Corporate Information Governance: Whose Job Is It Anyway? (Part II) via Above the Law

by Mike Quartararo

Last week, we talked a little about the importance of information governance and how critical it is to get stakeholders to the table. We asked why fully 40 percent of companies do not have a formal information governance policy and why half of organizations do not have a dedicated individual assigned to lead information governance.

This week, we look at that leadership function, the executive support that is needed to get an information governance initiative off the ground, and some specifics for implementing an IG program.

Data managers are repeatedly asking questions like who is creating data, where is it stored, and how are people accessing it? Additionally, they want to know who owns or controls the data, if it is needed and for how long, and how do they maintain and secure the data.

Talk to any CIO or IT director and they will tell you that their challenges lie in one or more of these questions.

But with everything else they have on their plates, it should surprise no one that many IT leaders have neither the money nor the time to formally implement an information governance program. And this says nothing about all the other potential obstacles they face.

An information governance program sounds like a big deal, after all. Some might argue that it’s okay to back-burner such plans in favor of more pressing needs. Done right, however, and IG plan can solve many of the issues facing IT leaders today.

First, get the right stakeholders involved. It starts, frankly, with legal operations. As the principle risk managers for the organization, lawyers and legal ops professionals should be leaning in heavily to press executive leadership for funding and resources. But that’s just the beginning.

Every business unit leader needs to be involved in the IG conversation. Because one of the first questions (i.e., who is creating data?) reaches across the enterprise, each leader must be engaged. Data silos that previously existed need to be broken down and centralized.

And there needs to be a formally appointed leader who is empowered to direct and manage the IG program moving forward. Some organizations have CIGO or CISO roles, others have less attractive titles. It really does not matter what the role is called, just that it exists.

The IG leader not only needs authority, they also need to be a strategic thinker. Realistic IG solutions involve coordinating a lot of moving parts, including people, processes, and software tools. The goal is to make the process as seamless as possible; it’s difficult to do in a bureaucratic and siloed setting.

Second, it is necessary to take an organization-wide inventory. From every business unit, it is necessary to answer each of the initial questions data managers repeatedly ask. What tools are they using? Where is data stored? How are they using the data?

Next, consider using data classification tools. Data classification is a relatively new term to some, but large organizations have been classifying data for many years. In order to properly manage data, it is essential to understand precisely what data is under management.

Fourth, determine the organization’s legal obligations to retain information. This is typically a broad undertaking, but a retention schedule should apply to all information under management. And, perhaps most critically, if data is not needed it should be subject to disposition.

Every organization is different, but once the stakeholders are engaged, and scope of the data and the need to retain it are understood, the next step is to begin focusing one at time on the other substantive issues, like security (device and user access, data loss protection, intrusion prevention), regulatory and compliance (privacy, corporate governance, GDPR and reporting), and legal requirements (legal holds, data preservation and collection, eDiscovery).

Information is the soft tissue that holds an organization together. Many executives don’t see it that way. Things like eDiscovery have almost invariably been called a nuisance by top management. That is, until a litigation event hits or there’s a failure to preserve data. The point is that through a strategically thought-out process, that is implemented functionally and with all the proper stakeholders involved, organizations can easily reap the benefits of information governance and everything that comes with it.

Mike Quartararo

Mike Quartararo is the managing director of eDPM Advisory Services, a consulting firm providing e-discovery, project management and legal technology advisory and training services to the legal industry. He is also the author of the 2016 book Project Management in Electronic Discovery. Mike has many years of experience delivering e-discovery, project management, and legal technology solutions to law firms and Fortune 500 corporations across the globe and is widely considered an expert on project management, e-discovery and legal matter management. You can reach him via email at Follow him on Twitter @edpmadvisory.

Previous articleNew York enacts new data breach security laws – SHIELD Act
Next articleJesse Wilkins of AIIM provides advice on how to handle records when an employee leaves

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.