Managing client-specific IG requirements for professional services firms and other service providers

The present regulatory landscape and the frequent incidents of security breaches are making organizations contemplate the various risks associated with poor data management practices.

Be it the SolarWinds hack or the more recent Kaseya ransomware attack, supply chain attacks have exposed the vulnerabilities associated with third-party service providers. Enterprise data is no longer confined to in-house servers, and as a result, companies are recognizing and working to manage third-party risks.

Several organizations are putting their professional services firms and other service providers under increased scrutiny for their information governance (IG) policies and asking for details regarding the data practices and management of their IG programs.

Clients are also defining “sensitive data” (such as employee or customer information or business trade secrets) and adding specific limitations on the data. These limitations may include who’s authorized to access it, the data’s geographic location, requirements for additional controls such as data encryption while in use, and how and when to dispose of it.

Information governance and compliance don’t just run on an honor system anymore. Clients reserve the right to perform audits or expect third-party reviews of the processes to ensure these practices are followed.

When each client sets specific IG requirements for how their data needs to be managed, meeting those requirements brings some challenges. Increased demand for additional controls, regular monitoring, and audits can burden professional services resources in the absence of the right systems and processes.

However, this can also present an opportunity to differentiate from the competition by demonstrating superior and robust IG policies and procedures. In other words, good data practices can be a great differentiating factor and can increase competitiveness.

Here are some best practices for information governance and records management professionals that will help with overall data management and make it easy to meet client-specific IG requirements.

1. Map and Identify

Mapping how client data flows and who handles it can help you identify where to begin and which areas need more controls. Data mapping can help you find out what information is present, where it resides, and how it flows through the various systems. Engaging the different departments to learn what information they receive, how it is stored, and who has access to it can help improve stakeholder awareness and responsibility. This data map should be updated periodically to include new technologies, data, and processes as they are brought into the firm, and careful consideration should be given to information privacy, security, and retention.

2. Update Policies

Most organizations have taken a policy-first approach. This has resulted in several organizations having too many policies that have been implemented over time without proper consideration. Decentralized implementation of policies and lack of coordination across segments have also resulted in these policies contradicting each other or not being up to date with the current regulatory environment.

While updating the policies, you also get a chance to examine how to classify data (as personal information, business records, etc.) and what factors drive decisions around the location of data, its accessibility, data retention, and disposition.

3. Foundational Process

Having a clearly defined process is very important to the application of a successful IG program. IG could be the way to break down information silos within a firm by focusing on the common goals of client service, information integrity, and security and minimizing firm exposures.

A strong IG program will not only reduce risk but also provide compelling business advantages by reducing physical and electronic storage costs, adding efficiencies to search and retrieval processes, and, ultimately, building a firm’s competitive advantage.