Exterro's seven best practices for information governance
Information governance is the set of rules used to control the creation, management, storage, and ultimately the disposition of data within an organization. It governs data from paper files, phone records, and voicemails to electronic data like emails, spreadsheets, word processing documents, presentations, database records, and new types of electronically stored information (ESI).
As a definition, it works well, but in practice, it doesn’t necessarily tell you how to get from identifying the need for IG to having an effective, functioning set of policies and procedures. Fortunately, in Exterro’s Basics of E-Discovery, we dig a little deeper, looking at some challenges you might face in your IG program, as well as some tips on how to get started.
Recently, with the advent of new data privacy laws like the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), it's also important to consider how your IG policies and procedures interact with your data inventory. The two have become inseparable in practice: you cannot govern, retain, or defensibly delete data you have not located and catalogued, and privacy regulations are multiplying worldwide, creating new risks for organizations that don't know what they hold. So, let's talk about some best practices you should keep in mind when designing your IG plan, and how each one interacts with your organization's data map.
- Create a cross-functional team. Information governance policies must reflect the needs and goals of all stakeholders, not just legal and IT. That includes groups like compliance, risk management, human resources, data privacy, information security, and the various business units in your organization. Each of these groups must be present from the planning phase onward. They need a voice in defining risks, metrics, and success criteria, because an IG program lives or dies on how well it supports a coherent Legal Governance, Risk, and Compliance (GRC) strategy.
- Conduct a comprehensive data audit and build the data inventory. Before building an IG framework, you need to understand what data your organization currently has. Individual business units will be familiar with the main data sources they use, but effective IG policies and procedures account for everything: backup tapes, legacy or retired technologies and software, and data archives. This also means mapping out that data and building a data inventory; your organization's data map is the most critical component to success with new data privacy regulations like the GDPR and CCPA.
- Carefully assess legal and regulatory requirements for data retention. In many industries, certain types of data must be retained for defined periods of time, while other records (for example, human resources information) may be subject to requirements from state, federal, or local regulatory agencies. Your policies and procedures must account for all of these regulations, so it's critical to understand them all, and to have a means of tracking changes to them over time. While the GDPR is the most prominent privacy law to impose explicit storage-limitation requirements on personal data, it's a good idea to defensibly delete whatever you have no legal or business reason to keep. Data you no longer hold cannot be swept into discovery, cannot be exposed in a breach, and cannot be omitted from a response to a consumer data request.
- Prioritize data map maintenance and enforce retention policies. Understand what issues are most pressing to your organization, and then craft policies that address those critical areas first. These issues should arise while you’re auditing data and assessing your legal obligations, so this step should happen naturally. As we mentioned earlier, success or failure with compliance typically starts with data, and maintaining an up-to-date data inventory is the best way to know what you have. If you’ve accumulated a bunch of never-used backup tapes, develop and implement a defensible deletion policy—or more seriously enforce what's already in place, if the procedures seem solid but just aren't being performed.
- Train employees and break down organizational silos. While a steering committee of stakeholders is responsible for defining your organization's IG policies and procedures, at the end of the day the program's success depends on employees following the plan. To get that to happen, you need to train your employees, and that training should be cross-functional enough that being a good data steward becomes part of everyone's job. For example, employees on the Data Subject Access Request team should know not only their own tasks but how the end-to-end process works and which steps are critical to getting it right. They have to understand the policies and follow the necessary procedures on a daily basis, and they have to have access to the technology that will help them perform their duties. One key element in making sure training sticks is making clear "the why" behind the program. That's what will motivate employees to change how they go about their jobs.
- Follow through with enforcement. Even if you create policies and train employees on them, you won’t get 100% compliance. People revert to old habits, even when they mean to change. You’re not looking to trap people in non-compliance, but you need to measure compliance and have corrective measures in place when problems crop up. So establish consequences before you need them, and then conduct random, periodic audits of employee compliance—and follow through when there’s a problem.
- Measure results. Define the metrics you will use to demonstrate success in your IG project up front, before implementation. The metrics should align with both your organizational goals and the types and volumes of data held within your organization. As more General Counsel and Chief Legal Officers become aware of the mounting Legal GRC challenges they face, we are beginning to see more data about how they measure results in their own organizations.