Tackling the growing data regulation headache: Practising good information governance

In today’s information driven world, data is at the heart of enabling business and government to operate and innovate effectively. However, the exponential growth of data, combined with increasing regulation, has left many organisations struggling with the complexity of compliance required to manage all their precious information. The statistics point towards a rapid rise in business data, which is on a trajectory to grow 56% year on year. There are potentially thousands of pieces of legislation impacting companies, peaking at over 100,000 legal requirements relevant to multinational companies. Adding even further potential upheaval is impending regulation currently under proposal by the European Commission to unify and harmonise data protection within the European Union (EU). Facing this barrage of legal and regulatory requirements it is no wonder many organisations are seeking out expert advice on how to best manage, store, archive and retrieve their data for compliance, but also to ensure its valuable information can be more easily harnessed for innovation.

 

Organisations within the EU, in particular, are being affected by increasing regulation. There are a number of different regulations including Solvency II, Dodd-Frank, HIPAA, Gramm–Leach–Bliley Act (GLBA), Basel III and new tax laws, as well as the expansion of state-regulated privacy initiatives and new rules relating to disaster recovery, transportation security, value chain transparency, consumer privacy, money laundering and information security. Many of these regulations often vary across jurisdictions and, if you are an organisation operating across several markets, a collaborative and integrated international approach is required for security, retention and disposal of data. To compound the challenge, even when you might think you have a hold on a piece of legislation you will find it has evolved and the policies and processes you had put in place to address it are no longer valued. So it is clear organisations cannot afford to address each legal requirement separately. Instead, a holistic approach to Information Governance is needed. An approach which can flex to an increasingly regulatory environment yet is seamless and transparent across your operations business systems.

 

One new law, currently under proposal, presents a momentous change for large enterprises operating in Europe. The European Commission plans to unify and harmonise data protection within the EU with a single law, the General Data Protection Regulation (GDPR), together with a police and criminal justice directive. The adoption is aimed for 2014 and the regulation is planned to take effect in 2016. Under discussion is a strict data protection compliance regime with severe penalties of up to 2 % of a company’s worldwide turnover. Should the proposal become law, organisations will have to completely rethink how to comply across their entire business. It is no wonder many enterprises are looking to get ahead of the compliance curve. But where to begin?

 

Information Governance

Information Governance describes how data is controlled within organisations in order to meet regulatory, environmental and operational requirements. Gartner’s official definition of Information Governance is: “…the specification of decision rights and an accountability framework to encourage desirable behaviour in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organisation to achieve its goals1.” It therefore looks to address important considerations key stakeholders within an enterprise face. For example a CIO may ask “How long do we need to keep information?” whilst a Head of Compliance might proffer: “How can we ensure compliance in multiple jurisdictions?” meanwhile a Records Manager might question: “How can we respond to the regulator’s request for information?”

 

In HDS definition, Information Governance is a comprehensive programme of controls, processes, and technologies designed to help organisations maximise the value of their data while minimising associated risks and costs. Any organisation which is therefore looking to ensure compliance in the face of mounting regulatory requirements firstly needs to assess their Information Governance maturity and put policies in place to ensure that their data supports the agreed framework.

 

Addressing Information Governance however can be a significant undertaking, which is why many organisations look to consultants and other experts for advice in shaping and deploying their framework and guiding policies in the most effective way. Understanding the full scope of the requirements themselves is a heavy task. An important foundation stone for ensuring effective Information Governance is to assess your business maturity.

 

Firstly, by interviewing key stakeholders within the organisation to gather a full picture of what types of data you own – from structured to unstructured data (anything from word processor, spreadsheet and PowerPoint files, voice recordings, video, sensor and log data, or external data such as social media feeds) and how this information is collected, stored, used and managed – for the long term. This must be done in tandem with a content audit to identify where your information assets are, who uses them, whether they have regulatory significance and how they are currently protected. Multinational organisations are likely to find this considerably complex given assessment must take place across all jurisdictions in which you operate and take into consideration the varying regulatory requirements across markets. In addition, a thorough review of Information Governance must investigate roles and responsibilities in regards to the creation and management of data within your organisation. Current regulatory compliance across the business must also be assessed to identify weaknesses and strengths. Depending on the size and scope of your organisation, again, this can be a significant effort.

 

For any Information Governance programme to be successful, the key executive stakeholders must participate in the governance framework being established and support the deployment of policies to support that framework. Investment signoff is also likely to be required, and with the volumes of data to be considered, automation of the processes to support policy enablement is key to containing costs and providing the option to drive value from the data under management as well as supporting regulatory and governance requirements.

 

There are also a few key stakeholders to address. For example, Information Officers typically have a view of the entire data estate and understand the principals of policy-based management, while Information Security, Risk and Compliance Managers have a view on the regulatory and corporate data classification requirements. Furthermore, Business Managers often have a view on how the data assets should be managed to support their business requirements, including the protection of, access to and relationship between various data sources such as trading information.

 

Stakeholders will then need to consider a few key questions, including: What are their requirements for regulatory or internal governance? Which data assets need to be classified and which applications need specific data management policy established? Are there specific data retention requirements from a business perspective? Where are their relevant data assets and how do they need to be protected, considering data jurisdiction relevant to them? How are they going to manage the costs associated with data management for governance purposes? Do they have a desire to manage all data assets in a private cloud or data centre environment?

 

Having a clear understanding of their requirements at a regulatory, business and corporate asset level will enable organisations to better understand how best practice can be applied, where they could take advantage of established processes and policy definitions to support their requirements, and how they can manage cost effectively for the future. Information Governance today is about establishing a solid foundation upon which to build for the future, to set out the framework for cost effective management of assets and to target the key items which of most value or causing most pain today. The process could take between four to six weeks, but if an organisation already has a framework in place and wants to optimise their approach, then two weeks may be sufficient for the process.

 

IDC research has found that failures and issues in document-driven business processes have led to serious business risk and/or compliance issues in 75.9% of businesses, within which 24.9% lost major customers as a result of document process failures and 17.3% paid a financial settlement of at least $50,000.

 

However, thorough assessment is only one rung on the ladder to compliance and effective Information Governance. Once an enterprise has evaluated its maturity in these areas, the next step is to develop a robust policy framework which addresses all legal and regulatory requirements, industry standards as well as company policy. This includes the creation of retention schedule rules, the classification of legacy content, identification of duplication, and how metadata could be used to enhance the support for regulatory compliance and data governance. In essence, this ensures the digital house is in order, to mitigate risk from initial creation of electronically stored information through to its final disposition. This framework is then the basis for all lifecycle workflow within the organisation.

 

Finally, with this extensive groundwork laid, an organisation should deploy and enforce the policies in regards to all data the company holds, manages and interacts with. This incorporates applying Information Governance policies to assigned content using automated tools and migrating data from current to new systems.

 

This is the suggested approach an organisation could take in order to effectively address regulatory compliance in the most cost-effective and efficient way. Not only that, by putting processes in place to more effectively manage data estate, enterprises can better harness information as one of their most valuable assets for innovation and growth. Practising effective Information Governance benefits organisations in several key areas:

 

Data Growth: Ensures you can manage, preserve, protect, discover, analyse and leverage data of all types to satisfy governance and e-discovery, uncovering new information for competitive advantage.

 

Cost: Increases business efficiency and utilisation of resources whilst future-proofing the data asset infrastructure

 

Complexity: Frees data from applications and infrastructure and ensures information assets are more effectively available for discovery or business revenue purposes

 

One thing remains certain and that is the volume and complexity of data enterprises create, store and manage is growing exponentially. Compliance with legal and regulatory frameworks is a critical concern for organisations especially as risks and potential fines are increasing dramatically. The negative impact on reputation, should your business fail, can also be irrevocably damaging. Getting ahead of the compliance and governance curve is therefore critical and if effective Information Governance practices are implemented, compliance becomes less complex and costly. However, practicing good Information Governance brings advantages over and above this by giving you true information lifecycle management across your business, centralised, policy-driven data management, and the elimination of unusable or inaccessible siloes of data. All key in ensuring enterprises unlock high value from their data assets to drive innovation, minimise customer churn and identify new revenue opportunities.

 

1 Debra Logan, Research VP : Gartner Blog: What is Information Governance? And Why is it So Hard? (January, 2012) http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/