Does Your Information Governance Program Look Like an Abandoned Fairground?
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Winter 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com
“Our Information Governance program looks like an abandoned fairground in my mind… each old ’ride’ representing a technology, software or server with data and information we no longer use, need, can find or know what to do with.” – Quote from a Manager at a Public Utility
ARMA International defines Information Governance (IG) as a strategic, cross-disciplinary framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable for the proper handling of information assets. Using a combination of views about information governance, BDO defines it as the ability to integrate people, process, technology and data into a framework that is cross-functional throughout the enterprise. This model allows for the development of an enterprise information governance program that aligns business functions and the use of data practices with their technological, business, security, privacy and legal needs.
The “abandoned fairground” metaphor is a great visual. Imagine an old roller coaster being the legacy CRM program that was replaced by Salesforce. The Ferris wheel was your old accounting software package now in the cloud. Your on-premises Windows server infrastructure was the spider ride, which is now hosted in the cloud via Office 365 and MS Azure. These rides were the best when they were new, but now they lie dormant with no one actively using them. However, leaving them in place unattended incurs costs and presents risk.
One can compare this metaphor to an organization’s lack of resources for its records management functions, which are part of the foundation of a sound enterprise Information Governance program. Long seen as a line item on an organization’s balance sheet and a back-office function typically delegated to the Facilities or Information Technology (IT) departments, the cost and management of the program has long been considered a necessary evil and not a value add for the organization. However, with the software tools and processes that are now available, many organizations are realizing they can clean up their IG program with all its Redundant-Obsolete-Trivial (ROT) data and bring it into compliance in a timely and cost-effective manner. Organizations are also seeing that these mitigation efforts will drive increased productivity and business process transformation, which, as a result, often improves regulatory compliance, reduces costs and organizational risk, and increases profitability.
What does an organization’s enterprise landscape look like?
Understanding what legacy systems your organization has and what it’s costing the organization to maintain them is the first step in an Information Governance assessment. To properly “map” out the enterprise landscape, both current and legacy systems containing data must be identified and tracked. Once systems have been identified, organizations should implement steps that include:
- Understanding who has access to the data or information and how it is used throughout the enterprise
- Identifying dormant data and information
- Identifying any additional data and information repositories that are outdated and outside the organization’s records retention schedule
Why is it important to have a strong IG program?
Aside from the normal regulatory reporting requirements that nonprofit organizations must comply with, nonprofits that are collecting or managing data on residents in the European Union (“EU”) are now subject to the recently implemented General Data Protection Regulation (GDPR). The specific requirements within the regulation mandate that organizations have a firm understanding of the Personal Data (similar to what the U.S. refers to as Personally Identifiable Information, or PII) they possess and control. Additionally, the organization must have documented processes in place to be able to provide any individual who is a resident of the EU a summary of what specific Personal Data is being maintained by the organization, along with the mechanism(s) to delete their Personal Data, if they so request.
Examples of Personal Data a nonprofit might possess would be email addresses or newsletter mailing information the marketing department may be using to communicate to donors, subscribers or interested parties. According to Article 5 of the GDPR regulation, this information should not be maintained after the point in time in which the need/reason for processing it no longer exists. Once that point in time is identified, the Personal Data should be removed from the enterprise systems, including downstream systems, in a secure and timely manner.
Additionally, according to the Information Commissioner’s Office based in the UK (www.ico.org.uk), nonprofits can be considered both “data controllers” and “data processors.” There are several ways in which a nonprofit is then subject to GDPR:
- As an employer processing data of volunteers, employees or trustees
- As a campaign or fundraising organizer
- As a provider of services to beneficiaries
The GDPR provides the following eight rights for individuals:
- The right to be informed about the collection and use of personal data
- The right of access to their personal data and supplementary information
- The right to rectification of inaccurate personal data or completion of incomplete data
- The right to erasure of personal data
- The right to restrict processing that allows an organization to store data but not use it
- The right to data portability, which allows individuals to safely and securely obtain and reuse their own data for their own purposes
- The right to object to processing based on legitimate interests, direct marketing and for purposes of research
- Rights in relation to automated decision-making and profiling
What makes IG so challenging for most organizations is that it is as much about organizational structures as it is about data. Most organizations, including nonprofits, work in what the IG profession refers to as silos. Each of these silos is represented by various departments, locations and service lines who are all currently responsible for their own data and records with little or no thought as to how their individual programs or governance efforts may impact the organization as a whole.
Unlike mature enterprise information governance programs, these organizational and information silos result in increased liability and costs to the organization while also increasing the cost of managing and maintaining current and legacy systems. This is the exact opposite of what a mature IG program is designed to accomplish, which is the reduction of your data footprint (data minimization) through the elimination of ROT data. Improving processes and controls will result in reducing the organizational risk profile while increasing efficiencies and controls over your data.
Due to the implications, the recent passing and implementation in May 2018 of the GDPR as mentioned earlier, and the passing of the California Consumer Protection Act (CaCPA) which takes effect Jan. 1, 2020 (and may have up to a six-month look back), nonprofits cannot continue to do business without prioritizing how to secure and manage their sensitive donor and organizational information.
Can creating a strong information governance program create strong ROI?
The simple answer is “Yes!” Every organization is unique, and every organization has its own strategic business goals, so it is difficult to quantify a return on investment (ROI) without specific information. However, what a strong IG program supports, and shows results in, is better control and security of your information and an improved ability to leverage that information to make more informed decisions. Another result that may occur is improved efficiencies that generate better outcomes. In a nonprofit, this could result in the ability to better understand which donors and volunteers are engaging with the organization, and how. Clean, accurate, available and meaningful data will allow the organization to look to the past to guide the future.
What are some examples of benefits that are a direct result of improved IG programs?
- A reduced risk profile for the organization
- Improved outcomes of regulatory audits
- Minimization of the data footprint which results in lower costs to store, maintain and dispose of data in all its forms
- More productive employees in their daily activities by making the data and information they need available in a safe, secure and timely manner
- Better decision making by having data that is more accurate, available and trustworthy
How do you start to prepare to make changes?
Existing corporate culture and changes within that culture pose difficult challenges specific to bringing an organization into compliance and building an effective IG program. The first and most important step is to get executive sponsorship and involvement of all stakeholders to support the success of an IG program. Developing and nurturing a culture of compliance does not happen immediately. Organizations should implement programs where employees are asked and encouraged to change habits and business processes so they understand the benefits to the organization as a whole. Additionally, seeing how these changes will impact each of their specific jobs and responsibilities will result in saving the organization money and preventing its exposure to unnecessary risk.
Don’t Let Perfection Get in the Way of Progress
One of the justifications organizations use to stall change is that the proposed new processes are not perfect. No IG program will ever be perfect. The variables involved in any organization, particularly those that are larger, make it difficult to create a program that’s perfect. What is needed is to create an ongoing and iterative IG program that:
- Has executive sponsorship and ongoing support
- Has deep and continued stakeholder involvement
- Is audited and evaluated on a regular basis
- Is nimble enough to make changes in a timely manner to address new regulatory requirements, business changes and personnel turnover
An IG program that does this will create and support a culture of compliance in an organization and lead to efficiencies across a variety of areas including records management, e-discovery, information security and reporting.
Get Help and Participation from These Areas
The creation of an IG program takes some planning and is the responsibility of multiple people within the organization. The creation of a strong IG program will require input, knowledge and expertise in at least five areas of the organization. As shown in the Information Governance Reference Model (IGRM), these areas need to work collaboratively to create a strong and successful IG program. Start by fostering positive relationships across the business lines that include the security, IT, RIM and legal teams. Discuss the priorities each group has and the responsibilities they currently oversee. Finding synergies can develop partnerships to achieve shared goals. Ultimately, including these stakeholders will allow the organization to identify areas that need attention and that a strong, well-rounded IG program can accelerate.
A strong Information Governance program is possible to accomplish. Understanding where the organization is maintaining data benefits the organization, as the organization will reap the rewards of a properly managed program. Engaging key stakeholders throughout your organization is the most important activity and step an organization can take to get started. The benefits that result from creating a strong IG program will support efficiencies and reduce risk profile. And most importantly, a well thought out IG program will create a culture that functions every day. As with our fairground metaphor, making sure your data is accounted for and maintained is synonymous with ensuring the fairground is not abandoned, but maintained, so all rides, new and old, are safe and fun, and a place where everyone wants to go!