The Mirage of the GDPR Solution

On April 4, we conducted a webinar on GDPR Compliance. (What? You missed it? No worries, it’s here)

One of the key points I made during this session was that GDPR requirements are so comprehensive, no single technology or solution could possibly meet them all. And as such, any vendor who claims to be selling a GDPR Solution was either over-simplifying the path to GDPR compliance, or they were being dishonest in the marketing. There is no such thing as a GDPR Solution; if you look closely at something that claims to be one, it will vanish upon closer inspection.

“Wait! You claim GlassIG is an Information Governance Platform! How is that any different?”

Guilty as charged. GlassIG was the first technology branded as an Information Governance Platform; we’ve been flying the IG Banner for almost a decade. Our view is that IG means:

  • Defining and centralizing your policies
  • Identifying which of your information assets need to be governed according to those
  • Actively enforcing policy on these information assets

 

 

 

 

 

 

 

 

 

 

The thing is, IG is a marketing term. Not every vendor would agree with our definition of it. Once the label began to get some traction in the marketplace, every technology within shouting distance of IG began to claim it: Records Management, Retention Schedule Management, E-Mail Archiving, E-Discovery, File Analysis, even Electronic Archive Systems identified themselves as Information Governance Solutions. They still do today, and on behalf of the Vendor Community at large, I presume to apologize to the market for the confusion we have caused.

GDPR is different. There is a very clear set of standards, codified and ratified last year by the EU Parliament. GDPR spells out:

  • What is personal data?
  • What rights do individuals have regarding their personal data?
  • What responsibilities do data controllers have regarding personal data?

The answers to these questions touch on Business, Privacy, Security, Risk, IT, Legal, and yes, Records Management. In many ways, I likened this to the E-Discovery Reference Model, in that the spectrum of responsibilities spans almost the entirety of a company’s information management practices. What’s a company to do?

Well, Step 1 is to firmly reject any vendor who tells you they have a technology that will get you in compliance. I’d ask you to be polite about it… we are a Swiss company, and would never advocate rudeness. But firmness is certainly acceptable here.

Step 2 is to assess your risk profile and appetite, and begin with GDPR requirements that most specifically map to your business and potential for costly compliance violations. GlassIG can help with some of these, including:

  • Defining of your information assets should be managed according to GDPR requirements
  • Creating a cross-repository inventory of these information assets
  • Retrieving, exporting, or deleting information assets as required by GDPR and other information management regulations
  • Measuring and Auditing such activity for compliance reporting

 

Behind the scenes, we are working with one of our closest partners to build out an end-to-end GDPR Compliance Model. While I claim that no single technology can meet all your GDPR Requirements, that doesn’t rule out the possibility that a blend of cohesive platforms might do so. Watch this space for a white paper and webinar later this summer, where we will describe a full GDPR Compliance Suite.

Highlights from #InfoGov CrowdChat – A different perspective on the Information Governance journey

Those who fight against cloud will be left out of conversations. You must understand the business goals and give reasonable parameters for success.” – Matt McClelland, Blue Cross Blue Shield NC.
This was just one of the many wisdoms revealed and explored during GlassIG’s recent #InfoGov CrowdChat, which discussed the steps to take on the never-ending information governance journey.

GlassIG thought leaders were joined by Alison North, Chris Walker and Matt McClelland as panelists, all industry experts in information governance.

It was a brilliant discussion, with key points being the definition of information governance, as well as the new challenges and changes companies face today, such as cloud, rules / regulations and new skills.

To see some of the illustrations and to get a flavour of the chat, take a look at the summary below or visit the chat page where you can read the full conversation.

For more info on GlassIG, please attend our webinar this Wednesday, June 29, 2016.

Why Redefine Information Governance? 3 of 3

Redefining Information Governance

At GlassIG we aim to redefine how an Information Governance program should be perceived and implemented. We believe that key improvements are needed to accelerate adoption and facilitate deployment. We have leveraged 8 years of Information Governance market trends and customer experiences from all over the world to build solutions that fix today’s challenges and are flexible enough to welcome future requirements and evolutions. The list below is not exclusive, but gives a first level of benefits organizations will have by utilizing our solutions.

 

A shared vocabulary

“Retention schedule”, “lifecycle management”, and “record class” are key words to Information Governance experts but are understood by very few people in a typical organization. For the broad acceptance of any Information Governance program, we need to open up the vocabulary to non-experts. Information Governance cannot be a field that only trained records managers or information management experts can discuss. For collaboration purposes, the language of Information Governance must be easy to understand and accessible to all. Otherwise we cannot adopt an Information Governance program and we cannot recruit the information workers of tomorrow.

 

Setting policies needs agility…

Up to now, information policies have always been created and maintained by a small core of experts within an organization. Most of the time these are based on corporate rules and processes, and focused on the component or function of the business that needs governance. Corporate rules cover only broad questions, such as, “What do we do with all customer files?” (This can be different from industry to industry, of course.) Also centrally defined, are information policies linked to laws and regulations. Typically a policy is approved by an executive decision based on input from the legal department after a risk/value analysis. This needs to be done to identify which laws and regulations require strict compliance to avoid legal cases or litigation.

With the evolution of technologies, and the opportunity to access a large number of cloud based services, any information worker has the potential in the future to create policies. Rather than simply proscribe this facility, companies need a flexible model where policy creation is allowed but is traceable, using an Information Governance solution that keeps track record of who set the policy and why. The solution needs to be able to fit these “local” policies into the organization’s generic global policies, empowering information workers while still allowing oversight, metrics and feedback.

 

And a multi-jurisdictional approach

The model in place to manage all these policies must be agile and it must scale: today’s start up organizations can very quickly expand their business coverage to an international scope, where additional laws and regulations from different jurisdictions will have to be integrated very quickly.

Experience with the implementation of European directives within European member states has taught us that even international regulations have local variants and interpretations. So, it not just about being able to add new policies, but also to be able to link global policies to local ones. Companies cannot afford to change their existing solution in place as they enter new markets. They have to be sure that their current solution is sophisticated enough to answer these new compliance requirements and any future requirements they may encounter.

 

Information is everywhere: a hybrid approach is a must have not a nice to have

From the new challenges organizations are facing today, it is apparent that information is everywhere, from on premise information systems to cloud based drives and repositories. It is simply unrealistic to assume that information can be extracted from all existing and future systems where it is created and consumed, and migrated to a central repository where, out of context, it can still be accessed and correctly interpreted. This means that an Information Governance solution needs to enforce information policies in place, while the organization’s information remains where it is most usefully created, stored, maintained, used and reused.

The adoption of cloud based repositories is growing rapidly in organizational departments, they simply cannot be ignored or managed individually. Global and local policies need to be enforced the same way in the cloud better, because it is more distributed, than they used to be in an entirely on premise repository. Hybrid information governance is the only way to bring consistency and apply the same information policies across the organization irrespective of the information type and format.

 

We are all information managers

Even with these new and more integrated ways of working, information management will not be understood by all. Unfortunately Information Governance solutions in their current form are too complex for many staff, who lack expertise and training; and who, themselves, have very few opportunities to learn and contribute to the information management strategy of their company or organization. We have seen that a first step is to develop and share a simplified vocabulary. Once this is done, the second step to increasing adoption is to transition to easier tools and simplified processes that hide or remove complexity and transform a painful and complicated information management program into one that is logical, simple and easy to understand and apply.

For example, everybody in a company should be able to access its information policies and be able to quickly find corporate and local policies related to any information under governance that they work with on a daily basis. Having identified a relevant policy they should be able to understand it and apply it, or if automated, how and when it is applied. It is by achieving this level of Information Governance adoption through a solution that embodies radical and disruptive approaches that organizations will be able to increase adoption, facilitate the understanding and importance of Information Governance, and raise the contribution by staff towards a successful deployment and ongoing program.

 

The most important success factor

Information Governance will succeed if it is adopted and embraced by every information worker who creates, uses and values information inside your organization. That way you can be sure that your organization is fostering an internal culture of good governance.

It is time to redefine your Information Governance program with GlassIG today.

 

Click here to read part 1 and part 2.

Challenges of Information Governance: the daily reality! 2 of 3

The pace of digital innovation

Technological innovation is permanent and irreversible. In today’s competitive landscape, businesses are leveraging each new technology to improve their time to market, enhance their customer services and expand their channels of distribution; or, alternatively, to reduce their costs with fewer points of sale and with optimized processes. This transformation has created the “digital universe” we know today where the quantity and the variety of information produced and consumed is exploding, year after year.

Organizations are now facing new challenges: moving into this digital universe means that manual processes related to organizing and managing information are no longer viable. A global information management strategy requires flexibility in order to facilitate the integration of each new service deployed, and each new department or acquisition. Such a strategy also needs to give end users an opportunity to be involved digital transformation and provide platforms for them to collaborate from day one.

Moving to cloud-based services

One important part of digital transformation is the transition from traditional server room software licensing arrangements to cloud-based services. Here we find a good example of what for many organizations is an increasingly urgent consideration. Cloud service models require no hardware purchases or deployment costs and can usually be brought online in mere hours. Often, up-front licensing costs are small or non-existent and the service adopts a pay-per-use mode. Not only that but cloud services are available from everywhere, facilitating a mobile workforce and work from home arrangements.

Cloud-based services have many great advantages. Nothing is easier for any department such as marketing or customer services, to deploy and use a new service with a simple credit card. However, because they are simple and easy to initiate by anyone in any department, they are often implemented outside of any information management or IT control, and information created and manipulated by these services is not accounted for by traditional records management, and avoids governance by information policies, the information lifecycle, retention schedules and disposition.

Cloud services therefore introduce a new complexity and represent a clear challenge for an information governance program. It simply won’t work if a company defines a set of global information policies but is unable to apply them to corporate systems and services in the cloud. Information policies must be enforced on any information wherever it resides and whatever the application that has created it, otherwise the organization cannot meet its compliance goals.

One particular cloud-based service, so-called cloud drives or cloud boxes contribute significantly to these challenges. Their deployment, in personal apps, exploded with the BYOD wave some years ago. This effectively provided an opportunity for any employee to access and sync all of their professional documents and files from their work computer or laptop onto a personal device such as a tablet, outside the control of the IT department. At the time this represented a big breach in information risk management and compliance.

Roll forward a few years, and we find that the cloud box suppliers have developed professional editions, that can be set up for an entire department in a couple of clicks. These business editions provide a new and easy file sharing system, with key collaboration features and basic lifecycle management functions, that can replace and bring many benefits over traditional local area network shared drives. But here again, these cloud boxes are not under the radar scope of records managers, and global information policies are not enforced on the documents they store. The breach in compliance is still there, and content consolidation in one place to facilitate its management is not a solution. Management has to be done in-place in every cloud-based service that the organization subscribes to.

Are records managers Information Governance managers?

This question is one that we have been commonly asked over the last few years. The answer remains open. From what we have learned (see the previous post LINK) and from the technology challenge discussed previously, it seems that record managers are challenged as well in their daily life. They fight to get their existing information policies understood and applied. But often in the digital world, their processes and workflows have too many analogies with physical records management. This may have worked when electronic records were first introduced, but many employees nowadays have never worked in environments where they needed to manage a paper workflow. These employees have come straight from school or college where there assignments are submitted electronically, and where the most popular device is their smartphone or their tablet.

It is increasingly tougher for traditional Records Managers as they try to balance their own priorities, preserving the long archive heritage of physical records, increase their collaboration skills across multiple departments, and to digest the new and permanent workplace technologies like cloud boxes and other new services. And, of course, they are also expected to define the strategies that need to be in place for implementing future Information Governance programs and initiatives. If new technologies allow end users to collaborate, find what they need, and improve the organization’s time to market, it is a clear indication that we need technologies that can answer the Records Manager’s challenges as well. If the relationship between Record Managers and the IT department haven’t been always good, at least this should provide an opportunity to reconcile their objectives.

Aren’t we too ambitious?

Many companies have perceived the Information Governance program as a global one. And only as a global one. Executives think that because Information Governance deals with risk management, the perimeter of the project has to be global. Some very specialized vendors have demonstrated that Information Governance could be similar to a journey. This means starting small, and following an iterative process, enlarging the program step-by-step, and adding functions or departments one-by-one.

Trying to introduce Information Governance guidelines into the mindset of any business manager or information owner and change organizational culture and behavior is inevitably a long process. The best chance of success is to start by looking for those areas of the organization where an Information Governance program will make the biggest impact, and the biggest value.

It is also critical to have metrics in place to objectively measure the program’s efficiency. These need to be set around the three key objectives: Minimizing Risk, Minimizing Cost and Optimizing Value. Organizations have found that defining a broad ROI for Information Governance has not been an easy thing to do. By focusing on these objectives the question, “Are we being too ambitious?” can be replaced with “Where can I find a flexible and innovative solution that can fit a progressive and flexible approach to my Information Governance program?”

Compliance and Governance

The interaction between the two concepts of compliance and governance is a key aspect of an Information Governance program. As described earlier, information policy related laws and regulations are increasing across all industries and in all countries. Today’s organizations need to protect themselves from any non-compliance. They are also looking for multi-jurisdictional capabilities as they provide their products and services all over the world through their website or on mobile apps. Often they have defined some information management policies in regards to their own internal processes, but they need to extend their policies by adding those relevant to their business in the countries where they operate. More than this, a multi-jurisdictional approach is now a must. Most countries have local adds-on to international regulations and must comply with laws that are defined at different levels. Examples of multi-jurisdictional legislation include the European GDPR (General Data Protection Regulation), the EU-US Privacy Shield, etc. Organizations need to stay on top of these emerging regulations.

For organizations where a changing information policy landscape is a permanent condition, any Information Governance solution that can evolve with customer requirements and offer a flexible value proposition is sorely needed. It is time to redefine Information Governance.

 

To find out more, read part 3.

The secret sauce of Information Governance: Education

Education

The root of the verb to “educate” is the Latin word “educare” which means to “lead out” (for example, to educate children is to lead them out of childhood or, as we would be more likely to say, to “raise them”). The word “educare” in turn comes from a conjunction of two other Latin words, “ex” meaning “out” and “ducare” meaning to “lead”.

The reason for this diversion is to point out that right from the very origin of the word itself, a great deal of the meaning of “education” revolves around leading and leadership. This still applies today to all forms of education including education in Information Governance.

Cultural shift

To change an organization’s culture requires more than simply adopting new tools and technologies. In many ways, adopting an Information Governance solution such as GlassIG is the easy part of implementing an IG program (and we are committed with each new release to continue to make it easier and easier). However, not even GlassIG can help an organization to add a governance layer to its information if staff remain unwilling or unable to adapt their habits and behaviors.

Cultural change is therefore necessary but not guaranteed as part of an Information Governance rollout. It will require change management and in particular a program of education. In other words, the organization must be led out of its former state where unmanaged information use was the norm, and everyone arranged their information to fit themselves, into a new state where information is governed for the benefit of all.

There are lots of educational and change management resources available out there, so instead of attempting to give all of the possible ways in which you could approach and adopt education in Information Governance, we would like to challenge you to think about new and different ways in which you can educate others in Information Governance. Here is an example that we came up with:

Gamification

For the organization’s Information Governance program to succeed, staff must be committed to putting it into practice. This means that they must not only see the benefits and advantages it brings to the organization, but also the benefits and advantages it brings to themselves and their careers. Think about how to motivate staff to better adopt Information Governance through rewards based schemes – even, if possible, through gamification.

More and more, gamification is being used to motivate people to keep their email inboxes clear, reach fitness and health goals, and to complete tasks and challenges. Why can’t the same techniques work with Information Governance? We have never seen end-of-year bonuses of company employees linked to how well they have managed their information and filed their documents throughout the year, but why shouldn’t it be? When a staff member adopts good Information Governance hygiene then it is for the benefit of all, not just themselves. What about putting up a picture in your entrance foyer of “The Information Governance Employee of the Month” and seeing if this attracts attention and interest to your IG program?

Back to leadership

If education is about leadership then that means the organization’s Information Governance officers and its Information Governance team must become leaders ready to lead the organization forward into the future – a different future to the one that the organization faces today. This is a serious undertaking. If you are reading this and you are a Records Manager, Information Officer, or other information professional then do you have the leadership qualities you need to be a leader in your organization?

Are you prepared and able to empower staff to work towards your Information Governance vision? Are you prepared to fight for the resources you need to put in place an Information Governance strategy? Are you able to put together a strong business case to successfully bid for a budget to undertake an Information Governance program to put that strategy into practice? And are you ready for the hard slog of implementing that program, if necessary over multiple years, and educating, educating, educating until Information Governance is accepted and adopted across the whole organization from the executive level to the back office?

Working for an Organization is not the same as working for yourself

Personality

Are you a neat person or a messy person in your Information Governance habits? Chances are that if you look around your house you will be able to find some evidence that will help you.

Do you have a box file containing all your utility bills in chronological order? Or are they scattered around in different drawers, some unopened, half of them kept for no reason while half have been thrown away, also for no reason?

Do you have all your receipts in a neat pile ready for you to make out your next expenses claim? Or are they jammed into your wallet, loose in your pockets, left in the bottom of your briefcase, or will you have to check through the drawers in your desk, just in case you left them there?

Do you keep a logbook of your car’s mileage and petrol consumption? Or is it all you can do just to reach a pump on the last gasp of fumes in the tank and pay to fill it up each time it is running on empty?

By now you are probably getting the idea that people who practice good personal discipline are, by and large, more likely to adopt good Information Governance habits in the workplace. This is not necessarily universally true, but from our experience we think it a reasonably reliable indicator.

Now you might also be thinking, therefore, that this is an article about how Information Governance Officers are slightly more anally retentive, or slightly more likely to suffer from OCD, than the average person in the population. But actually that is not what this blog post is about at all. You see, when you are organizing or dis-organizing your personal life that is up to you. But when you work as an employee of an organization you are a contracted information professional.

Professionalism

No one pays you to mow your lawn or clean your house. You do it, if you do it, for your own convenience, whether motivated by your conscience, your pride, a sense of duty or responsibility to your family, conditions of your tenancy, genuine interest, concerns about health and cleanliness, because that is how you were raised, or one of a number of other reasons that only have meaning to you.

In the workplace, however, you are not working purely for yourself. You have a duty to the organization, and a responsibility to your subordinates, your colleagues, other team members, and of course to your managers. This duty of care extends to your behavior around Information Governance.

It is simply not good enough to mismanage your email, for example, if your job requires that you ensure that all evidence about a particular matter is captured and made available to everyone working on the project team. If you are away one day and another team member gets a phone call but cannot respond to it because you have not declared or catalogued the relevant item of information, then you are no longer just harming yourself, you are cause harm as well to the organization itself.

That is why we stress that good Information Governance hygiene is as valuable a personal and professional trait as speaking politely to your clients, filling in a leave form before you take your holidays or making sure that the board papers are correctly collated.

A better employment contract

One final point for Information Governance Officers; what does your organization’s standard employment contract template say about Information Governance? This is well worth following up with your HR department. Make sure that you have a clause in the duty statement for every position in the organization that specifically states that one of the duties of this position is to implement and put into practice the organization’s Information Governance program.

In our experience, most employers ensure that their employees specifically sign up to the organization’s information security policies; including misuse of the Internet, taking unencrypted information out of the office, and so on. But very few employers ensure that their employees sign up to taking specific and personal responsibility for adopting the organization’s Information Governance program.

The rise and rise of Information Governance

In the beginning

Was there really a beginning for Information Governance? If we are talking about Information Governance as a term, then yes it was coined and came into popular use as recently as in the last ten years. If, however, we are talking about the concepts behind Information Governance then they are lost in the mists of time. Surely as long ago as there was recorded information there was also someone trying to manage it, store it, and restrict access to it.

Definitions

As a discipline, Information Governance is closely related to information management and records management. In fact, some would say that Information Governance represents a superset of traditional records management that wholly incorporates RM as well as a number of related information activities, such as ediscovery. But, this simplistic definition needs a little unpicking.

The relationship between information and records

ISO 15489 defines a record as, “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business”. This definition narrows the idea of a record from all information to a specific set of information, specifically an item of information that is related to a legal requirement or business transaction. Many organizations have information and data, important and otherwise, that may fall outside such a narrow definition but is still significant to the organization.

This broader definition of an organization’s information as opposed to only its formal records has been more generally recognized over the last two decades since the original publication of ISO 15489. In the 2000s, Records Management professionals and their professional associations started changing their titles from “RM” to “RIM”, meaning “Records AND Information Management”.

Within the information management community, practitioners also looked beyond the records repository and started seriously talking about what to do with the insubstantial information at the other end of the spectrum from the formal record: namely ROT (the “Redundant, Obsolete and Trivial” information – the sort that fills up our shared drives, Sharepoint sites and email inboxes). In the paper days of yore, this information would find its way to the shredder or the bin under the desk. In today’s digital world it hangs around forever, as no one is brave enough to destroy it, “just in case we need it”.

Information Governance then, is built on this broader definition of information. It deals with all of the information within an organization and all of the many uses and directional flows of that information. As a consequence, the brief of today’s Information Governance Officer can range far more widely than that of the Records Managers that came before.

Governance versus management

If the term Information Governance is broader in scope than that of records management, then it is narrower in respect to the whole field of information management. This is because information can be managed on any basis and for any purpose. Information Governance, by contrast, refers only to information that is “governed”, where governance refers to a highly specific management process.

When information is “governed” then it is managed so as to comply with a specific information policy. That is how one governs whether it be people or entities: by establishing a policy covering a particular case and then ensuring that where that policy applies, the entities under governance are so directed as to comply with it. Organizations that practice Information Governance therefore, must do four things:

  • first establish their information policies
  • then apply or associate those policies with their information assets
  • enforce those policies
  • and finally, check the outcome and adjust as necessary the policy

The last step is essential to good governance: a governing regime cannot simply issue policy edits, it must implement some kind of feedback loop to ensure that its underlying intentions in imposing a particular policy are actually being met.

If this process is not at the heart of your Information Governance practices then what you are practicing is not really Information Governance at all but just another form of information management.

Information Governance is here to stay

Here at GlassIG we believe that Information Governance is here to stay. There are many reasons for this and implementing an Information Governance program for your organization will provide you with many important benefits. But, the main driver for the rise and rise of Information Governance is that it provides exceptional accountability.

Because information must be managed in accordance with an information policy, odd and erratic information management activities are eradicated. Each policy is developed and checked and approved before it is implemented. Each policy can be traced back to one or more policy objectives, for example, to comply with a particular law or regulation, or a specific company directive.

This accountability makes Information Governance activities “defensible”. Each of the steps of policy development and enforcement can be challenged and tested. We can answer important questions such as, why a particular item of information was destroyed, or indeed, why a particular item of information was not destroyed.

Automation

But there is more. Another argument for the future growth of Information Governance lies in the field of automation. There is little doubt that many tasks that were previously performed manually, by humans, will increasingly in the future be performed by automated processes. This is as true for the field of information management as for any other field of human endeavor related to information technology.

Because Information Governance involves the management of information through the setting of well defined information policies it can be seen as an excellent candidate for full or partial automation in the future. In fact this is already being done to some extent in Information Governance solutions today, including in GlassIG.

In part this is because automation technologies and algorithms continue to improve, but it is also made necessary because of the exponential growth in the amount of information produced and consumed by modern organizations. Manual processes, staffed by humans, simply can no longer do the work necessary to directly manage an organization’s information assets. This can be readily seen in the many organizations that are struggling to maintain control over their digital information, and the several who have lost control altogether.

Fortunately, through the implementation of an effective Information Governance program this control can be regained. An Information Governance program, combined with intelligent automation, enables the modern organization to work smarter rather than harder.

What have we learned about Information Governance? 1 of 3

Information Governance Objectives

Information Governance, even if still not recognized as an official discipline by key market analysts, is nevertheless winning a huge battle: to be recognized and adopted as a key corporate program by top level management and information managers. There are different approaches to building an Information Governance program, but the good news is that there is a clear consensus around its objectives:

  • Minimize Risk,
  • Minimize Cost, and
  • Optimize Value.

These three indicators all need to be set and evaluated by organizations engaged in an Information Governance program, based on their expectations and requirements, and included as part of their program scorecard.

The technologies around Information Governance that exist today, allow organizations to assess quite effectively cost and risk factors. But there is still a long road to travel before we see accurate and easy valuations of an organizaton’s information assets. We are waiting for new approaches and models such as Infonomics to emerge.

Information Governance is not a short-term initiative, but a long-term program

Top level management need to take into consideration that the introduction of an Information Governance program is not a quick fix to the organization’s information and compliance ills. Once introduced and Information Governance program will remain with the organization for life. An Information Governance program should be compared to the organization’s corporate governance program or its health and safety program; as something permanent that the organization will always have. This means the establishment and operation of an Information Governance program needs a strong commitment from the executive suite and drive from key sponsors to make it happen, and make it continue. Selected departments from Legal to IT, and from Finance to key Business Units, must commit to the program and must collaborate to make it a success.

Who drives the Information Governance program?

Because Information Governance needs to be owned and driven by a program manager with strong collaborative skills and information management competencies, it is often thought of as something only large organizations can invest in; organizations with the necessary resources such as the Records Managers.

However, small and medium businesses also have compliance issues to manage. They also operate under regulatory scrutiny and they also want to maximize the value of their information. An Information Governance program for these businesses is therefore just as important, but their requirements may differ. For example, small to medium business often take faster decisions, as their time-to-market is their unique opportunity for growth. These businesses will need a solution able to support their requirements and their limited information management and IT resources.

Today, who drives the Information Governance program is not an easy decision to make. Information management professionals are fighting to get a seat in the boardroom, and to have their role in the organization valued and recognized, while information owners and content owners in Business Units or Functional Divisions are struggling to understand key concepts of Information Governance, such as information lifecycles and retention schedules. There is still a long way to go!

Where is the value?

From analysts’ reports and customer surveys, we know that there is a clear need for a new way of managing information. Information is everywhere and organizations are still fighting to extract quantifiable value from it that can add to their bottom line. Worse than this, organizations often don’t even realize how their legacy information may expose them to risks, and the dangers of non-compliance. As a result many organizations, underestimate the opportunity for an Information Governance program to transform their compliance concerns into a proactive approach.

Growth in the number and extent of laws and regulations forces companies to be more vigilant or face expensive penalties. It is important that they are able to interpret and apply these laws and regulations with the same efficacy and transparency as they do their internal information policies.

Conclusions

Information Governance is still an emerging discipline, and still very broad in terms of the technologies available. Many suppliers from software to service vendors try to sell their products by positioning them under the Information Governance umbrella. Once example is the attempt to widen the appeal of eDiscovery tools and services. Law firms and software vendors from that market are trying to enter the Information Governance landscape, but with a more complex message and a temptation to consider only the risk management component that should be part of a more comprehensive Information Governance program. That doesn’t help organization’s to benefit from one unified view on Information Governance.

That is why we need to redefine Information Governance, to bring it back to basics and focus on what organizations really need.

 

To find out more, read part 2.

2016 will be a tipping point in the Information Governance Space

2015 was the year in which Information Governance became mainstream. Data hacks / breaches are now so common, we shrug them off. (Most recent example here: 191 Million US Voter Registration Records Leaked). Facebook privacy settings, “The Cloud”, and ownership of corporate / government email records are now acceptable terms and topics in general parlance. People CARE when their personal information goes to places where it shouldn’t.

What does that mean for 2016 in the Information Governance and Records Management spaces?

Decentralization of Content Management Systems and Programs

For upwards of 20 years, ECM has been promising to centralize our information. Keep it in one place, apply a single set of policies to that information, and trust the system to manage content access and life cycles. And for 20 years, information produces and consumers have found their requirements were not met. Need more evidence? EMC was talking about killing Documentum, and replacing it with a set of content management applications. Then Dell bought EMC, and has yet to express any interest in remaining in the ECM space. (A nice summary, here: The Fate of Documentum.) As a result, large companies have found themselves maintaining dozens of departmental-level content systems, each thinking it was the King of its own domain.

I have always likened those who create and use content to water: both will find their way, both will choose the easiest path, and most importantly, both ALWAYS win, in the end. They will not be denied. In 2015, users learned that the easiest path went to the Cloud. Dozens of RSD customers maintain content in public or private clouds. In some cases, this was a corporate-sponsored initiative; in others, it just… sort of… happened. Either way, the result is now the newest buzzword in our space: Hybrid. Here’s a challenge for you. Research what Microsoft says about SharePoint 2016, and see how long it takes for them to say or write “Hybrid”. I’ll wait. It won’t take long.

Companies have content sitting inside and outside of their infrastructure, in shared environments, and in data centers over which they have absolutely no control. This trend is not reversing itself. On premise systems have embedded themselves, and they will not be quickly displaced. The adoption of Cloud-based systems is increasing. In 2016, information will, more than ever, be everywhere.

The question we must answer then, is this: how do Information Governance programs evolve to accommodate an increasing diversity of content systems?

Policy to Enforcement

It used to be said that companies were better off having NO policy (no retention schedule, no formal information management practices) than having a policy that was not adhered to. The natural conclusion, then, was unsaid: “Don’t have a policy unless you were willing to enforce it.” While it might seem strange to us as RM professionals, many companies chose precisely that path. They did not hire RM or IG expertise, and chose willful ignorance as the least costly, most easily implemented approach. They were wrong. We saw a shocking number of such companies come to us for assistance in developing IG policies, or revamping information classifications and retention schedules that had been defined a decade ago (and largely ignored since). This is progress.

The pain has been felt, the remedy prescribed. The trend in 2016, then, will be in the direction of actually, actively, even pro-actively enforcing the policy.

Large, Centralized Information Governance Projects

I’ll wrap up with a mental exercise for you: meld these two challenges in your mind. Decentralization of content and content management practices, overlaid against increased attention on enforcing policy. How do companies manage both?

In the past, our answer was to undertake a centrally sponsored (and therefore funded) corporate-wide Information Governance initiative, whose end result was to place all corporate data under governance. This is ambitious, and without the right level of sponsorship, virtually impossible. Our analyst friends at Gartner and Forrester keep telling us they are still waiting for their first case study.

In 2016, we see a new trend emerging: just as the content management systems and practices become decentralized, so do governance projects. In the past, this was impossible, with governance platforms aimed at the corporate-level (and priced accordingly). We see a trend towards reducing the barrier to adoption, allowing department-level records management teams to undertake these projects at a much smaller scope (and, naturally, budget).

What will this look like? We believe that over the long-term, Information Governance will become a service to be subscribed to, like Security / Directory Services or other SaaS offerings.

2016 – A Tipping Point for Information Governance

If 2015 was the year in which IG concepts became mainstream, then 2016 will be the year in which IG projects themselves become equally commonplace. Consider: over Thanksgiving, I explained the concept of “metadata” to my father, who is now 82 years old. I cannot imagine having that conversation with him when I first joined RSD in 2010. And yet, the ubiquity of IG failures has brought a new awareness to what we do, and what we’re about. We (RSD and our industry at large) must be primed to meet these demands. We have some exciting developments to share with you in the coming weeks and months, which will enable our customers to get and remain ahead of these challenges, not just in 2016, in the years and decades to come.