5 Things CA Companies Must Know About Information Governance in 2022
Do more with your information this year! These five tips will help you use your info to achieve better regulatory compliance, more solid customer and employee trust, and greater business value.
Now that we’re well into 2022, it’s more important than ever to make sure your approach to information governance is up to date. We turned to Ilona Koti, MLS, MS IM, CRM, PMP, CIPM, the information scientist who presented ARMA’s October webinar, sponsored by Corodata, “Why Governance is Not Enough: the Critical Need for the Shift to Information Assurance,” for answers.
Koti regularly surveys her webinar attendees for insights on their organizations’ approaches to governing information, as well as the effectiveness of these efforts. Drawing on her results, she shared with us the top five things she thinks California companies need to know about information governance in 2022.
Talk About “Information Assurance,” Not “Information Governance”
One thing that Koti says consistently jumps out from her surveys is that few people understand what “information governance” even means. It’s true that calling it “information assurance” does not capture all of the nuances of creating an auditable approach to data management and protection. However, the word “assurance” does a better job of conveying the tailored actions of incorporating technology to increase accountability around data use – which is a step toward helping everyone in your organization understand its importance and increase its effectiveness.
In addition, she notes, hard copies of certain documents remain key to various legal and internal business requirements, even as digital transformation initiatives increasingly take center stage. The ability to continue managing physical files, and scanning those files as needed, in secure offsite locations will remain a critical aspect of your information assurance strategy for a long time to come.
If you haven’t already started quantifying your data, Koti says, it’s time to start. Metrics are key to justifying your information assurance program, including measures of what data you have, what key initiatives it relates to and what results you’re getting from using it. In particular, Koti recommends deploying dashboards that automatically display and report on business metrics in real-time, so your executives can easily find data to support and align strategic business goals.
Records managers should also consider tracking analytics about the stored records themselves, she says, citing research indicating that 33% of stored data is ROT (redundant, obsolete, and trivial) and that proper records management practices can improve compliance by 25 to 32 percent.
Get Control of Your Data Universe
Koti says now is the time to review your records retention policies, create data maps, back up the data you need and purge data you don’t. Given the fires, floods and other disasters we saw in 2021, it’s more important than ever to make sure your core records management processes are in place to allow remote access to data and mitigate business interruptions in 2022. This kind of review presents a good opportunity to securely destroy ROT data according to a records retention schedule, which further reduces information-related risks. Routine data disposition is especially crucial for smaller organizations, whose lack of resources to bolster security and privacy makes them low-hanging fruit for hackers in search of valuable personally identifying information (PII).
Educate Your Employees About Data Privacy
The definition of “privacy” varies around the world—and keeps changing as new privacy-related laws and regulations emerge seemingly daily. That means everyone at your organization could benefit from reminders about which privacy laws your organization is required to comply with and how overarching regulations define compliance for your organization. Koti advises that you make sure your employees understand how your organization treats PII throughout the information lifecycle—and what qualifies as appropriate use of that data—by clearly defining each individual’s specific role in the process of ensuring compliance with both legal requirements and your organization’s specific privacy policies. You can further mitigate the risk of breaches by ensuring that your security measures, from online access to physical passkeys, appropriately limit who can access which records.
Beyond that, it’s critical to understand what data your IT systems aggregate and how they do it. The more your company links and aggregates data across systems, the more you risk inadvertently violating privacy regulations. As she notes, even a few data points, such as purchases and location, can make it possible to identify specific individuals and aggregate additional information about them.
Get Ready for the California Privacy Rights Act (CPRA)
The CPRA builds on the requirements of the California Consumer Privacy Act (CCPA), which has been in effect since the start of 2020. If you’re already complying with the CCPA—for example, if your privacy program shows you what data you have, where it is and who has access to it—you’re likely already a responsible steward of your customers’ and employees’ data. That puts you in a good position to comply with the CPRA when it takes effect on January 1, 2023. Still, Koti suggests that you audit your privacy program to ensure you’re applying it as intended, and that you conduct a privacy impact assessment early in the year if you haven’t done one already.
Information governance is fundamentally about making the most of the data your organization collects.
Record storage services, such as file indexing, retention schedule management and scan-on-demand services for fast access to stored documents, all support your information governance policies and processes so your users can find the data they need quickly and efficiently. Managing your records properly is the first step toward helping your organization apply analytics and realize the value of your information while reassuring your customers and employees that you’re protecting them against data breaches.