compliance into your information governance from the beginning, when information is generated or acquired, rather than treating regulatory compliance as the final box to check. This allows you to create an information retrieval process that can quickly and easily deal with requests, like a subject access request (SAR) under the GDPR, for example.

Strategy 2: Set automatic retention periods

Set automatic retention periods for information to make it easier to comply with regulations—which often require safe disposal or archiving. It’s both costly and risky to continue storing information once it’s no longer necessary. Plus, managing the information you do have becomes easier as the overall volume decreases.

The importance of company-wide buy-in for information governance

One of the biggest challenges for successful information governance can be getting buy-in from stakeholders at all levels of your company. It’s important to have an information governance champion on the executive team responsible for leading initiatives, but it’s also important for your entire workforce to understand the importance of information governance in order to create a successful and secure information culture at your company.

‍