Information governance 101: The regulatory compliance survival kit

By definition, information governance formalizes the rules, roles, responsibilities, and technologies required to mitigate data’s risk while maximizing its yield. Independently, this practice isn’t necessarily high value, revenue-generating, or particularly fun.

But it’s the fulcrum on which every enterprise finds itself precariously balanced in an age of hypersensitive regulatory requirements. This reality is readily reinforced by a sprawling set of drivers, including these:

♦ Information privacy: Numerous regulations—from international mandates to statewide decrees—have sprouted up to protect consumers’ rights to privacy. This has resulted in “a fundamental shift in how data should be managed and governance is a big part of that,” according to Privacera CEO Balaji Ganesan.

♦ Personalization: Organizations are attempting to amass as much PII as possible to personalize interactions with consumers, fueling concerns about responsible limits.

♦ Managed services: Regulations such as GDPR necessitate that organizations govern the use of their data vendors, prompting them to implement what Rob Chapman, director of security architecture, Cybera, called “a really good vendor management process.” Mounting cloud reliance amplifies this driver.

♦ The broadening data ecosystem: The post-big data age has contributed to a situation in which “there’s more data and more different kinds of data, so there are more things to which regulations apply,” stated Irene Polikoff, CEO, TopQuadrant.

♦ Security breaches: Data breaches, which can result in loss of control of private and confidential information, are still growing in frequency and severity, expanding the need for regulations to make organizations more accountable.

These forces are responsible for the proliferation of horizontal and industry-specific regulations, increasing the difficulty for “even just understanding what applies to you and what doesn’t apply to you,” Polikoff said. Nonetheless, by focusing on the information governance fundamentals of data cataloging, data profiling, data discovery, enterprise architecture, data provenance, and more, organizations can clarify their regulatory obligations and comply with timely action.

Moreover, by putting these process in motion with automation, companies can transform governance from a passive set of principles to a means of “operationalizing data governance, which is where people are today,” added Robert Coyne, CMO and vice president of professional services, TopQuadrant.

Enterprise architecture

The first step for devising governance measures to comply with regulations is identifying what data is where and how it moves through the enterprise between applications, databases, and users. Whether assessing architecture for security or for governance, “you can’t do anything else in this space until you figure out how the data’s flowing,” Chapman said.
Digitizing traditional enterprise architecture maps to ascertain this vital information involves the following processes:

♦ Data discovery: According to Jans Aasman, CEO, Franz, “If you want to build your digital data catalog, you had better first spend a lot of time discovering where your sources are.” Creating a centralized data catalog of these digital assets enables granular insight into “the business line, which applications get fed by this database, the applications that actually deliver data to this database, the person or the list of persons that maintain the database, the machines it runs on, all the tables, all the columns within the tables, and the data types of these columns,” Aasman explained.

♦ Situational data governance: Tools such as the Zachman Framework are instrumental in distinguishing the what, who, where, and how of anything that’s situational, said Ralph Hodgson, CTO, TopQuadrant. Encapsulating these findings in a central repository such as a knowledge graph supports “mapping application dependencies for information needs across boundaries in an organization,” Hodgson maintained. Such mapping is a helpful starting point; data provenance reveals what actually took place in the data’s journey to support “the ability to move from what can happen to what did happen.”

♦ Security: Mapping data’s flow throughout the enterprise is pivotal for securing information assets. Understanding this movement allows organizations to consider what they’re trying to protect and what that requires. When complying with PCI regulations, for example, Chapman said, there is often a misconception that the only things that matter are things that are immediately touching, transmitting, storing, or otherwise interacting with payment. Protecting connected systems is just as essential for safeguarding valued payment data.