enterprisesecuritymag

Information Governance = Data Governance + Disclosure

By Tera Ladner, Director, Information Governance, Aflac

It’s time to look beyond data governance, which in most instances represents data quality and stewardship, to Information Governance (IG). Semantics, yes, but historically, data governance has attended to the data handling issues primarily related to structured data, and has not addressed legal and compliance issues associated with disclosure.

• Risks

In corporate environments, structured data is only a small part of the stock of daily transactions. The majority of these transactions are unstructured, in the form of email, documents, images and text messages. Sometimes called content, this unstructured data has the potential to expose the enterprise to compliance and regulatory risks, legal risks, or information security and privacy risks. Not knowing what information we have, where it resides, its basis for, and its business use leaves us less able to respond to compliance, legal, and regulatory matters. This can result in costly fines, sanctions or a damaged reputation. In anticipation of, or in the process of, litigation, ungoverned data increases the risk of spoliation of data. In the case of a breach, not properly managing information security and privacy increases the potential depth and breadth of information released. Narrowly focused data governance initiatives are not comprehensive enough to address these risks and the necessary elements of disclosure. What’s needed is an enterprise Information Governance program. This is a program that is not to be labeled as a defensive compliance mandate (read: cost center) but instead as a strategic business enabler with the capabilities to protect privacy, minimize risk, enhance the user/customer experience, and decrease the costs of information management.

• Information Governance

Information Governance (IG) goes beyond, but includes, the key facets of data governance to ensure the integrity, authenticity and reliability of information in the enterprise. Its scope is both unstructured and structured data. It defines and applies information handling policies; establishes accountabilities; guides information management processes; and establishes practices for data quality and protection. Additionally, it enables the identification, collection and processing of information for litigation discovery and disclosure, and it applies retention policies for the defensible destruction of end-of-life-cycle data.

• Implementation of Information Governance

It is easy to state the goals and benefits of Information Governance, but implementation requires a strategic program embraced by senior leadership and woven throughout the business. Once established, the data apparatus must be put into place. Information and its lifecycle must be addressed at the outset. Policies must be defined and automated not only to identify and classify business process information, but also to assign and manage the retention and destruction of data. Tools have to be acquired, integrated and put into play to ensure transparency to the business user, while also supporting legal and compliance processes.

A key aspect of information governance is to understand the lineage and chain-of-custody of data and its validity and integrity. This applies to current and future information handling. Looking toward the future, Information Governance has to be built into programs that are applying advanced technologies such as machine learning, AI, and data analytics. Although powerful in application, inherently complex algorithmic techniques and models have the potential to bring forth the next wave of litigation. Models, algorithms, and other automata will be challenged and may be a launch point for litigation dealing with inherent biases or lack of transparency. In the current literature there is an increased number of articles on this phenomenon.

• Security and Protection

Another aspect of IG that extends beyond the reach of data governance is aligning with information security capabilities. Not all information is created equal, and not all information should be protected at the same level of rigor. By understanding information holdings, proactive IG gauges the risk versus value of information to ensure that the appropriate controls and security are in place. Privacy management is one aspect of this. A common risk exposure is personal information of customers or other sensitive data in the laptops of employees or corporate file shares. IG operational processes enabled by data profiling tools have the ability to identify and support the remediation of this data.

• Summary

Setting forth on the journey to enterprise Information Governance requires innovation in the fundamentals of information management and architecture; collaboration with corporate compliance, legal, IT, and business; and resources skilled broadly in information management, technology, and the compliance and legal disciplines. The dialog and focus of the program have to be proactive and pre-emptive, not only decreasing risks inherent in ungoverned information, but creating business value. Lastly, the IG program must go beyond the narrow lens of data governance, including the fundamentals of data governance, and enabling the key aspects of disclosure associated with litigation and compliance.
