Ahead of GDPR, Information Governance Comes into Its Own

A full 98 percent of US enterprises have embarked on information governance (IG) projects, dramatically up from just 10 percent last year.

LAS VEGAS – In sharp contrast to a year ago, a full 98 percent of US enterprises in a survey from the Information Governance Institute have embarked on information governance (IG) projects. That’s dramatically up (to say the least): Just 10 percent last year had projects in place.

Why the staggering sea change? Bennett Borden, chief data scientist and chair for the information governance group at law firm Drinker, Biddle and Reath and chair at the IGI, told attendees at the OpenText ENFUSE 2018 conference that IG is finally beginning to be understood as a discrete practice area within businesses, largely driven by the looming General Data Protection Regulation (GDPR) and a heightened awareness of breaches and hacks (the latter is thanks to big cyber-incidents such as the Equifax breach).

“In terms of the major drivers for IG, the number one answer for the last six years has been external regulatory, compliance or legal obligations, which have come to the fore in the past year,” Borden said during a session here on Tuesday. “This year however cybersecurity is driving much of the IG focus too. There’s an awareness now that the more information you have, the more liability there is and the greater chance of a breach.”

In the IGI research, 48 percent said that they strongly agree that cybersecurity is essential to IG, and 37 percent simply “agree.” This data point is somewhat unsurprising given that 30 percent of respondents said they’ve suffered external attacks this year.

IG’s Definition Gains Clarity

The landscape has also shifted in the past year as data privacy has come to the forefront. There’s a growing awareness among consumers and businesses alike about how much information we create in our everyday lives, as we take actions and make decisions and effectuate them by digital means. That gives companies access to increasingly huge amounts of data – data that they don’t necessarily have control over. That creates big risk exposure in terms of the potential for data mishandling.

“We are the most documented members of our species,” Borden said. “Think about all of the data touches you have when you travel, from key cards for hotel rooms to the use of rewards cards to all of the apps that are supposed to make travel easier. It’s an amazing record of what we do as human beings.”

However, there’s a discipline that’s missing, “which is an overall strategy about the purposeful disposition and use of digital data,” Borden said.

Enter IG. Borden stressed that IG shouldn’t be conflated with information management, which concerns how data flows through an enterprise. IG, on the other hand, has to do with why we have the information in the first place and what we do with it.

IG projects include: defining and implementing a framework for how information is treated, and accordingly updating policies and procedures; audits and deletion of old and unneeded data; comprehensive legacy data cleanup; data loss prevention; implementation of legal hold tracking; and execution of big data analytics projects.

A full 41 percent of respondents in the IGI survey said that the definition of IG as encompassing projects like these has gained clarity in the last year.

“Almost every company is doing something around IG, with the updating of policies and procedures leading the way since that’s the easiest to tackle,” said Borden. “Companies are aware that they have too much data, and they don’t know what’s included or even where it is. You can’t solve that without policies and procedures. So most fall back on this to effectuate data strategy.”

Global data remediation projects, which involve getting rid of risky or useless info and organizing the data that’s left over, are the second-largest group of IG efforts, he added.

Balancing Interests

IG does face hurdles, not the least of which is the need to balance competing interests across divisions within the business.

“IG is fundamentally a coordinating and facilitating function,” Borden said. “Most companies don’t have a framework where you can elicit the perspective of each facet, balance the competing concerns and goals, develop a solution that fits the profile of the company, and then execute it.”

Functions like HR, product development, sales, marketing, legal and so on tend to have function-specific solutions that create and store information; and they also have different perspectives on what data should be used for.

“The marketing people’s job is to tell people about things, and they push info out all the time to garner more leads,” Borden said. “They want accurate and current information to be spread as widely as possible. But the security function’s job is to get the right information to the right people at the right time. Neither’s wrong, but there are conflicting lines of sight—so who wins?”

Organizations thus need to decide how to govern their information in a way that works for everyone.

Borden advocates a “corporate therapy” approach that involves asking a series of questions of each stakeholder: What are the business, regulatory and legal objectives? What information do I need to accomplish them? How long is that information useful? How does it need to be organized while it’s useful, in terms of access, security and privacy? And finally, what do I do with that information once it’s no longer useful?

“These questions are critical to developing IG maturity – you identify business objectives and the major stakeholders, and get them to talk to each other and develop relationships in order to come to a consensus,” Borden said. “Those on the compliance and legal risk side will talk to each other, tech sits in the middle and the business people are often not at the table, even though they are the ones creating and leveraging the information. They couldn’t tell you how to secure it or how long to use it, and that needs to change.”

The good news is that with the combined carrot (data insights) and stick (risk such as GDPR and cyberattacks) aspects coming to bear, the IG arena has taken off in terms of executive focus. The IGI has seen a big leap in the number of IG leaders with “Information Governance” in their title (a 41 percent rise from last year to reach 52 percent). The number of organizations with IG steering committees has spiked 26 percent, to reach 46 percent.

IG Driving Value

While concerns over risk are causing change, so is a new perception of IG’s overall value.

“We’re starting to see that companies recognize that it’s just good business practice to get a handle on their data and how they handle it,” Borden said.

About half (46 percent) of respondents in the survey said they saw value in IG this year, compared to just 16 percent last year, which is a whopping 179 percent change. The number of respondents reporting that their organization was extracting no value from the information it holds was slashed by more than half (a 55 percent decline).

“Companies are realizing that the info they create has insights within it,” Borden explained. “Also, people in senior management positions today were largely raised in the information age, and they’re used to the idea that insights are leveragable.”

This has of course given rise to the data brokerage world – which, Cambridge Analytica aside, continues to be a lucrative new area for companies wanting to explore (legal, privacy-first) marketing and customer service applications of digital footprint data.

“We can understand human conduct by the data trails we leave behind us as we move through our lives,” Borden said. “The more information we have, the more we can understand what people do, why they do it and what they’re going to do.”
