How should we structure our information governance & risk management efforts?
What is information governance?
As digital transformation accelerates, more companies are starting to view data as a strategic asset that must be protected and appropriately managed. To achieve this, many companies are formalizing information governance programs. Formalizing information governance ensures that data is appropriately collected, used, shared, retained and protected.
What is the purpose of information governance?
The purpose of information governance is to establish effective control over a company’s high-value information, which not only reduces risk but also significantly improves organizational productivity and reduces data-management costs.
- Ownership of and responsibility for critical business information is assigned to specific teams or roles, improving data quality, accountability, findability and discoverability.
- Information security and privacy controls for sensitive or personal information and intellectual property help to prevent data breaches, external threats to network security and unauthorized internal access.
- Information integrity is enhanced through direct access to master data, elimination of information silos and reduced data duplication.
- Data reduction, by systematically archiving or deleting redundant, obsolete and trivial information in alignment with industry regulations and operational need, makes it easier to find important or valuable data.
- Accessibility and availability of information are improved by ensuring that data and content are discoverable through classification applied consistently across all information management systems and repositories, according to organizational standards and approved business metadata schemas.
- Regulatory compliance obligations are satisfied through a federated approach to records management that uses consistently applied metadata across content repositories.
What is the difference between data & analytics governance and information governance?
Data & analytics governance focuses on how a business uses data, particularly for analytics. It addresses aspects such as the availability, integrity/quality, timeliness and accuracy of the data. D&A governance addresses regulatory compliance related to the confidentiality of the data, but from a transactional perspective. Information governance looks at the overall data lifecycle across all aspects of data use and data processing in the organization, particularly the volume of data, what you are doing with it, and how long you are keeping it.
What is information security governance and risk management?
Another type of governance that companies should implement is information security and security risk governance. Security risk governance supports effective, risk-based security decision making. When we talk about security risk, this is different from privacy risk. As we’ve commented before, you can have security without privacy but you cannot have privacy without security.
Information governance framework explained:
An information governance framework incorporates the capture, classification, storage, distribution, and preservation of information assets. From a compliance and consumer privacy perspective, it’s mostly reactive in that it encompasses such activities as responding to information requests, such as data subject access requests (DSARs or SRRs) under the GDPR and CCPA/CPRA regulations. It also includes the secure disposal of obsolete data as required by internal company policies and regulatory compliance.
When building a workable and sustainable framework for information governance, it is important to ensure that it is designed to be flexible and easy to sustain so the framework won’t become outdated quickly, the approach fits the business purpose, and the framework advances business outcomes that are focused on the needs and rights of the individual, rather than the data itself.
A good framework should have a flexible execution model and be supported by a key set of involved stakeholders that includes those who create, innovate and drive the organization, as well as those who monitor the organization.
Why is information governance important to privacy professionals?
Information classification and governance is an important pillar of privacy program management that includes creating, maintaining and enforcing standards and processes to govern information collection, use, sharing and retention.
What is an information governance plan?
Information governance helps organizations ensure the effective and efficient use of information.
An information governance plan should address key questions: what business value will be delivered, how will it be delivered and how will it scale as priorities change? In today’s rapidly changing digital business environments, any information governance plan must involve multiple stakeholders and be built with flexibility in mind so that it can be adapted and changed to address future changes in priorities as they arise.
Why is information governance important?
Information governance is a critical framework for any company that relies on a high volume of data to run its business. With the advent of digital transformation over the past few years, attention on information governance has risen in importance. According to analyst research, nearly two thirds of legal, compliance and privacy leaders identify information governance as an important priority for the board of directors.
Is information governance a legal requirement?
In a nutshell, no, information governance is not strictly a specific legal requirement. However, it makes very good business sense and should be the foundation for many types of governance and compliance. For instance, information classification and governance is a pillar of strong privacy program management that includes creating, maintaining and enforcing standards and processes to govern information collection, use, sharing and retention. It also comes into play in supporting data subject access requests in a manner that is compliant with regional data privacy regulations. Poor information governance can lead not only to penalties but to loss of reputation and consumer confidence.
How do you implement information governance?
In order to implement a sustainable information governance program, it’s important to focus on delivering actual business value as early as possible. While many companies believe they must build a full data catalog first, at 2B Advice we recommend beginning with a high-level assessment or gap analysis to get an overall idea of the priority areas of focus. Implement in phases and keep your approach flexible to address specific areas of need. Think about where you are today and where you need to be. It might make sense to quickly identify obsolete data so you can delete it and focus on high-value data more easily. Or perhaps you need to prepare for a cloud migration, a new data privacy regulation, or expansion into a new region. By focusing, you can achieve business value and high-value organizational outcomes faster. Keeping your framework flexible will allow you to drive results more easily and ensure your framework can evolve and scale with the business.
Who is responsible for information governance?
Information governance is not typically owned by a single person since it touches almost every area of the business. Executive leadership should establish and maintain the tone for information governance in their organizations. And in nearly two thirds of organizations this is a board level concern. Legal, compliance, IT, security and privacy leaders must come together to support the information governance framework.
What is an information governance officer?
Recently we have started to see a new role, the chief information governance officer, or CIGO, which reflects the growing importance of information governance as it rises to a board-level concern. This is still a fairly new role and we will monitor how it evolves. This role cannot operate as a single silo and will only be successful if the CIGO has the broad support and ear of all key executives.
In terms of information governance, what is an audit trail?
An information governance audit, or assessment, is performed to determine the level of information governance in a firm. An initial audit or assessment is a good idea to establish a baseline and areas of focus. As discussed above, rather than trying to boil the ocean, a successful framework is a flexible one that prioritizes the areas of focus in order to create business-value outcomes early on.
Once the framework is in place, regular audits ensure that information governance is being maintained. A solid framework includes the processes, roles, policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. The periodic audit ensures all of these are being followed across the organization.
Closing thoughts: What is the ultimate goal of information governance?
The ultimate goals of information governance must be to deliver business value, to maintain that value, and to scale as business priorities change. Data is a top strategic asset for organizations today and must be treated in accordance with its importance to ensure that it is appropriately collected, used, shared and protected. This supports compliance with regulations and protects business reputation.
To learn more about figuring out where you need to start to create an information governance framework, contact 2B Advice today and we’ll help you get started with a data risk assessment.