7 Ways To Avoid Information Governance Pitfalls
Information governance practices must be updated as laws, technologies, and business models change. Here are seven ways to make sure you're governing your data effectively.
The governance of information and data isn't a subject that only regulated companies need to worry about. Businesses, regardless of their size or the industry they're in, need to understand how they store and use data, and whether that use adheres to their own privacy policies and complies with any regulatory mandate. Without formal data governance, companies are managing the associated risks by default.
"Some organizations don't know where to start, so they bury their heads in the sand hoping it goes away, or they'll wait until they get burned and then they'll do something," said John Isaza, a partner at Rimon Law, in an interview. "And if they get burned, they may say we need to get burned again to see a pattern."
High-profile incidents, such as the Target and Ashley Madison hacks, raise awareness of the problem but tend not to change the way individual companies operate, unless perhaps a direct competitor was breached. Even then, little if anything may change.
"It's not a question of if you'll have a data breach; it's when you'll have a data breach. We tend to forget that inadvertent data disclosure has a lot of problems with it, and it's a big portion of why these problems come up," said David Horrigan, e-discovery counsel and legal content director at e-discovery software provider kCura, in an interview. "Carelessness really has to be part of a governance policy."
Who is in charge of data governance varies depending on the size of a company, the industry it serves, and internal considerations. The players typically include some combination of IT leadership, business leadership, the chief security officer, the chief privacy officer, the records information manager, someone from the general counsel's office, and the person responsible for compliance.
"The justification for a team comes when you realize you're keeping a lot of data, you need to protect the data, quickly find the data, and make sure you know when you can get rid of the data," said Richard Lutkus, a partner at law firm Seyfarth Shaw, in an interview. "Once things get too hard for people to manage on their own, companies start looking at better ways to organize their data as they're implicated in more lawsuits."
Data governance is sometimes relegated to the IT team, especially when it is viewed in traditional IT terms. In fact, there is a debate about whether information governance and data governance mean the same thing or not -- and the explanations vary.
An Association of Information and Image Management blog describes information governance as "the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives." Data governance is defined as consisting of "the processes, methods, tools, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate."
Semantics aside, neither data governance nor information governance alone is sufficient. We present some considerations that apply to both. After you've reviewed these, tell us about your own data governance experiences. Is your organization sticking its head in the sand, or leading the charge in good data governance practices? Tell us all about it in the comments section below.
Developing effective data and information governance policies takes time. It's an evolving process. Like any other business or IT endeavor, reaching the desired end is easier if the current status, the goal, and the steps necessary to meet the goal are defined, agreed to, supported, and acted upon by the stakeholders.
"You need to conduct an assessment of how the information is being managed throughout the organization, taking into account the governance principles that pertain to the integrity, disposition, retention, and availability of the data, as well as compliance requirements and accountability," said Rimon Law partner John Isaza.
Assessing weaknesses is the obvious starting point, but Laurie Fischer, managing director at Huron Legal, suggests a formal "SWOT" analysis (strengths, weaknesses, opportunities, and threats) of the kind commonly used in business and product planning. "Having an open dialogue about what we're doing right in each of the disciplines, what we could be doing better, what would allow us to govern information better, and what are the threats [helps us] come up with a streamlined strategy."
Information and data governance policies can affect the business positively and negatively. Unless the policy is designed with the needs of the business and its customers in mind, its value is uncertain.
"It's really important to understand early on what your business objectives are for doing this. It may be you want to improve the first-time resolution of customer queries, or that you want to reduce waste in the manufacturing process. [Regardless,] it's important to have that insight from the beginning so you can prioritize and measure progress," said Tim Jennings, chief research officer at global advisory firm Ovum. When data governance has a purpose, it can be measured against outcomes. Companies are more likely to get engagement if they seek assistance on a business level, as in improving customer inquiry turnaround times, as opposed to improving data quality scores.
There is also the issue of business value. Governance does not contribute directly to revenue the way a new product or service might. Compliance comes at a cost, but so do the regulatory fines and litigation that can follow from non-compliance. "If you don't know what the goal of your big data project is, then you don't know the business value of the information you are supposed to be collecting, which means you can't place a value on governing that data," said Jake Freivald, VP at business intelligence solution provider InformationBuilders, in an interview. "If you can't place a value on governing that data, then you're not going to get funding for data governance. You'll over-govern some things and under-govern others, and you won't have a plan."
Information and data governance collectively require multiple types of expertise and generally involve people from multiple disciplines. You'll need expertise in IT systems, business domains, security, privacy, compliance, records management, and legal. The group may be chaired by the CIO, chief data officer, chief information governance officer, or another individual who has the authority to make a final call and can be held accountable.
"Sometimes data governance lacks a single source of accountability. Therefore, you could suffer from a lack of leadership and uncertainty about the roles and responsibilities. That's a critical first step," said Robert Scott, managing partner at law firm Scott & Scott, in an interview.
Information and data governance policies can't be followed unless they've been defined in the first place. If there are missing pieces, serious problems can arise. For instance, in the electronic design automation space, Synopsys sued Magma Design Automation for patent infringement, which cost Magma $72 million. Of that sum, $30 million to $40 million was spent tracking down information that was demanded as part of the litigation. The companies settled the lawsuit out of court, and eventually Synopsys acquired Magma.
"If we'd had everything from email policies to data retention policies done from day one, we could have saved a lot of bills," said Rajeev Madhava, chairman of data-centric compute and storage virtualization solutions provider Robin Systems, and former chairman and CEO of Magma. "When we got sued in our eighth year, we had documents pretty much from the day of formation sitting in old machines, and no one had any idea what was in there. Fifty-five lawyers spent six months trying to figure out what we had."
The generally accepted records-keeping principles defined by professional association ARMA International include accountability, transparency, integrity, data protection, compliance, availability, retention, and disposition. ARMA also developed the Information Governance Reference Model, which complements its record-keeping principles and includes five levels of maturity. Data governance principles have been defined by the Data Governance Institute. They include integrity, transparency, auditability, stewardship, checks and balances, standardization, and change management.
Disconnects between policy and implementation are common. The policy may have been written a while ago. It may not have been updated, and perhaps nobody is following it. Then an incident occurs.
"Anytime a plaintiff's attorney can establish that an incident resulted because a company failed to follow its own policies, it's an easy case to win. While it's prevalent, it's concerning because that policy is going to be Exhibit A in a lawsuit if there's an incident involving data security or privacy," said Robert Scott, managing partner at law firm Scott & Scott. "The implication is you're negligent if you didn't follow your own policy."
It's important to understand the data that's being collected, where it's stored, for how long it's been stored, and how it's being used. "People are having successes in one or even several places so they'll do a good project, but they fail to have that as a repeatable process," said Tim Jennings, chief research officer at global advisory firm Ovum. "I tell clients that, as part of corporate governance, you need to make sure you have the right data governance program in place, but I see that happening rarely at the moment."
One reason information and data governance policies are less effective than they could be is that there is no reward for complying with them, and there are no consequences for failing to comply with them.
"These policies are often shown to a new hire in initiation training, where they are told 'You need to read this and abide by it.' If employees read it, even fewer follow it," said Richard Lutkus, a partner at law firm Seyfarth Shaw. "Putting a policy forth without enforcement or an implementation plan happens all the time. Policies change but practices don't, so it's just a piece of paper."
One way to enforce policies is to build compliance into systems and processes, which can be effective or ineffective, depending on how it's done. If it's done well, an organization can accomplish its information and data compliance goals without overly burdening everyday work tasks. Sadly, systems are often implemented without understanding the impact they will have on business productivity and, more specifically, on how people in the organization work. Because work tasks become more cumbersome than they once were, employees tend to look for workarounds. The workarounds may include circumventing the system or compromising the effectiveness of the system through misuse, as in choosing a default or convenient -- but erroneous -- value in a pull-down menu of options.
Laws, regulations, statutes, and technology are constantly changing, which is why governance is an ongoing process. It's important to understand the changes, as well as how they affect the business, its customers, and any governance policies. The complexity of it all can be very difficult to manage, especially using only in-house resources.
"In the US alone, there are [more than] 20,000 laws that have something to say about how long we keep certain information or that imply how long we have to keep it. Go outside the US and multiply that 20,000 manyfold. Keeping on top of that is challenging, but it's definitely a requirement to comply with the law," said Laurie Fischer, managing director at Huron Legal.
Apparently some private companies are treating regulatory items differently than in the past as a matter of brand reputation. "It used to be, 'Let's do what the regulations say and leave it at that' -- the bare minimum because it comes at a cost," said Kristoph Gustovich, VP of hosting and security at enterprise legal management provider Mitratech. "Now, people are saying the bare minimum is not good enough. If that data were to get out, my brand would be at risk."