An information governance plan is only sound if it complies with current security best practices and compliance regulations. As we close out 2021, now is a good time to review your information governance plan – or create one if you have not done so yet – and update it to reflect the current situation.
We recently had a conversation with an industry insider on the topic of mistakes in information governance. That chat went like this:
What’s the biggest information governance mistake we should avoid?
We think there are three great IG mistakes today:
- Failing to have a program in place that will facilitate taking inventory of your organization’s data;
- Failing to have an updated data map so you know where to find all your data; and
- Having policies and procedures for the governance of an organization’s data because there are still organizations out there who do not have an IG program.
If you fail to have an IG program in an organization, you won’t know what data you have, where the data is located, who has access to the data and how to protect it. Even worse, you can’t leverage the data within your organization.
What can happen to an organization if we make these mistakes?
All these mistakes can be corrected if you have an up-to-date information governance program and policy. If your organization doesn’t have an IG program, it cannot locate and leverage, secure and protect, and review and produce data when appropriate. There are many worst-case scenarios when your organization doesn’t have an IG program. Standing in front of a judge receiving sanctions and a jury instruction that costs your organization money and causes a public relations nightmare is about as bad as it gets. Also, being denied cyber insurance and getting breached is a huge organizational mistake.
What’s the best way to avoid making these mistakes?
It is important that companies, law firms and government agencies hire information governance professionals and allow them to put a data governance program in place. Conduct a data mapping project, segregate data based on classification, control access to your data and put policies in place that meet the requirements of the highest legal standard, across the board. Also, allow IG professionals to have a seat at the table when discussing information security and information technology. IG professionals need to know what is going on in an organization.
What else should we do?
Don’t forget to include a defensible disposition policy and procedure. New standards recognize the risk of keeping data beyond its appropriate business purpose.