Businesses around the world are upgrading the way they manage their information, moving from records and information management (RIM) to information governance (IG). More operational or tactical in scope, RIM describes the activities and tasks required to organise, secure, access and ultimately destroy information. IG can be described as the strategy that guides the management of information. It includes all the metrics, structures, policies and controls that establish how the organisation’s information is managed.
The move makes sense for business reasons — information governance treats information as a business asset and assures that appropriate and well-curated information is a key business resource that can have a positive impact by informing policy, supporting legal and financial affairs and giving companies a commercial edge. An organisation’s strategic and risk management goals can all be supported by information governance. Effective information governance also allows businesses to comply with regulatory demands, avoiding costly – and potentially irreparable – damage from legal action and sanctions.
The move to information governance is not, however, without its challenges. Some of these are technological, such as a lack of appropriate tools to enable the automated deletion of eligible and sensitive information when it reaches its retention deadline. Recent research from Iron Mountain, for example, has found that 65% of businesses have very little automation in place to facilitate their HR processes at present, and 52% have no current plans to implement HR process automation at all.[i]
According to another new study, Transforming Information Management, from Cohasset Associates and ARMA International, of which Iron Mountain is an underwriter, many of the major impediments to information governance are also rooted in corporate habits. A ‘keep everything’ culture persists in 81% of businesses, and 84% cite resistance to change as a key challenge.[ii]
Another significant challenge – also identified in the Cohasset study – is that of effective employee engagement. The active involvement of employees in carrying out and supporting activities related to information lifecycles is absolutely crucial to the establishment of good practice, and in achieving the ultimate goal of making information governance a seamless, ordinary part of day-to-day business. Yet the research tells us that while most management personnel (83%) are engaged and enthusiastic about information governance, amongst other employees, active engagement and support runs at just 68%. This is dangerous for organisations because if information governance is not embedded in daily activities, and its value is not understood by all employees, the dangers of non-compliance and ineffectual data management are greatly increased.
The dangers of non-compliance
We know that most companies have robust records and information management policies in place[iii], and of course that is very encouraging, but all the policy in the world is pointless if employees are not acting on it. When it comes into force in May 2018, the General Data Protection Regulation (GDPR) will result in swift and severe punishment for businesses that fail to comply with its regulation regarding the acquisition, use, transmission, storage, destruction and breach of personal data, with fines of up to 4% of annual world turnover or EUR 20 million, whichever is greater.[iv] If employees do not act upon legal requirements such as those set out in the GDPR, perhaps because they lack training, lack resources or simply do not understand why they must, an organisation is likely to find itself non-compliant and thus open to very unpleasant sanctions that could have a lasting negative impact on the business.
Clearly, good information governance training for all employees would help to solve this problem — but the Cohasset study tells us that just 26% of businesses are providing it.
It is therefore vital that businesses take action now to engage staff in information handling and lifecycle issues, and educate them about the importance of treating information responsibly and in line with the law. This will not only protect the business involved, but also streamline the transition from records and information management to information governance and allow organisations to fully exploit the benefits that brings. The obvious way to do this is by introducing mandatory training and information governance-specific performance measurements for both individuals and departments.
Training and awareness matter
Training is essential because without it, employees may find it very difficult to handle data in line with policy; they cannot be expected to make good decisions unless they understand what to do and why it matters. Thus, employee engagement is important to ensure compliance with existing policy and the ability to use business information to the fullest advantage and stay on the right side of the regulations. Yet the advantages of training are not limited to these.
Training and awareness in information governance contribute to employees’ engagement, their ability and willingness to advocate good data handling behaviours across the organisation, their effectiveness and job satisfaction. Furthermore, the commitment and advocacy that training generates are indicators of a successful movement towards information governance. By contrast, low levels of advocacy can dampen the success of a business’s transformation.
There are lots of ways to train employees in information management. E-learning, face-to-face training and drop-in sessions are just a few of the options. What matters is that staff at all levels understand what their responsibilities are, the risks and the benefits associated with them and the rationale underpinning company policy. When training is complete, the outcomes must be evaluated, not only to ensure that the training has been effective but also so that the organisation can assure itself that employees understand how they can contribute to compliance and have the resources they need to do so, and to provide evidence of the same to the regulators if it is required.
As the nature and volume of business information evolve, so must the demands of relevant regulations, and business techniques for dealing with these. The good news is that with good policy, forward planning and effective training, organisations can make a smooth and efficient move to information governance, and thus find themselves well-placed to enjoy a bright future.
About the author: Sue Trombley
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.