Today’s organizations are faced with the overwhelming challenge of managing, finding, and leveraging their information. On average, organizations use 88 applications to power their workforce, a 21% increase from just three years ago. From privacy and compliance to security and eDiscovery, enterprise information is no longer something that merely needs to be stored. Today, it’s a major part of our economy, a valuable knowledge asset, and many times, a significant liability. It’s clear we’re in the midst of a powerful technological shift pushing us to rethink information governance.
In collaboration with FTI Consulting, we’ve gathered leading information governance experts from F500 companies to understand how this discipline is evolving, what new challenges they’re facing, and how their organizations are approaching them. Here’s what we learned:
It’s no secret that global privacy regulations like GDPR and CCPA are on the rise, and their requirements are becoming more and more strict. This prompted discussion of how imperative it is to not only have a privacy officer on your information governance team, but also how critical monitoring, retaining, and defensibly deleting information is. This is especially mandatory for global companies that need to develop policies that comply with privacy concerns across multiple geographies.
Participants also discussed a mindset switch in retention as organizations are reconsidering keeping their information forever, and instead getting rid of what they don’t need. In some ways, we found that litigation risk is growing to be comparatively less of a concern than privacy. The reason being that privacy is more ubiquitous than litigation. PII (Personally Identifiable Information) is universal — everyone has it, therefore everyone is vulnerable, and in a way, it levels the playing field. It’s not something organizations can be defensive about. For these reasons, privacy should always factor in at the decision-making table.
Although employees’ behavior has always been a concern when it comes to preserving and securing information, one of the pitfalls of newer, more dynamic technology is that it can enable more dangerous user behavior. One participant referred to this as the “bleeding functionality” that cloud apps have and how it can allow the user to take riskier actions such as sharing confidential information, integrating with foreign applications, and even manipulating retention settings. We spoke about the advantages of turning off these compromising functionalities before rolling out new apps as a way to combat this issue.
We also discussed how distinguishing between valuable knowledge and basic conversation in newer technologies can be challenging. The content of chats, workspaces, and even emails is much more substantive than it used to be. For example, sorting through hundreds of thousands of old school emails vs. hundreds of thousands of Slack messages can hold vastly different elements. A Slack message alone can hold edits and deletions, audio files, folders, links and much more. Deciphering between commonplace conversation and valuable knowledge is hard for information governance professionals without proper identification and classification.
When it comes to rolling out new technologies to your organization, all participants agreed that litigation needs to be on the same team as IT. Both departments are critical to assessing new tools, yet they both have different priorities in mind. IT may be looking at the technicalities of the product and its security measures, but litigation needs to look at its collection, search, and privacy features. Being able to decipher if they’re able to collect from the tool natively or have a solution partner that can, is a necessary box to check early-on that IT might not be thinking of. Not doing so can lead to major issues down the line when litigation strikes or information needs to be retrieved for compliance.
Although the value of information governance is widely understood, many participants agreed that leadership still doesn’t advocate for it as much as they need to. IG professionals need backing from the executive level to receive the necessary finances and resources to build out a strong program, not to mention, to set the tone for the rest of the organization’s IG posture. We discussed how spreading awareness is key to buy-in. Communicating to your COO or CIO the risk vs. benefit of keeping information versus purging it, explaining why it may not be a good idea to keep long retention periods, and demonstrating how bolstering IG can benefit the business, are all ways to start the conversation.
Since information governance encompasses such a vast array of disciplines, building relationships throughout different sectors of your organization is key. From IT, to legal ops, to compliance, and more, participants agreed that building a culture where each of these stakeholders can express their needs is what forms stronger policies and operations.
Speak to stakeholders frequently, form an IG committee to help establish priorities, and figure out where you may need to involve yourselves in each other’s processes. For example, if you’re an eDiscovery professional and need to be able to collect from new tools being brought on, insert yourself in the onboarding and decommissioning process with IT. Building cooperative relationships will not only make your lives easier, but might also apply pressure for more IG support from the executive level.
As we mentioned earlier, deciphering what’s valuable knowledge and what’s basic conversation is getting harder to do. While larger organizations may find this harder to scale, some of our participants have found success leaving it up to employees to decide for themselves what content of theirs is valuable. While many might hesitate to give users control, many have found that giving employees a choice works well. Whether that means moving all content over to a more secure repository or categorizing what should be saved, it gives IG professionals more flexibility with retention policies when the users claim what they want to be saved. Of course, this is a baseline, and further investigation can be done to assess risk on a deeper level.
We hope you found the insights from this roundtable informative and thought-provoking. Thank you to all of our attendees for graciously sharing their knowledge and experience.
For more information on how Onna powers information governance head to onna.com/information-governance.