Information governance grabs center stage.
Or do you view information governance more positively? Hint: You should view it very positively. Does information governance streamline your access to needed information? Does it save time by eliminating outdated and redundant information from your search results? Do you see information governance as a key component to keeping you and your company out of trouble? Does information governance take center stage for you and your employer?
I know, lots of rhetorical questions and emotional responses there. The fact is that most people will either embrace or castigate information governance depending on their individual situation at a certain point in time. It's that level of frustration when you know exactly the document you want but it seems tantalizingly out of reach and, with nothing better to blame, you single out the information governance policy. Probably with a few choice words that I can't repeat in this civilized setting.
It's entirely possible that someone might curse a rule as arbitrary while simultaneously recognizing the necessity of it from a security standpoint. Someone else could easily applaud relevant search results without actually realizing the role information governance played in facilitating that relevance. And there's always "that guy" who complains regardless of whether the complaint is justified.
Like it or not--and on the whole, people do like it--information governance is an important and necessary component of modern organizations' information infrastructure. It's our job, as information specialists and knowledge managers, to combat any negativity about information governance within our organizations and to manage expectations. Information governance is an integral part of both information technology and knowledge management. Together, IT and KM bring information governance forward onto that center stage.
It's Not Just a Good Idea
Information governance isn't just a good idea, created by computer geeks or imposed by legal departments. It's tied to international legislation about privacy--and that affects all organizations, whether they are involved in international trade or not. I'd heard about new laws coming out of Europe, but was unclear about what they were or how they would affect companies in the U.S. For clarification about new data breach laws and why I should be concerned, I turned to AvePoint's chief compliance and risk officer, Dana Simberkoff.
She explained the ramifications of two new European Union laws--the EU-U.S. Privacy Shield and the General Data Protection Legislation (GDPL). I'll confess I hadn't really grasped the difference. She graciously straightened me out.
First, a bit of background. Europe has very strong data privacy laws on its books, and the U.S. doesn't measure up to those standards of keeping customer and employee data private, at least not in the eyes of the Europeans. As a workaround, the "Safe Harbour Framework" provision has allowed for data transfer between entities in the U.S. and European countries for the past 6 years. However, on October 6, 2015, the European Court of Justice ruled that framework invalid, which caused consternation among U.S. multinational companies and put data transfer, even internally, in limbo.
After a series of negotiations, the Privacy Shield, announced on July 12, 2016 by the European Commission and the U.S. Department of Commerce, allows multinationals to transfer data, but with new, stricter obligations. Simberkoff stresses that U.S. companies must still comply with privacy regulations, as spelled out in the Privacy Shield. Keep in mind that the privacy we're talking about here applies to both customer information and employee information.
Enter GDPL to Center Stage
GDPL is a more general and far-reaching piece of legislation, scheduled to come into full effect in May 2018. According to Simberkoff, it impacts any company with an office in Europe as well as any organization that provides services to Europe. That pretty much translates to all businesses, which is rather scary. Run afoul of this legislation and the fine is 4% of annual global revenue. That's a large enough amount of money to get the attention not only of senior management but also of the Board of Directors. That makes it very scary. Want to be the person who has to explain why 4% of annual global revenue is being paid out because your employer was not in compliance with GDPL? I thought not.
With GDPL, the underlying assumption is that privacy equals data protection. GDPL mandates a data protection officer, but compliance falls on the shoulders of the IT department to put in place controls around personal data and maintain a data map of all customer information. Organizations need to conduct privacy both by design and by default, notes Simberkoff.
Data collection also comes in for scrutiny under GDPL. Given its assumption that privacy equals data protection, the logical corollary is that companies should only collect data they need. The notion that it might be nice to have a piece of information about your customers doesn't play well with GDPL. Nice to have? Forget about it.
Having lived in Europe and being currently involved with Information Today, Inc.'s European conferences and publications, I may be more aware of the European point of view regarding privacy than other information professionals who haven't had the hands-on experiences I've had. Europeans are much more cautious about revealing customer and employee data than companies in the U.S. The definition of privacy in Europe is more all-encompassing than the U.S. definition--and Europeans don't think the U.S. treatment of confidential information is nearly secure enough.
Each side, on occasion, views the other with stupefaction. A U.S. company can't believe elements of its internal data are illegal to share with its European offices, while the European offices can't believe the U.S. wouldn't secure data they consider private.
Time to Reflect on Good Life Cycle Management
It's Simberkoff's position that companies should be looking at information governance not in reaction to legislation but as an opportunity to reflect on what is good life cycle management. "It's a good time to put your house in order," she says. Take archiving, for example. If data is archived in five different places, your potential exposure is multiplied by five. It's also harder to determine which version is the most current and the most authoritative. Whether protecting your data comes first or having a streamlined archival system comes first is a chicken-and-egg question. The fact is it doesn't matter--they can happen simultaneously and be of equal benefit to your organization.
Simberkoff believes it's a KM responsibility to accentuate the positive about information governance. It's good data management, not simply a bunch of random rules. Since it makes good business sense and should be presented as such, we need to foster a culture of compliance and to have both top-down and bottom-up support. Simberkoff uses the analogy of spell checking. We certainly don't send documents with spelling mistakes; employees have the tools to avoid that. Similarly, we should make it easy for people to do the right thing, remove obstacles, build a stakeholder community, and incentivize them to comply. Removing obstacles, however, shouldn't mean removing all obstacles. Policies should still restrict access to those qualified to view the data.
When you talk about privacy and data breach laws, the underlying emotion is fear. According to Simberkoff, the real issue is risk avoidance. One of AvePoint's best practices includes understanding the data life cycle. As Simberkoff emphasized in our conversation, retention policies should recognize that data has a beginning, middle, and end. "It's born, collected, used internally, shared inside the company and externally, and then it should have a defined disposition." Disposition might mean it's archived but it might also mean it's destroyed.
Organizations should comply with legal requirements and not dispose of data too quickly. On the other hand, hoarding data doesn't help with risk avoidance, either. If you think that data might have long-term implications, possibly to identify trends, you still don't want that sitting in SharePoint. Archiving it and getting it out of a production environment could be the answer, but if and only if you're not saving it simply for the sake of saving it.
Life cycle management of data starts with thinking about how data is created or collected. Did it come from internal sources? Was it gleaned from an external repository? Was it provided by customers? This will differ from company to company and even from one industry sector to another. Next is access policies--who is authorized to access and use the data. The point is to strike a balance between being punitive to the point of inhibiting compliance and restricting access to preserve privacy and security. Sharing data is an important component of modern data management and the cornerstone of KM, but excessive sharing creates more problems than it solves and sharing across national borders raises potential legal issues. Retention policies and disposition practices are integral to good information governance, as is the understanding of what can and should be shared.
Setting the Stage
Information governance is deeply allied with privacy and security. But to set the stage for an effective governance program, it's important to look at the content you're governing, says Adlib's Isabell Berry. She echoes Simberkoff's thoughts about information security making good business sense. It's clear that when a data breach makes headlines, it's not fear of European legislation that comes first to a CEO's mind. No, it's how customers and investors will react. It's the sullied reputation of the company and the loss of trust. It's the assault on brand integrity.
Berry puts information security at the top of the list when organizations develop their strategies for information governance. Interestingly, she notes that 40% of breaches come from within the organization and cites the Panama Papers as one example, albeit an extreme example. She thinks that Adlib's "holistic approach" to content identifies business intelligence that the business didn't know it had. When businesses don't know they have information, let alone where the information resides, it's way too easy for sensitive and private information to leave the confines of the business. You can't secure data you don't know you have. Thus, a process of identification, value extraction, classification, and archiving needs to occur.
Dan Latendre, CEO of Igloo, values information sharing and sees knowledge as "internal currency" that needs to be managed wisely, which is where a governance procedure would be helpful.
The Intralinks approach to information governance focuses on enterprise productivity tools. Todd Partridge, VP of product marketing, is convinced that tight access control is necessary now that companies are sharing sensitive information outside their firewalls. Like Simberkoff, he stresses the importance of the content life cycle, but from the external to origination perspective. His recommendations include determining access rights to documents shared externally, encrypting documents, avoiding viruses by closely monitoring devices, instituting an information rights management program, and ensuring compliance by monitoring and auditing information sharing practices.
Digital asset security is the concern of Nuxeo's Mike Urbonas. Having a digital asset management (DAM) program in place minimizes the threat posed by those trying to break into your system and steal confidential data, whether it's about customers, employees, marketing plans, or future strategies. Minimizing security vulnerabilities is key to avoiding those data breaches feared by organizations. His metaphor of the castle is striking, particularly when he identifies threats as coming from both within and outside the castle walls.
With almost everyone in an organization contributing content, the role of information governance is ever more critical. Information governance is hardly an impediment to productivity; it's actually a productivity enhancer. As AvePoint's Simberkoff points out, the publicity surrounding data breaches has led to increased scrutiny and more stringent laws and regulations. Risk management in the form of information governance, data security processes, and legal compliance stands center stage for organizations of all sizes and types.
By Marydee Ojala, Conference Program Director, Information Today, Inc.
Marydee Ojala is conference program director for Information Today, Inc. She works on conferences such as Enterprise Search & Discovery, which is co-located with KMWorld, and WebSearch University, among others. She is a frequent speaker at U.S. and international information professional events. In addition, she moderates the popular KMWorld webinar series.
Ojala is based in Indianapolis, Indiana and can be reached at firstname.lastname@example.org.
Date: Sep 1, 2016