The adoption of a smart, effective information governance program allows businesses and organizations to thoughtfully manage and value their data. But what happens when information governance principles are not in place?
The eight guiding principles for creating this structure apply to any regulated and functioning organization that takes Governance, Risk, and Compliance seriously. Without using these rules to help guide your organization, you may face dangerous mistakes in your information governance policies.
Here are eight mistakes based on each of the information governance principles:
Mistake #1: Senior leadership doesn’t see the value in implementing program compliance monitoring/audit for the organization’s workforce.
This mistake goes against the Principle of Accountability, which compels someone in an authority role to oversee the information governance program. This person should delegate responsibility for information management to appropriate workforce members and ensure they have input in company-wide initiatives, including establishing and following policies, improving the program, and cultivating best technology practices.
Mistake #2: The lead of the compliance team fails to document his or her information governance program, saying, “I understand what’s going on, and no one else needs to know.”
This breaks the Principle of Transparency: the workforce, at the appropriate levels, is left in the dark about its information governance policies. If one part of your team is slapped with a litigation hold, those team members may not know what’s confidential, what’s not, and what they need to produce. Having documented, transparent principles and processes can save your organization this headache.
Mistake #3: There are errors in your file for clients and vendors. The attributes of data quality go unchecked without an effective information compliance program.
If your data quality doesn’t include completeness, accuracy, consistency, timeliness, validity, and availability, you’re breaking the Principle of Integrity. Clients and teammates need to rely on information within your organization, meaning there should be consistent information governance practices throughout the information lifecycle of the business. Transparency becomes critically important when you need to build acceptable audit trails in case of pending litigation.
Mistake #4: Senior leadership fails to make a contingency plan during information breaches, causing work disruptions during and after the incident.
Breaking the Principle of Protection can cost you big, especially if your data is being held by ransomware (when cyber attackers lock up your system until you pay them). If you don’t have a plan for uploading information onto a server or cloud other than your system computers, you’re leaving yourself open to attack. Information protection can take the form of workers at the appropriate levels and other authorized parties managing security access controls on the company’s data. The level of access to documents must be changed to match the role of each person in the company. All precautions must be taken to suppress the release of personally identifiable information, even if it happens during a seemingly routine automated file transfer.
Mistake #5: The head of the information governance program sees laws, regulations, standards, and organizational policies as suggestions instead of airtight rules.
The Principle of Compliance means every organization has a duty to fully comply with the appropriate laws and regulations. These laws and regulations may depend on your industry; for example, the healthcare industry has a particularly important interest in adhering to the healthcare requirements of privacy and confidentiality, fraud, and abuse in the course of business. Every organization must know: 1) what information to log into its records, 2) how to enter that information so that it complies with laws and regulations, 3) how to maintain the information per those same standards, and 4) how to develop internal controls to ensure the company is in full compliance with these requirements.
Mistake #6: A stakeholder makes a legitimate request for records, but the appropriate member of the workforce can’t find it in a timely manner, if at all.
A great organization must be able to identify, locate, and retrieve information in a manner that’s efficient, accurate, and timely per the Principle of Availability. You should also be able to routinely back up your information in case of a disaster, data corruption, or system malfunction. Without that, you can lose the requesting stakeholder’s trust.
Mistake #7: Your records retention management policies? What records retention management policies?
It’s key to hold on to your information, but more than that, how long and in what form? That’s the crux of the Principle of Retention. The organization must establish a retention schedule that spells out which information should be retained and for how long, based on the type of information and the organization’s legal, fiscal, and historical requirements, just to name a few factors.
Mistake #8: Your organization is a packrat.
It didn’t work for Big Edie and Little Edie of Grey Gardens notoriety, and it won’t work for your company. Not establishing rules based on the Principle of Disposition means you’re holding data and information that are no longer required to be kept under applicable laws and company policies. Appropriate methods of disposition include destruction of information in a secure manner and, in the case of healthcare patients, transferring the patients’ records to them directly.
There you have it: the eight big mistakes when it comes to information governance and why it’s important you don’t make them. Hanzo can help you avoid these costly, potentially litigious gaffes with our suite of stored web archiving solutions. If you’d like to learn more about information governance, archiving web content, or some of our solutions, please contact us at firstname.lastname@example.org.