The data managed by organisations is set to increase by 76 per cent over the next 12 to 18 months[i]. This, coupled with emerging types of data, means Information Governance strategies are becoming a significant challenge for businesses. The adoption of social and collaborative platforms means businesses must incorporate social media posts, texts, instant messages and online file sharing into the formal processes that manage information, all while considering security, compliance and employee behaviour. This poses vast complexities, as many face difficulties when attempting to apply existing rules to information types that are unstructured, considerable in volume and difficult to categorise.
This is particularly concerning as the imminent arrival of the Internet-of-Things (IoT) will make Information Governance even more complicated for businesses. Connected device-to-device communications is already used in many sectors and is on the rise. In 2015, the number of connected devices and systems in use is expected to reach 4.9 billion, with estimates suggesting global connected devices could reach up to 50 billion by 2020[ii]. It is important, therefore, that organisations start adjusting their Information Governance strategies now to accommodate emerging information types, before the data volumes generated by connected devices threaten to overwhelm them.
In light of the evolving landscape, there are a number of challenges that organisations need to consider when creating and implementing secure and efficient Information Governance strategies:
- Firstly, many organisations are not clear on who owns, or should own, the content created by these communications channels. According to a recent survey of information professionals[iii] we undertook with AIIM, around one in three organisations has no-one responsible for governing the content of instant messaging (39 per cent of firms), mobile (32 per cent), social media (28 per cent) and cloud-sharing (33 per cent).
- Another major challenge for businesses will be the compliance and regulatory implications of data that will be moving between devices as it will put new demands on data protection, security and recovery policies. Legal frameworks tend to lag behind technological capability, and the complexities of the data landscape generated by connected devices and systems will likely pose interesting legal and regulatory challenges. For example, a connected device within a domestic fridge which could be designed to monitor energy use or even shopping needs, for example could simultaneously be generating personal information about things such as health, lifestyle and changing family structure. Consequently the security of this information would need to be regulated and protected.
- Storage and retention of the information generated presents another significant challenge – it’s both impossible and undesirable to be able to store and retain it all. Information Governance frameworks are already struggling under the weight of emerging digital channels, and could buckle under IoT unless organisations get better at classifying their data and knowing what to retain and store and what to delete. The task of determining what data has potential business value, together with applying an appropriate retention rule, will leave many businesses overwhelmed – especially as many are already overloaded with growing volumes of information in multiple formats.
Content management, storage, retention and retrieval policies need to be applied as rigorously to information created and distributed through these digital communication channels as they should be to more traditional data sets and paper records. This may not be an easy task, however failure to take on the challenge is going to expose many organisations to unacceptable levels of risk.
The answer is for businesses to adjust their Information Governance strategies to accommodate the changing information landscape. As part of this, Iron Mountain and AIIM recommend making use of the following checklist to ensure all information is managed responsibly:
- Ensure every type of content has an owner – allocate responsibility to records and information management, IT, legal/compliance, marketing or HR, for example
- Segment and prioritise content – and focus on the high priority/sensitive/confidential records
- Rigorously implement data capture, retention and deletion policies
- Automate the retention and deletion policies
- Implement an Enterprise Content Management (ECM)/Enterprise Risk Management (ERM) system to replace informal online file shares
- Create and communicate clear employee policies and guidelines
- Outsource data management and storage if required
With strong Information Governance in place, businesses will find that making challenging judgement calls about the information and data it holds will be helped considerably – so the time to start putting this in place is now.[su_box title=”Sue Trombley, Managing Director of Thought Leadership at Iron Mountain” style=”noise” box_color=”#336588″]Sue Trombley, Managing Director of Thought Leadership at Iron Mountain, has more than 25 years of information governance consulting experience. Prior to her current role, Trombley led Iron Mountain’s Consulting group responsible for business development, managing a team of subject matter experts, and running large engagements. Trombley holds a Master’s degree in Library and Information Science and recently was certified as an Information Government Professional. She sits on the AIIM Board, the University of Texas at Austin of School of Information Advisory Council, and is President of the Boston ARMA Chapter. She is Iron Mountain’s representative on the newly formed Information Governance Initiative and is frequent speaker at association events.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.