Best Practices for Implementing an Effective Information Governance Strategy
The collection of rules used to oversee the production, administration, storage, and eventual dispose of data inside an organisation is referred to as information governance. It governs data ranging from paper files, phone records, and voicemails to emails, spreadsheets, word processing documents, presentations, database records, and new sorts of electronically stored information (ESI).
It’s a good term, but it doesn’t always explain how you get from recognizing the need for IG to having a set of policies and processes that operate. Fortunately, Exterro’s Basics of E-Discovery delves a little deeper, examining some of the problems you may have in your IG programme as well as some pointers on how to get started.
With the introduction of new data privacy legislation such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), it’s also crucial to think about how your internal rules and procedures connect with your Data Inventory. These two notions are now basically interchangeable — and, sadly, privacy restrictions are speeding over the world, posing new problems. So, let’s speak about some best practices to bear in mind while creating your IG strategy, as well as how it relates to your company’s data map.
Create a multidisciplinary team. All stakeholders, not only legal and IT, must be represented in information governance and compliance policies. Compliance, risk management, human resources, data privacy, information security, and your organization’s many business divisions are all part of this. All of these groups must be present from the beginning of the planning process. They must have a say in identifying risks, metrics, and criteria to aid in the development of a successful Legal Governance, Risk, and Compliance (GRC) strategy, which is important to the success or failure of any IG programme.
Conduct a full data audit and create a data inventory. Before you can design an IG framework, you must first determine what data your business presently possesses. Individual business units will be familiar with the primary data sources they employ, but successful IG policies and procedures account for everything: backup tapes, old or retired technologies and software, and data archives. This includes mapping out that data and creating a data inventory; your organization’s data map is the most important component to success with new data protection requirements like the GDPR and CCPA.
Examine the legal and regulatory obligations for data retention with care. In many businesses, some types of data must be kept for specific lengths of time, while others (such as human resources records) may be subject to state, federal, or municipal regulatory obligations. All of these requirements must be accounted for in your policies and processes, so it’s vital to know them all and have a way to track any changes. While the GDPR is the only major privacy regulation with consumer data retention rules, it’s a good idea to defensibly delete what you don’t need, both to avoid potentially unfavorable lawsuit results during the discovery process and to reduce the danger of customer data breaches.
Maintaining data maps should be a top priority, and regulations regarding data retention should be followed. Recognize the issues that are most important to your company, and then create policies that address those concerns first. This stage should occur organically when you audit data and evaluate your legal requirements. As previously said, data is the most important factor in determining compliance success or failure, and keeping an up-to-date data inventory is the greatest method to know what you have. Develop and execute a defensible deletion strategy if you’ve collected a stack of never-used backup tapes — or, if the processes appear to be sound but aren’t being followed, more strictly enforce what’s currently in place.
Dismantle organisational silos through training people. While developing your organization’s IG policies and procedures is the responsibility of a steering group of stakeholders, the enterprise’s success is ultimately dependent on workers adhering to the plan. To make this happen, you must teach your staff, who should have cross-functional expertise to the point where being a competent data steward is part of their job description. Employees on the Data Subject Access Request team, for example, should be well-versed in their duties as well as the overall process and what is required for success. On a daily basis, they must be aware of the policies and follow the required processes. They also need access to technologies that will assist them in carrying out their responsibilities. Making explicit “the why” behind the programme is an important part of ensuring that training is successful. Employees will be motivated to improve their work habits if they see this as an option.
Carry out the enforcement. Even if you develop policies and train staff on them, you will not achieve 100% compliance. Even when they intend to change, people revert to old behaviours. You don’t want to trap individuals in noncompliance, but you do need to track compliance and have remedial mechanisms in place if problems arise. Create repercussions before you need them, and then perform random, periodic audits of employee compliance — and follow through when there’s a problem.
Analyze the outcomes. Prior to execution, define the metrics you will use to show success in your IG project. The metrics should be in line with your organization’s aims as well as the types and volumes of data it collects. As more General Counsel and Chief Legal Officers become aware of the growing Legal GRC difficulties they face, we are seeing more data on how they are assessing success in their own firms.
Check out information security governance risk and compliance for a different viewpoint on how to get started with information governance in your organisation.
Read More — Information Governance Essentials
