Information Governance Grabs Center Stage
What comes to mind when you hear the phrase information governance? Arbitrary rules and regulations? Barriers to you doing your job well? Impediments to productivity? Obstructionist thinking that stymies progress? Or that most negative of sentiments: What’s wrong with the way we’ve always handled our information? It worked just fine for umpteen years. Surely electronic records can’t be that much different from paper.
Or do you view information governance more positively? Hint: You should view it very positively. Does information governance streamline your access to needed information? Does it save time by eliminating outdated and redundant information from your search results? Do you see information governance as a key component to keeping you and your company out of trouble? Does information governance take center stage for you and your employer?
I know, lots of rhetorical questions and emotional responses there. The fact is that most people will either embrace or castigate information governance depending on their individual situation at a certain point in time. It’s that level of frustration when you know exactly the document you want but it seems tantalizingly out of reach and, with nothing better to blame, you single out the information governance policy. Probably with a few choice words that I can’t repeat in this civilized setting.
It’s entirely possible that someone might curse a rule as arbitrary while simultaneously recognizing the necessity of it from a security standpoint. Someone else could easily applaud relevant search results without actually realizing the role information governance played in facilitating that relevance. And there’s always “that guy” who complains regardless of whether the complaint is justified.
Like it or not—and on the whole, people do like it—information governance is an important and necessary component of modern organizations’ information infrastructure. It’s our job, as information specialists and knowledge managers, to combat any negativity about information governance within our organizations and to manage expectations. Information governance is an integral part of both information technology and knowledge management. Together, IT and KM bring information governance forward onto that center stage.
It’s Not Just a Good Idea
Information governance isn’t just a good idea, created by computer geeks or imposed by legal departments. It’s tied to international legislation about privacy—and that affects all organizations, whether they are involved in international trade or not. I’d heard about new laws coming out of Europe, but was unclear about what they were or how they would affect companies in the U.S. For clarification about new data breach laws and why I should be concerned, I turned to AvePoint’s chief compliance and risk officer, Dana Simberkoff.
She explained the ramifications of two new European Union laws—the EU-U.S. Privacy Shield and the General Data Protection Legislation (GDPL). I’ll confess I hadn’t really grasped the difference. She graciously straightened me out.
First, a bit of background. Europe has very strong data privacy laws on its books, and the U.S. doesn’t measure up to those standards of keeping customer and employee data private, at least not in the eyes of the Europeans. As a workaround, the “Safe Harbour Framework” provision has allowed for data transfer between entities in the U.S. and European countries for the past 6 years. However, on October 6, 2015, the European Court of Justice ruled that framework invalid, which caused consternation among U.S. multinational companies and put data transfer, even internally, in limbo.
After a series of negotiations, the Privacy Shield, announced on July 12, 2016, by the European Commission and the U.S. Department of Commerce, allows multinationals to transfer data, but with new, stricter obligations. Simberkoff stresses that U.S. companies must still comply with privacy regulations, as spelled out in the Privacy Shield. Keep in mind that the privacy we’re talking about here applies to both customer information and employee information.
Enter GDPL to Center Stage
GDPL is a more general and far-reaching piece of legislation, scheduled to come into full effect in May 2018. According to Simberkoff, it impacts any company with an office in Europe as well as any organization that provides services to Europe. That pretty much translates to all businesses, which is rather scary. Run afoul of this legislation and the fine is 4% of annual global revenue. That’s a large enough amount of money to get the attention not only of senior management but also of the Board of Directors. That makes it very scary. Want to be the person who has to explain why 4% of annual global revenue is being paid out because your employer was not in compliance with GDPL? I thought not.
With GDPL, the underlying assumption is that privacy equals data protection. GDPL mandates a data protection officer, but compliance falls on the shoulders of the IT department to put in place controls around personal data and maintain a data map of all customer information. Organizations need to conduct privacy both by design and by default, notes Simberkoff.
Data collection also comes in for scrutiny under GDPL. Given its assumption that privacy equals data protection, the logical corollary is that companies should only collect data they need. The notion that it might be nice to have a piece of information about your customers doesn’t play well with GDPL. Nice to have? Forget about it.
Having lived in Europe and being currently involved with Information Today, Inc.’s European conferences and publications, I may be more aware of the European point of view regarding privacy than other information professionals who haven’t had the hands-on experiences I’ve had. Europeans are much more cautious about revealing customer and employee data than companies in the U.S. The definition of privacy in Europe is more all-encompassing than the U.S. definition—and Europeans don’t think the U.S. treatment of confidential information is nearly secure enough.
Each side, on occasion, views the other with stupefaction. A U.S. company can’t believe elements of its internal data are illegal to share with its European offices, while the European offices can’t believe the U.S. wouldn’t secure data they consider private.
Time to Reflect on Good Life Cycle Management
It’s Simberkoff’s position that companies should be looking at information governance not in reaction to legislation but as an opportunity to reflect on what is good life cycle management. “It’s a good time to put your house in order,” she says. Take archiving, for example. If data is archived in five different places, your potential exposure is multiplied by five. It’s also harder to determine which version is the most current and the most authoritative. Whether protecting your data comes first or having a streamlined archival system comes first is a chicken-and-egg question. The fact is it doesn’t matter—they can happen simultaneously and be of equal benefit to your organization.
Simberkoff believes it’s a KM responsibility to accentuate the positive about information governance. It’s good data management, not simply a bunch of random rules. Since it makes good business sense and should be presented as such, we need to foster a culture of compliance and to have both top-down and bottom-up support. Simberkoff uses the analogy of spell checking. We certainly don’t send documents with spelling mistakes; employees have the tools to avoid that. Similarly, we should make it easy for people to do the right thing, remove obstacles, build a stakeholder community, and incentivize them to comply. Removing obstacles, however, shouldn’t mean removing all obstacles. Policies should still restrict access to those qualified to view the data.