7 best practices for information governance

Information governance is the set of rules used to control the creation, management, storage, and ultimately disposition of data within an organization. It governs data from paper files, phone records and voicemails to electronic data such as emails, spreadsheets, word processing documents, presentations, database records and new types of electronically stored information (ESI).

As a definition, this works well, but in practice it doesn’t necessarily tell you how to move from identifying the need for IG to having an effective and functioning set of policies and procedures. Fortunately, at Exterro eDiscovery Basics we dig a little deeper, looking at some challenges you might face in your IG program, as well as some tips on how to get started.

Recently, with the advent of new data privacy laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it is also important to consider how your IG policies and procedures interact with your data inventory. These two concepts are essentially interchangeable these days and, unfortunately, privacy regulations are accelerating around the world, creating new risks. So let’s talk about some of the best practices you should keep in mind when designing your IG plan and how it interacts with your organization’s data map.

  1. Create a cross-functional team. Information governance policies should reflect the needs and goals of all stakeholders, not just legal and IT departments. This includes groups such as compliance, risk management, human resources, data privacy, information security, and the various business units in your organization. Each of these groups must be present from the planning stages. They must have a say in defining the risks, metrics and benchmarks to facilitate a successful Legal, Risk and Compliance (GRC) governance strategy, which is critical to the success or failure of any IG program.
  2. Perform a comprehensive data audit and establish a data inventory. Before creating an IG framework, you need to understand the data your organization currently has. Individual business units will be familiar with the major data sources they use, but effective IG policies and procedures take everything into account: backup tapes, legacy or obsolete technology and software, and data archives. It also means mapping this data and creating a data inventory; your organization’s data map is the most critical component to success with new data privacy regulations such as GDPR and CCPA.
  3. Carefully evaluate legal and regulatory requirements for data retention. In many industries, certain types of data must be retained for set periods of time, while other records (for example, human resources information) may be subject to requirements of state, federal, or local regulatory agencies. Your policies and procedures need to account for all of these regulations, so it’s essential to understand them all, as well as have a way to track any changes that occur in them. While the GDPR is the only major privacy law to offer standards for retaining consumer data, it’s a good idea to defensibly delete what you don’t need, both to avoid potentially negative outcomes in the event of a dispute during the discovery process and to mitigate the risk of consumer data breaches or non-compliance with a consumer data request.
  4. Prioritize data map maintenance and enforce retention policies. Understand what the most pressing issues are for your organization, then develop policies that address those critical areas first. These issues should surface as you audit the data and assess your legal obligations, so this step should follow naturally. As we mentioned earlier, compliance success or failure usually starts with data, and maintaining an up-to-date data inventory is the best way to know what you have. If you’ve accumulated a pile of never-used backup tapes, develop and implement a defensible deletion policy or, more seriously, enforce what’s already in place if the procedures seem solid but just aren’t being carried out.
  5. Train employees and break down organizational silos. While a steering committee of stakeholders is responsible for defining your organization’s IG policies and procedures, ultimately the success of the program depends on employees following through on the plan. For that to happen, you need to train your employees, and they need cross-functional knowledge, since being a good data steward is part of their job. For example, employees on the data subject access request team should know their own role, as well as how the whole process works and what is critical to its success. They must understand the policies and follow the necessary procedures on a daily basis, and they must have access to the technology that will help them accomplish their tasks. A key part of making sure the training works is clarifying the “why” of the program; this is what will motivate employees to change the way they do their jobs.
  6. Enforce compliance. Even if you create policies and train employees on them, you will not achieve 100% compliance. People revert to old habits, even when they want to change. You’re not looking to trap people in non-compliance, but you do need to measure compliance and put corrective actions in place when issues arise. So establish the consequences before you need them, then perform random, periodic employee compliance audits and follow up if something goes wrong.
  7. Measure results. Define the metrics you will use to demonstrate the success of your IG project from the start, before implementation. Metrics should match both your organizational goals and the types and amounts of data you have within your organization. As more legal directors and general counsel become aware of the growing challenges they face in legal GRC, we are starting to see more data on how they measure results in their own organizations. Read the results of Exterro’s 2020 Corporate Legal Leaders Survey for more insight.

By Joe Mulenex