Are You on the Right Path to Governance?
Companies and professionals often use the terms “Data Governance” and “Information Governance” interchangeably, often without realizing it. What these companies fail to understand is that data governance is only a subset of information governance (IG), which is a much broader concept.
A common myth is that IG is a new term for records management, but it’s not just old wine in a new bottle. A true enterprise-wide information governance program would not be restricted to records management but would also cover security, privacy, and data governance.
What is the difference?
According to the Sedona Conference, IG programs are about minimizing information risks and costs and maximizing information value. IG goes much deeper to ensure security and compliance while meeting the legal and ethical standards when managing information. On the other hand, data governance is about managing data within the organization to provide clean, non-duplicate, and structured data.
IG has become an integral part of corporate governance due to the growing concerns around data, security, and privacy. It goes beyond security and compliance to help you derive business value from the information you have, while data governance is the most fundamental step for implementing IG. When applied together with IG, data governance can lead to information management practices that generate higher business value.
Governance within the Enterprise
Governance can mean different things to different teams, even within a single function. Some IT teams view governance as a means to manage the exploding data volumes across disparate data sources and reduce the overall data footprint. A team focused on master data accuracy might view governance differently.
From an IT security viewpoint, governance is about ensuring the data is kept secure. These teams would be thinking of ways to ensure the company’s crown jewels do not get into the wrong hands or how to secure externally hosted data. Here, governance would focus on processes to address different aspects of cybersecurity.
IG is also not just about defensible disposition or eliminating ROT data. Though that remains an important end goal, IG is more about implementing a strategy to effectively manage data from its inception to deletion. This involves ascertaining the purpose for collecting data, storing it effectively (centralized, secure, with reduced duplication), ensuring an appropriate level of access, improving accuracy and quality, and eventually disposing of it when it is no longer in use.
Because IG is so extensive, it requires a top-down approach: it must be driven from the top but implemented from the bottom up. Irrespective of their definitions, data governance and information governance are interrelated.
Finding the Balance
Security, privacy, and data governance are all quite complex and require teams with in-depth expertise in all these areas. The Sedona IG principle-1 states that an IG program should be implemented to make coordinated, proactive decisions about information for company-wide benefit, and these decisions should focus on information-related needs and managing risks while optimizing value.
Maintaining separate perspectives on governance without a common, company-wide understanding of it will not yield relevant results. This impacts the overall risk profile around data and runs up costs around data governance.
As per Sedona’s IG principle-2, the IG program should be sufficiently independent of any specific department or division so that decisions are made for the benefit of the overall organization. The personal objective to drive growth within one’s own team can easily override company-wide requirements. It is not possible to sustain an effective IG program in such a scenario.
Governance efforts get duplicated, and many times even occur concurrently. These efforts also get implemented as isolated projects without a larger strategic vision around how data should be managed.
As legal, cybersecurity, IT, and data analytics are all dependent on IG, they cannot proceed on parallel paths; their objectives need to be aligned with each other. All these aspects are so intertwined that one can’t develop a robust IG program without active collaboration from all the different business units.
With different department heads leading their own agendas, true integration is needed for an integrated privacy or data management program. It requires true cross-functional collaboration where the objectives of all the stakeholders are aligned.