No Better Time Than the Present: Information Governance

Covid-19 brought an incredibly rapid change in how and where work was performed for organizations and employees worldwide: from office to home, and now into a predominantly hybrid environment. With several years of working differently behind us, we are going to discuss the significance of an organization’s Information Governance program and related practices.

While Information Governance as a formal discipline is relatively new, the underlying principles are not.  It has always been a best practice for an organization to know what information it creates or collects, where that information is stored, and who has access to that information.  Historically, organizations needed to know these things so that they could access information efficiently to make optimal business decisions.  While this still stands as a driver for a strong Information Governance program, today’s drivers also include reducing storage, litigation, cybersecurity and data privacy costs and risks.

A strong Information Governance program is one that has been developed with the needed stakeholders and that focuses on realistic policies based on the intersection of your organization and best practices, well-designed technology, and an employee-focused change management program. Such a program does take time, cost money, and require both internal and, often, external resources. Much or all of the work can be done internally, with dedicated Information Governance resources, a roadmap of projects to achieve Information Governance maturity, and, perhaps most importantly, executive sponsorship and support. Realistically, it could take many months or years to fully implement the proper processes, technology and other elements of a mature program.

But the benefits cannot be overstated. Imagine an environment where all (or even the majority, for the sake of this article) of the information and data either created or received by your organization is known and documented (the what). Further, where this information and data enters the organization, is stored, and leaves the organization is also understood and documented (the where). The methods by which this information is created, received and transmitted (the when and how), who has access to the information internally and receives it externally (the who), and for what reasons (the why) are all also understood and documented. While this may seem overwhelming, or too aggressive, this should be the ultimate goal of your Information Governance program.

Why is it necessary to strive for this much rigor in understanding your organization’s information? How do you know, when you receive notice of a lawsuit, that you are gathering and reviewing only the responsive information that you are required to? How do you know that the information you turn over to opposing counsel, or to the agency performing an investigation, doesn’t contain documents that should have been disposed of according to your Retention Schedule? How do you know, when you respond to a Consumer or Data Subject Access Request, that you fully understand how you receive information, the purposes for which it is collected, and that you are only retaining it for the needed period of time? How do you know what shadow IT technologies your employees are utilizing because there are too many layers of unusable security measures in place for them to perform their job? (I’m not suggesting that security is bad, absolutely the opposite, but I am suggesting that it has to be usable and people need to be properly trained.)

So where do you start? Your first step is two-fold. First, determine who your Information Governance sponsor is: the person who takes responsibility for the success of the program and will provide both necessary guidance and needed resources to the various projects that will need to be undertaken. Equally important, determine who makes up the wider net of your key internal stakeholders. This will almost always include Legal, Compliance, IT, and resources from your Business Areas. Charge them with understanding the corpus of the information they either create or receive. This provides the basis of your data map, and also the opportunity to analyze the information on a risk matrix, focusing on the volume of information and type. Determine what projects are needed to properly address the highest risk information, but don’t overlook opportunities to address quick wins. Ensure you have people at the ground level in every area of your organization who not only understand their business area’s information, but also receive extra training on proper retention, disposition, legal holds, access, technology, security, and other key topics.

Covid highlighted the need for organizations to fully understand the world of their information, and the above provides the framework for launching or maturing your Information Governance program. While we are still reevaluating where we work, it is the perfect time to also reevaluate how we work.

Senior Manager at Consilio