By Alex VanVeldhuisen, IGP
“Our Information Governance program looks like an abandoned fairground in my mind … each old ‘ride’ representing a technology, software or server with data and information we no longer use, need, can find or know what to do with.” Quote from a Manager at a Public Utility
BACKGROUND
ARMA International defines Information Governance (IG) as a strategic, cross-disciplinary framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable for the proper handling of information assets. Using a combination of views about information governance, BDO defines it as the ability to integrate people, process, technology and data into a framework that is cross-functional throughout the enterprise. This model allows for the development of an enterprise information governance program that aligns business functions and the use of data practices with their technological, business, security, privacy and legal needs.
INTRODUCTION
The “abandoned fairground” metaphor is a great visual. Imagine an old roller coaster being the legacy CRM program that was replaced by Salesforce. The ferris wheel was your old accounting software package, now in the cloud. Your on-premises Windows server infrastructure was the spider ride, which is now hosted in the cloud via Office 365 and MS Azure. These rides were the best when they were new, but now they lie dormant with no one actively using them. However, leaving them in place unattended incurs costs and presents risk.
One can compare this metaphor to the lack of resources an organization has to mitigate its records management functions, which are part of the foundation of a sound enterprise Information Governance program. Long considered a line item on an organization’s balance sheet and a back-office function typically delegated to the Facilities or Information Technology (IT) departments, the cost and management of the program has long been considered a necessary evil rather than a value-add for the organization. However, with the software tools and processes that are now available, many organizations are realizing they can clean up their IG program, with all its Redundant-Obsolete-Trivial (ROT) data, and bring it into compliance in a timely and cost-effective manner. Organizations are also seeing that these mitigation efforts drive increased productivity and business process transformation, which in turn often improves regulatory compliance, reduces costs and organizational risk, and increases profitability.
WHAT DOES AN ORGANIZATION’S ENTERPRISE LANDSCAPE LOOK LIKE?
Understanding what legacy systems your organization has, and what it is costing the organization to maintain them, is the first step in an Information Governance assessment. To properly “map” out the enterprise landscape, both current and legacy systems containing data must be identified and tracked. Once systems have been identified, the organization should implement steps that include:
- Understanding who has access to the data or information and how it is used throughout the enterprise
- Identifying dormant data and information
- Identifying any additional data and information repositories that are outdated and outside the organization’s records retention schedule
WHY IS IT IMPORTANT TO HAVE A STRONG IG PROGRAM?
Aside from the normal regulatory reporting requirements that nonprofit organizations must comply with, nonprofits that are collecting or managing data on residents in the European Union (“EU”) are now subject to the recently implemented General Data Protection Regulation (GDPR). The specific requirements within the regulation mandate that organizations have a firm understanding of the Personal Data, (similar to what the U.S. refers to as Personal Identifiable Information, or PII) they possess and control. Additionally, the organization must have documented processes in place to be able to provide any individual who is a resident of the EU a summary of what specific Personal Data is being maintained by the organization along with the mechanism(s) to delete their Personal Data, if they so request.
Examples of Personal Data a nonprofit might possess would be email addresses or newsletter mailing information the marketing department may be using to communicate with donors, subscribers or interested parties. According to Article 5 of the GDPR regulation, this information should not be maintained after the point in time at which the need/reason for processing it no longer exists. Once that point in time is identified, the Personal Data should be removed from the enterprise systems, including downstream systems, in a secure and timely manner.
Additionally, according to the Information Commissioner’s Office based in the UK (www.ico.org.uk), nonprofits can be considered both “data controllers” and “data processors.” There are several ways in which a nonprofit is then subject to GDPR:
1. As an employer processing data of volunteers, employees or trustees
2. As a campaign or fundraising organizer
3. As a provider of services to beneficiaries
The GDPR provides the following eight rights for individuals:
1. The right to be informed about the collection and use of personal data
2. The right of access to their personal data and supplementary information
3. The right to rectification of inaccurate personal data or completion of incomplete data
4. The right to erasure of personal data
5. The right to restrict processing, which allows an organization to store data but not use it
6. The right to data portability, which allows individuals to safely and securely obtain and reuse their own data for their own purposes
7. The right to object to processing based on legitimate interests, direct marketing and for purposes of research
8. Rights in relation to automated decision-making and profiling
What makes IG so challenging for most organizations is that it is as much about organizational structures as it is about data. Most organizations, including nonprofits, work in what the IG profession refers to as silos. Each of these silos is represented by various departments, locations and service lines that are all currently responsible for their own data and records, with little or no thought as to how their individual programs or governance efforts may impact the organization as a whole.
In contrast to a mature enterprise information governance program, these organizational and information silos result in increased liability and costs to the organization, while also increasing the cost of managing and maintaining current and legacy systems. This is the exact opposite of what a mature IG program is designed to accomplish, which is the reduction of your data footprint (data minimization) through the elimination of ROT data. Improving processes and controls will reduce the organizational risk profile while increasing efficiency and control over your data.
Due to the implications, the recent passing and implementation in May 2018 of the GDPR as mentioned earlier, and the passing of the California Consumer Protection Act (CaCPA) which takes effect Jan. 1, 2020 (which may have up to a six-month look back), nonprofits cannot continue to do business without prioritizing how to secure and manage their sensitive donor and organizational information.
CAN CREATING A STRONG INFORMATION GOVERNANCE PROGRAM CREATE STRONG ROI?
The simple answer is “Yes!” Every organization is unique, and every organization has its own strategic business goals, so it is difficult to quantify a return on investment (ROI) without specific information. However, what a strong IG program supports, and shows results in, is better control and security of your information and an improved ability to leverage that information to make more informed decisions. Another result that may occur is improved efficiency that generates better outcomes. In a nonprofit this could mean the ability to better understand who is engaging with the organization, and how, among donors and volunteers. Clean, accurate, available and meaningful data will allow the organization to look to the past to guide the future.
What are some examples of benefits that are a direct result of improved IG programs?
- A reduced risk profile for the organization
- Improved outcomes of regulatory audits
- Minimization of the data footprint, which results in lower costs to store, maintain and dispose of data in all its forms
- More productive employees in their daily activities, by making the data and information they need available in a safe, secure and timely manner
- Better decision making, by having data that is more accurate, available and trustworthy
HOW DO YOU START TO PREPARE TO MAKE CHANGES?
Existing corporate culture, and changes within that culture, pose difficult challenges specific to bringing an organization into compliance and building an effective IG program. The first and most important step is to get executive sponsorship and the involvement of all stakeholders to support the success of an IG program. Developing and nurturing a culture of compliance does not happen immediately. Organizations should implement programs where employees are asked and encouraged to change habits and business processes, so that they understand the benefits to the organization as a whole. Additionally, when employees see how these changes will impact each of their specific jobs and responsibilities, the result is that the organization saves money and avoids exposure to unnecessary risk.
DON’T LET PERFECTION GET IN THE WAY OF PROGRESS
One of the justifications organizations use to stall change is that the proposed new processes are not perfect. No IG program will ever be perfect. The variables involved in any organization, particularly larger ones, make it difficult to create a program that is perfect. What is needed is an ongoing and iterative IG program that has:
- Executive sponsorship and ongoing support
- Deep and continued stakeholder involvement
- Regular audits and evaluation
- The agility to make changes in a timely manner to address new regulatory requirements, business changes and personnel turnover
An IG program that does this will create and support a culture of compliance in an organization and lead to efficiencies across a variety of areas, including records management, e-discovery, information security and reporting.
GET HELP AND PARTICIPATION FROM THESE AREAS
The creation of an IG program takes some planning and is the responsibility of multiple people within the organization. The creation of a strong IG program will require input, knowledge and expertise from at least five areas of the organization. As shown in the Information Governance Reference Model (IGRM), these areas need to work collaboratively to create a strong and successful IG program. Start by fostering positive relationships across the business lines, including the security, IT, RIM and legal teams. Discuss the priorities each group has and the responsibilities they currently oversee. Finding synergies can develop partnerships to achieve shared goals. Ultimately, including these stakeholders will allow the organization to identify areas that need attention and that a strong, well-rounded IG program can accelerate.
CONCLUSION
A strong Information Governance program is possible to accomplish. Understanding where the organization is maintaining data benefits the organization, as it will reap the rewards of a properly managed program. Engaging key stakeholders throughout your organization is the most important step an organization can take to get started. The benefits that result from creating a strong IG program will support efficiencies and reduce the organization’s risk profile. And most importantly, a well-thought-out IG program will create a culture of compliance that functions every day. As with our fairground metaphor, making sure your data is accounted for and maintained is synonymous with ensuring the fairground is not abandoned but maintained, so that all rides, new and old, are safe and fun, and it is a place where everyone wants to go!
For more information, contact Alex VanVeldhuisen, manager, TBTS Governance and Risk Compliance, at avanveldhuisen@bdo.com.