Managing risks and unlocking potential of data through Information Governance

Executive Summary

We are living in a world full of information. It’s one of the most critical and strategic assets for organisations today. The exponential growth of data, the changing regulatory landscape and the adoption of new technologies has all had an impact on how much we now prioritise data and information as an asset that needs strategic oversight and executive governance. In this paper we discuss how to navigate the ever evolving data landscape, starting with Information Governance.

Introduction

There is no escaping the necessity of appropriately managing the data and information that organisations create, receive, process, retain, archive and eventually destroy. Organisations, regardless of their size, have an obligation to manage data and information for a whole multitude of reasons, be it legal, regulatory, historical, ethical, operational, reputational, cost, commercial, environment, social and the list goes on!

It can feel completely mind boggling trying to navigate all the requirements surrounding data, let alone keeping up to date on how it is changing and evolving with new technology and new legislation always on the horizon. Most organisations break it down and divide the responsibility between different functions within the organisation to own and manage, and that makes perfect sense. But often this leads to departments working in silos and this can have a negative impact resulting in inconsistency, inefficiency and gaps in compliance and controls exposing the organisation to risks.

This is why Information Governance is so important and is the foundation to successfully managing your data and information appropriately across the whole organisation. Information Governance recognises information as a strategic asset that must be subjected to high-level coordination, have senior sponsorship, a robust framework and ongoing oversight. This ensures accountability, integrity, preservation, and protection of information enterprise-wide, and as its own discipline, aims to treat the task holistically by removing silos and fragmentation, improving ROI on the technology and resources needed to manage data and information.

The Evolving Landscape of Information Challenges

The Exponential Growth of Information

It’s not breaking news that information is growing exponentially, and we’ve all heard various statistics that bring this to life, such as:

90% of the world’s data was generated in the last two years alone. Increasing to an estimated 120 zettabytes in 2023, from just 2 zettabytes in 2010. This figure is expected to increase by over 150% in 2025, hitting 181 zettabytes.

To put this into context, a zettabyte is equal to a thousand exabytes or a billion terabytes or a trillion gigabytes. Or to put it another way, it would mean one billion, one terabyte hard drives would be needed to store one zettabyte of data.

64% of organisations already manage at least 1 PB of data, and 41% manage at least 500 PB of data. This growing data volume further challenges information management strategies, making it crucial for organisations to mature their strategy to manage and optimise their data effectively.

Just think about what impact this is having on organisations and their networks, systems and applications, not to mention efficiencies, operations and the environmental and social impacts. It’s no wonder that Information Governance is now getting visibility at board level to ensure cross functional collaboration and the development of a strategic framework.

Coordination with all specialist functions who have a responsibility to manage or advise on an organisations’ data, such as Data Governance, Information Security, Data Privacy, Records Management, Legal and Compliance and Risk Management is no longer a best endeavours activity, but should be mandated by senior leadership, embedded into corporate governance and supported by dedicated Information Governance roles and/or teams to develop an effective Information Governance/Management strategy.

While 88% of organisations claim to have an information management strategy in place, 44% lack basic measures such as archiving and retention policies and lifecycle management solutions, resulting in an inadequate strategy that contributes to data quality issues, including accuracy, integrity, and excess.

Data, Privacy and AI Regulatory Compliance

The privacy and regulatory landscape will always continue to change to keep up with evolving technology, business and economic growth. But we have seen this accelerate more rapidly around the globe in recent years, in part due to the GDPR setting a precedent and the rapid adoption of new technologies such as AI.

In addition to already existing and well established global privacy and data protection laws, we observe many new data related legislative developments that require constant monitoring and response. Some examples:

• More US states are introducing privacy laws, and the debate continues whether a federal privacy law is needed;
• Canada is proposing a new Consumer Privacy Protection Act (CPPA), Personal Information and Data Protection Tribunal Act and Artificial Intelligence and Data Act;
• 2020 saw the introduction of the New Zealand Privacy Act and the Brazilian General Data Protection Law (LGPD);
• In 2021, Singapore’s Personal Data Protection Act (PDPA) came into effect as well as China’s Personal Information Protection Law (PIPL) and the German Telecommunications and Telemedia Data Protection Act (TTDSG);
• In 2022 we saw Thailand’s Personal Data Protection Act 2019 (PDPA).
• 2023 - Switzerland’s new Federal Act on Data Protection (nFADP) and Saudi Arabia’s Personal Data Protection Law (PDPL);
• India’s Digital Personal Data Protection (DPDP) Act is expected to come into force in 2024;
• The European Parliament are proposing new ePrivacy laws,
• The EU Data Governance Act, Data Act and AI Act are in force.

New or expanded data, privacy and AI laws are having an undeniable impact on global organisations with an international presence, since countries may take different approaches creating another challenging dimension for organisations to tackle. They must now adapt to a wide range of regulations, often with different requirements and restrictions. This is when a comprehensive information governance strategy is indispensable.

At the core of this strategy is a defensible data retention schedule. A regularly maintained and effective retention schedule can identify data retention and disposition requirements across global jurisdictions and industries, consolidating these requirements into one, global, consistent and integrated policy. Thus, supporting the management of ever-changing data compliance requirements, mitigating information risk and protecting and unlocking the value of the information held.

Digitisation and the Digital Customer Experience

AI and the adoption of cloud technologies is becoming almost central to everything we do, but the critical success of AI relies on good data quality and clean data, data accessibility and data sharing. With the rapid, exponential growth of information, and in some industries a general nervousness to delete data, combined with the pressures of cost savings during an economic crisis and global pandemic, the result of years, even decades of neglect to properly manage unstructured data are now becoming apparent.

The top 3 concerns of AI implementation in organisations:

1. Data privacy & security (71%)
2. Quality & categorisation of internal data (61%)
3. Integration complexity (59%)

We know that most organisations will be storing around 60% of Redundant, Obsolete or Trivial (ROT) data, all of which will negatively impact the effectiveness of AI and ultimately the ability of organisations to make sound decisions, improve customer experience or improve operational efficiencies. More companies are deploying generative AI tools with the intention of improving business processes and employee efficiency, but is your data truly ready for AI? Has your organisation explored the impact of its information governance strategy in order to achieve AI success?

Although most organisations (80%) believe their data is ready for AI, more than half (52%) faced challenges with data quality and categorisation during implementation, highlighting a significant gap between perceived readiness and reality that must be addressed to successfully implement AI.

Having and implementing a robust data retention policy is one of the most fundamental and impactful measures an organisation can put in place to ensure that their data is current, relevant and accurate which can improve the accuracy and reliability of AI outcomes.

The Foundation of Information Governance

Information Governance covers a vast array of data and information related disciplines and the associated regulations, legislation, standards, and policies that determine every aspect of managing, using, storing, sharing, and disposing of data and information.

So it seems we may have identified a potential flaw with the principle of Information Governance as an approach. Is Information Governance too broad and too vague and is the C-suite concerned? It’s not common to see an executive Chief Information Governance Officer (CIGO) purely focused on Information Governance sitting on the board. So does that mean it’s not necessary? On the contrary, some of the key challenges faced by organisations today and discussed by the C-suite include Information Governance topics, such as:

1. Data Residency: Compliance with local and international regulations
2. Data Transfers: Ensuring secure and compliant data transfers
3. Data Governance: Establishing clear policies and frameworks
4. AI Governance: Ethical use and regulation of AI technologies
5. Data Privacy: Adhering to privacy laws and regulations
6. Data Security: Protecting against data breaches and cyber threats.

For Information Governance to be effective and a benefit to the overall business, it has to have a strategic approach and be centralised without bias on one particular discipline. We could give oversight of Information Governance to the CDO, the CIO, CTO or the CLO for example, but would that end up biassing Information Governance towards a specific agenda?

We are seeing an abundance of new roles with ‘Information Governance’ in the title lower down in the organisation hierarchy. However, these roles still tend to be somewhat operational and inconsistent in their job descriptions and bias towards one discipline, showing there is a need for executive leadership to recognise the value of Information Governance as a strategic discipline in its own right.

The reluctance to truly embrace Information Governance as a strategic discipline, might be due to a lack of understanding, maturity or perhaps organisations are still unsure what it all means and what to do first. Or do they really believe the current way of working is enough to get the job done?

What we do know is that Information Governance has many benefits, for example:

1. It helps to uncover & mitigate data risks, for example risk of data breaches, cyber attacks, data quality and integrity issues, data privacy non-compliance, availability, inappropriate data access and data sharing to name a few
2. Meet legal & regulatory compliance requirements
3. Protect the confidentiality, integrity and availability of your information assets
4. Securely dispose of and minimise your data and information, reducing the impact of incidents and data breaches
5. Increase efficiency and reduce costs
6. Discover and unlock potential and value in your Information

How to Develop a Robust Information Governance Strategy

We’ve discussed the benefits of Information Governance, why it’s important and why it’s the foundation to mitigating data and information management challenges. We know we should invest in developing and implementing a comprehensive Information Governance strategy. But how?

We believe every Information Governance Strategy should strive to achieve three goals:

• Knowledge: Understanding the data your organisation has: what it is, where it is located, what risks it contains, and what opportunities it may present.
• Governance & Control: Establishing structure and control over your data based on industry, location, policies, and compliance requirements.
• Monitoring and Management: Maintaining best practices so that your data is retained, managed, accurate, can be used as a strategic asset and disposed of economically and with minimal risk.

To achieve these goals, you’ll need a structured methodology and approach. By way of example, we refer in this paper to the approach developed by Iron Mountain. This four step process allows an organisation to successfully implement Information Governance best practice across the multiple domains and specialisms.

Getting Started: Defining your Information Governance strategy

When developing your Information Governance Strategy your organisation needs to know where they are starting from. Are your current practices in line with best practice and industry standards? Are they compliant with laws and regulations and within your organisation’s risk appetite? What do your current policies and controls, operating model, executive sponsorship, training and awareness and Information Governance culture look like?

Step 1: Where are you aiming to go?

Then you need to decide where you want to go and why. What are your business objectives and what are you ultimately trying to achieve? Do you need to reduce your regulatory risk and exposure? Improve efficiency and reduce costs? Respond to an audit finding or legal issue? Improve the quality of your data for AI and analytics? Make better business decisions?

Understanding this will help you decide what level of maturity and control you need to achieve to improve your Information Governance to an acceptable level and within your risk appetite.

Iron Mountain utilises IG ADVISE to achieve this. It defines your organisation’s current level of Information Governance maturity against best practice and determines what level you are aiming for. After completing a risk assessment to establish your priorities, an Information Governance Strategy and Roadmap is formulated to enable your organisation to get to where you want to go. Your organisation’s strategy will be unique and aligned to your business objectives, designed to balance mitigating risks, achieving compliance and unlocking the value of your information.

Step 2: Putting in place good governance and controls

By this stage you will have a clear Information Governance strategy and roadmap. Next you will need to create a business case and obtain funding to establish a formal change programme to implement it.

Often change requires new people, policies and technology and it is at this stage you will identify what change is required to deliver your strategy and execute your roadmap.

In Step 2, Iron Mountain utilises IG RETAIN, to develop data retention and privacy policies and manage data consistently in line with regulatory, legal, and privacy obligations. It provides the ability to automatically apply policies to content ensuring defensible action is taken in a compliant manner.

Step 3: Remediating legacy data.

Having put in place good governance and new controls to manage your data going forward, you will still need to think about how you remediate all your legacy data and information. This is often a job left until tomorrow! But this must be part of your Information Governance Strategy now. Organisations are facing new risks as they adopt AI technology which means they can no longer put legacy data remediation on hold. Data quality, integrity and security are fundamental to ensuring organisations achieve AI success.

Tackling this manually is no longer an efficient or cost effective option considering the impact of the exponential growth of information and the volumes of information you are likely to have stored. Therefore you will need to consider technology as a solution to tackle this risk.

In Step 3, Iron Mountain uses IG CLEANSE, a technology solution that quickly and easily de-risks data by identifying, remediating, automatically classifying and governing your digital content.

Unfortunately, it’s not uncommon for 60% of the data retained by an organisation to be Redundant, Outdated or Trivial (ROT). Examining information to identify and only retain critical information, while reducing the storage demands and risk of ROT is vital to achieving good Information Governance.

Step 4: Getting more economic value from your information

By creating and implementing your Information Governance Strategy you will be well on your way to achieving data that is well managed and governed, of high quality, secure and protected, available and accessible, compliant, trusted and defensible.

It’s now that you will start to be able to reap the benefits and Return on Investment of recognising your data as the strategic asset that it is.

Now that you have put in place the required Information Governance good practices and controls to see you into the future you must not forget about proper ongoing compliance and governance to review, monitor and maintain this. This will ensure you always consider new and emerging risks, threats, legal requirements and new regulations which might impact your business.

In the final Step 4, Iron Mountain utilises IG MONETISE to help implement sustainable techniques to better organise and govern information into the future so it can be more easily identified and accessed and can deliver economic value to an organisation.

By continuing to reduce information volumes, creating usable classification structures and identifying the highest value information assets, your organisation can gain competitive advantage and extract additional value from your data.