Merging Information Governance and Compliance

by in Information Management & Governance

This blog is the final installment of a four-part blog series excerpted from a panel discussion among leaders in the Information Governance space earlier this year. In this installment, we attempt to bridge the gap between the imperative to enforce regulatory compliance and the needs and strategies of stakeholders outside the compliance and legal organizations.

Moderator

Achmad Chadran, Product Marketing Manager, Micro Focus Archiving and Risk Management

Panelists

Tom Bachrach, Lead Principal Consultant, Micro Focus Archiving and Risk Management

Matthew Bernstein, Information Governance Strategist, MC Bernstein Data

Jonathan Frieder, Compliance Technology Lead, Accenture US Regulatory Compliance Practice

Michael Osterman, Principal Analyst, Osterman Research

Debbie Reynolds, Co-Founder and Chief Data Privacy Officer, Debbie Reynolds Associates

Information Governance and Compliance: Bridging the Gap

Chadran: I'm wondering – and this is for anyone on the panel – to what degree do the people that you work with look to you to help identify the new risks that they need to stay on top of? Conversely, to what extent do they spell out the risks that they've already identified?

Reynolds: I guess it depends on the maturity of the company. I work a lot with technology companies, especially in emerging technology. Much of the time, there aren’t even laws yet for what they are doing.

Being able to tie the data you're collecting and retaining to a purpose helps. I feel that people are doing indiscriminate data collection and retention and not really classifying that data in terms of its importance. Obviously, highly regulated industries are better at this because they have to be, but I think there's a lot of data that's generated within organizations that could probably be classified better. I think that the privacy regulations and the cybersecurity risks are really forcing companies to look at this more because the more data you have, the more risks you have. Then, regarding the retention of data, if you have things you don't need, you're creating unnecessary risks within your organization.

Bernstein: I think it depends on the size of the organization. Smaller organizations tend not to be aware. In mid-sized organizations, there usually is somebody who actually has a good handle on what the risks are but may not know how to solve the problem.

It becomes problematic again at the largest organizations because there’s not one single owner of this problem. You get the Legal Department worrying about eDiscovery, and then there’s somebody in the Legal Department who’s kind of worried about privacy, but they’re not actually joined up with the person who’s doing legal holds. You’ve got the person in Records Management who’s off on the side, fighting to get their attention, and now trying to use GDPR to elevate the need to do disposal.

I find when we’re talking to organizations of a few hundred or a few thousand, people there usually have a pretty good handle on what the risks are. They don’t usually know how to close or mitigate those risks, but they have a pretty good handle. It’s the smallest organizations – and Debbie makes a really good point, particularly when you’re in the technology space or the start-up space – that have no idea. And when you get into the largest organizations, there are twenty people who have a really good idea about one particular risk, but rarely somebody who’s bringing it all together. At least that’s my experience.

Osterman: Well, I think that underscores the need to get all the stakeholders together because if you look at good governance, compliance, and so forth, it impacts virtually every part of an organization. But there aren’t enough organizations today that bring together all those stakeholders and address the competing interests that need to be addressed.

Compliance vs. Strategic Insight

Chadran: That raises an interesting point. We’ve focused so far on the compliance aspects of information governance and of archiving in particular. There are opportunities to apply Big Data analyses to this treasure trove of data, but are people too overwhelmed by the compliance work to think about these opportunities?

Bernstein: I think it’s the other way around. I was moderating a panel a couple of years ago at the Data Management Summit in New York, and we asked the question, “Who here is familiar with GDPR?” About twenty people’s hands went up. Then we asked, “Who here has heard of CCPA?” and about half those people put their hands down. When we asked, “Who knows the privacy officer in your company?” then everybody put their hands down. These were people creating data lakes, Hadoop environments, and all those things to find the value, and…you know? They may or may not have good compliance practices in place.

Chadran: What is the opportunity to break down these silos?

Frieder: Absolutely. Even this past spring, as the pandemic was starting, we were doing some work to help align data management, information governance, and records management capabilities at a fairly significant, regional, multi-financial company. I think that underscores the silo commentary. People tend to know what they need to know for their primary job responsibilities. Debbie, I don’t know if you were going to jump in there.

Reynolds: Silos are a problem in almost any organization that I can think of. When I’m working with companies big or small, it’s helpful for me to come in as an outsider, because I’m not necessarily associated with any one silo. So being able to float between all those areas and talk with people and join people together is really interesting. I think that whatever companies do, there has to be a way to bridge those gaps and be able to go through those silos because a lot of the things we’re talking about impact the whole business.

Bernstein: I don’t think you’re going to see compliance as the driver of finding other value in data. I think compliance is going to continue to do what they’ve done, subject to the pressures of regulators, to bring more sophisticated tools to bear, and get away from semantic search and ninety percent false positives. The major banks are already well underway with artificial intelligence, machine learning, and sophisticated NLP [natural language processing], but it’s very much driven by compliance. Where you’re going to find the innovation and the seeking of value is coming from people like chief data officers and the front office, seeking to find value in data.

Bachrach: What we’re seeing on the technology side is that the individual business units in our client organizations are all extremely hungry for this data. However, historically both compliance and legal have kept the chains on the archive, to the point where it’s been almost impossible to use that data for any other purpose. However, the businesses are persistent. The competition is extremely strong now in the banking sector. They’re trying to get any little insight that’s possible, and what we’re seeing is that there is negotiation going on now between the business units and compliance. Even information that provides information about the sender and the receiver gives some idea of what’s going on, communication-wise, with customers. That has a lot of value.

The key piece to this is the reassurance to legal and compliance that all of the controls are in place and that the bank isn’t going to be vulnerable to any risks in that arena. There are various exercises where for various business purposes – whether it’s wealth management, whether it’s sourcing – there are all sorts of use cases where even the most minute information from this archive can be extremely beneficial.

A new Osterman Research white paper, Archiving and Data Protection with Microsoft Teams, provides a stark view of the challenges organizations face when social collaboration platforms unwittingly enable employees to thwart compliance rules.

