Information Management vs. Information Governance
Do you know the difference between information governance and information management? Kevin Gibson of Hanzo outlines four questions to differentiate between the two concepts. The details below can also help to shape your organization’s policies related to GDPR compliance.
“Information management” and “information governance” are one and the same. Or are they? The answer is “no” — and it’s important to understand the difference between the two. This is especially so given the General Data Protection Regulation (GDPR), slated to take effect in the European Union (EU) on May 25, 2018. Reviewing the answers to the following four questions can help clarify the intricacies of information management and information governance, as well as help create information management and information governance policies that best support GDPR compliance.
#1: How are “information management” and “information governance” defined, and how do they differ?
Information management is the process of handling information throughout its lifecycle: acquiring data from various sources, holding and distributing it, and finally disposing of it by deletion or archiving in line with information governance policies. The information that needs managing ranges from structured data held in databases, which is straightforward to store and query (e.g., customer histories), to unstructured data (e.g., content shared via social media and collaboration platforms), which is harder to inventory and search.
While information management is operational, concerned with carrying out those actions, information governance is strategic and proactive. It encompasses the technologies, policies, processes and strategies an organization uses to minimize risk by adhering to industry and legal regulations while still meeting its business needs and objectives. Information governance strategies therefore set the rules for how information is created, valued, used, stored and deleted.
#2: Why is information governance as critical a component of organizations’ business strategy as information management?
Information governance provides the structure and rules, in other words the framework, needed to carry out information management. Without that framework, risk cannot be mitigated in any systematic way. For example, organizations that run afoul of the GDPR can face stiff fines, including when a breach of any of their systems exposes personal data. Note that the GDPR's scope is broader than the familiar notion of personally identifiable information (PII): it covers any "personal data" relating to an identifiable individual, and it protects data subjects located in the EU regardless of their citizenship, whether customer or employee. The rest of this piece uses PII as shorthand for that broader category. If an organization's information governance policy calls for technology designed to safeguard that data, both the likelihood and the impact of a breach are reduced, with the added bonus of cost savings that follow from lower risk.
Trust is part of the equation as well. Stakeholders as a whole (customers and employees) have increasingly come to view PII as a valuable commodity, worthy of protection. They demand that organizations treat their PII as such, and organizations in turn want them to trust that this is the case. Earning and maintaining that trust all comes down to good information governance.
#3: How should information management processes be configured or changed to foster GDPR compliance?
The type and volume of PII in an organization's custody will vary with the nature of its business. However, complying with the GDPR requires information management processes that keep the organization "on top" of the PII lifecycle, no matter how much data exists and whether any of it falls into the GDPR's special categories (such as health, biometric or genetic data, or data revealing religious beliefs or political opinions), which are subject to stricter processing rules. For all organizations, at all times, this means knowing what data they hold and precisely where it can be found.
Complying with the GDPR is easier when information management processes are created or modified to include pinpointing and "mapping out" the whereabouts of each category of data. This supports compliance by making it straightforward to confirm that data which must not be exposed sits behind the "fence" of an appropriate repository, and to rectify the situation if it does not. Such a map also underpins the record of processing activities that the GDPR requires many organizations to maintain.
Under the GDPR's accountability principle, organizations must also be able to demonstrate, whether to a supervisory authority on request or in the aftermath of a breach, that they have put appropriate technical and organizational measures in place to protect the data that warrants protection. The regulation additionally requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, which leaves little time to work out which systems and which data subjects were affected. When mapping is part of an organization's information management processes, both furnishing that proof and scoping a breach become far easier.
#4: How should information governance practices be laid out, in general and to facilitate compliance with the GDPR?
In general, information governance practices should align with business goals and objectives. For example, an organization that wants to strengthen engagement with its best customers may choose to structure certain data repositories so that data on "preferred" clientele is easier to access. Working through a few key questions helps here as well, among them how important (or unimportant) each category of data is to running the business and how that data will be used day to day.
Meanwhile, to support compliance with the GDPR, information governance policies should dictate how and where customer and employee PII is shared and by whom. Organizations would also do well to craft policies that specify how they will fulfill requests from "data subjects" (customers and employees, but also anyone else whose personal data they process) exercising the rights the GDPR extends to them. For instance, the GDPR gives data subjects the right to request that their PII be erased from any company system, even data they shared themselves and even where the platform is no longer in active use. That right is not unconditional: it applies on specific grounds, and an organization may retain data it is legally obliged to keep or needs for certain other purposes. The policy should therefore spell out how such requests are assessed, and it should allow for a response within the one-month window the regulation generally sets for data subject requests.
Finally, solid information governance practices allow for built-in GDPR compliance facilitated by technology, for example solutions that detect PII in systems or on platforms where it should not reside and automatically remove or quarantine it without disrupting functionality or users. One caveat: any automated removal should be logged and should respect retention obligations and legal holds, since deleting data an organization is required to keep is itself a compliance failure.
Creating and maintaining comprehensive information management procedures and information governance policies alike has always been important for organizations of all sizes, but some haven’t fully embraced the process. With the GDPR less than one year away, moving forward on this front now — rather than later — is more important than ever.