Information Governance and Compliance Across Jurisdictions
Ever since the first online data breaches of the early 1990s, companies have rapidly adopted information security and management systems out of necessity. These early information governance systems were generally housed under IT departments, but because of increasing privacy concerns and the need to prevent related litigation, the push for more and better processes now tends to emerge from company legal departments.
When it comes to information governance and the protection of vital digital assets, there are some common mistakes that enterprises make. These usually involve either a failure to comply with jurisdictional requirements or a company unnecessarily or inadvertently taking responsibility for private information. Both often result in hefty fines.
Avoiding Common Mistakes
Are these mistakes avoidable? Ask Dean Felicetti of SullivanStrickler or Jason Shelton of InfoCycle, and they will answer with a resounding “yes.” These information governance professionals work directly with companies to develop and launch initiatives that enhance data recovery and data storage systems.
A common starting point for these initiatives is metadata scanning of the environment, looking at things like file shares and databases. The goal is to clearly understand what’s being kept and why. That’s where companies like SullivanStrickler and InfoCycle can help to develop more mature systems for information governance.
The root cause of these disorganized information governance systems has been the rapid rise of online data gathering. The volume of information grew so rapidly that enterprise development of data systems was reactive and haphazard, rather than strategic. The work done by Shelton and Felicetti helps companies get back on track.
While virtually all organizations have some sort of information governance program in place, few have strategic information and security governance programs. One of the largest barriers to more centralized and robust programs involves the difficulty in securing key support within the company. Felicetti explains that a major “area of turbulence” is making sure all stakeholders from the various information governance silos within an enterprise are on board and actively engaged throughout the lifecycle, doing things like vetted testing at least every year.
“We’ve also found that certain clients may have more of a single focus versus a holistic view of the entire process,” Felicetti says. “So, down the road, as the decisions are being made, they’re being made specifically toward their own siloed environment. Again, communication between each group and the key stakeholders could be points of failure, not unlike with any process.
“And then, ultimately, the testing and vetting of the quality that they’re putting into quality assurance. Are they truly capturing the quality and controls and testing those environments? In other words, they may test their particular area, but not really understand the full impact on other departments within an organization. Overall buy-in from key stakeholders throughout the life cycle moving forward and vetted testing at least every year is vital.”
The Importance of Information Lifecycle Management
Without more strategic programs in place, companies can struggle to perform necessary functions like information lifecycle management or to develop systems for the timely elimination of data. Considering the costs involved in managing information, it is necessary for organizations to make sure that their information lifecycle management processes are as efficient as possible.
As Felicetti explains, there is a distinct connection between risks and costs. The realistic goal is not to mitigate every risk or reduce all costs, but to take proactive steps to reduce some of the risks, reduce some of the costs and get companies to buy into the overall approach, rather than feeling overwhelmed, throwing up their hands and enduring a total loss for particular departments.
Still, navigating lifecycle management, as well as data storage and data security, becomes more complicated under certain circumstances.
For example, active litigation, or possibly a government investigation, might require a company to hold onto information longer than it otherwise would. Also, enterprises undergoing things like mergers and acquisitions, or those that are trying to downsize, might also need to take special care. Under these circumstances, companies must correctly identify and deliver relevant data to ensure regulatory compliance.
But some companies simply may not have the capacity or know-how to get the job done. At that point, it makes sense to call on a third party that specializes in information governance.
Information Governance and Compliance Across Multiple Jurisdictions
While a smaller company operating in only one jurisdiction may simply need help with data mapping – alongside enhanced data security, data recovery, and data storage – some enterprises operate under multiple jurisdictions. This is where it becomes particularly easy for organizations to get into trouble.
Global companies operating multiple locations throughout the United States can help us understand just how complicated processes become when multiple jurisdictions are involved. Just as most enterprises have organically begun to develop their own unique systems for information governance, U.S. states – and many countries – have come up with their own unique laws and regulations regarding such matters.
Developing a streamlined process involves looking at all of those different state and country regulations and uniformly adopting the most conservative rules. Or, as Shelton explains, it may even be worth considering special treatment for a particular jurisdiction in certain cases.
When it comes to information governance, regulations can sometimes vary by industry, but more often than not, the real source of variation has to do with jurisdictions. It is important to note that while the work done by companies like InfoCycle and SullivanStrickler tends to overlap, they usually assist in slightly different and often complementary ways.
Complementary Services to Solve Info Gov Challenges
This leaves space for services that supplement one another, as opposed to making them direct competitors. So, for example, while InfoCycle would focus more on the various silos of information governance that an enterprise currently has, SullivanStrickler would technically assist the organization with assessing the structured and unstructured data.
So, SullivanStrickler might be more involved in parsing out things like legacy data and figuring out to which categories they belong. On the other hand, InfoCycle might work in a slightly different way, looking systematically at the company functions and working to bring information governance processes into a single, holistic system.
“What we typically do is try to build what’s called an IG council that at least knows what’s going on,” Shelton says. “We’ll say, ‘What suggestions do you have on how we could do this in a different way, or potentially even change our direction to do something differently that you think might make sense to the organization?’ We’ll ask them for feedback because then they have a say; now when you’re asking them to do things and have their users do things, they know what it is and have buy-in. It’s not just blank communication.
“You have leadership of that organization or that department now telling your users, ‘Hey, this is what we’re doing and this is why it’s key.’ You’re not always going to get it because if you put a bunch of VPs in the same room together and start talking about projects, initiatives, they’re all going to be on their phones, responding to emails and other things. So, trying to keep it simple and scope it simply, but also get buy-in is a very hard balance to strike, but it is important.”
The concept of information governance is quite new for some. But it’s important for key stakeholders within companies to take the time and understand the value of well-developed programs. An enterprise particularly benefits when its general counsel or legal teams are working together with key leadership personnel towards more robust systems.
That had been the general trajectory of many companies, up until the global COVID-19 pandemic. At that point, the number of information governance initiatives dropped substantially. For InfoCycle and SullivanStrickler, clients in the healthcare sector were some of the first to make dramatic budget cuts in outside spending. Looking to the future, though, it’s clear that without those robust systems in place, it is only a matter of time until problems arise.
“We keep coming back to that constant theme of buy-in of communication,” Felicetti says. “Communication is vital to the success of any strategic plan. There’s a comfort level with the way things are done already, and that may seem easier. So, it really is a shift in focus and objectives from top-down for the organization that leads to success.”
And that success means securing data, reducing risk, and saving money.
SullivanStrickler provides some of the world’s leading organizations with legacy data services, including back-up and legacy management, data forensics, eDiscovery, tape restoration, regulatory and compliance, and legal services. Our proprietary software stack and workflows accelerate time-to-data and provide instant insight while eliminating cost and risk.