In the first part of our four-part blog series, we kicked off the discussion with a look at the biggest challenges companies are facing today. This third article gives you further excerpts from the panel of Information Governance leaders we convened, this time looking at opportunities in information governance.
Achmad Chadran, Product Marketing Manager, Micro Focus Archiving and Risk Management
Tom Bachrach, Lead Principal Consultant, Micro Focus Archiving and Risk Management
Matthew Bernstein, Information Governance Strategist, MC Bernstein Data
Jonathan Frieder, Compliance Technology Lead, Accenture US Regulatory Compliance Practice
Michael Osterman, Principal Analyst, Osterman Research
Debbie Reynolds, Co-Founder and Chief Data Privacy Officer, Debbie Reynolds Associates
Fast Evolution Among Social Collaboration Platforms
Chadran: Matthew brought in Bloomberg, where there's no built-in incentive for companies to make this information accessible for compliance means, for archiving, or for supervision. They have narrowly charted missions and sticking to them means teams can change on a dime without prior notification. Tom, that's got to be a major headache for your customers and I imagine it really colors your conversations with them. I wonder how many of them realize how prone to change some of these channels are.
Bachrach: With Office 365, and with so many different social media arenas, they’re actually changing on a week-to-week basis. At the same time, there's no incentive for these sources to provide the alerting and the information necessary to ensure everything is captured. Therefore, it's a real battle on the front line with all these sources. If it were only a handful, that would be one thing, but there are 80+ sources that are changing as frequently as on a weekly basis.
So from a testing standpoint, that’s what makes this such a challenge to an individual customer. To satisfy the regulations you must go through all the various scenarios and functionality use cases to ensure they're getting captured to the archive for compliance purposes. We're also working with our customers on the inherent value of that data for business purposes. It’s really the combination of the two – maintaining compliance and tapping into the data’s business value – that is driving our customers’ need for our assistance. We have the knowledge and expertise to accommodate the changes that are taking place at this extremely fast pace.
Chadran: At this point, we've explored the shape and dimensions of the changing compliance landscape. We've identified and assessed some of the new threats and risk factors that highly regulated companies face today. The question that follows is: how have compliance strategies changed in response to these threats? Conversely, are there new opportunities that have opened because of the changes driven by COVID-19? Michael, what has your research turned up? Changes in strategy, changes in emphasis, the identification of new opportunities?
Rethinking Regulatory Compliance
Osterman: I think companies are reevaluating how they need to comply with regulations. Data protection statutes in the European Union were harmonized and transformed with GDPR. We're seeing this all over the world with GDPR-like statutes in various US states, particularly California, in addition to Brazil, Australia, and India.
I think the new norm will include a very heavy emphasis on privacy rights and managing data in accordance with those obligations. One problem with using new tools all the time is people replacing WhatsApp with [end-to-end encrypted] Signal and so forth; these new data sources are generating business information that must be stored, but in many cases is not. If you're trying to satisfy something like a Subject Access Request under GDPR and you don't have access to 5-10% of your corporate data, that's going to create real compliance problems.
You can't say to a regulatory authority, “well, I was able to find 90% of my records and I did a search and was able to satisfy the Subject Access Request.” That's just not going to cut it. No regulatory authority is going to be satisfied with that. Therefore, organizations are seriously going to have to rethink how they comply, how they store their data, how they retain it, what tools they use, and ensure they are able to centralize the search and production of information.
This means a major rethink for a lot of companies, particularly those that have not been focused as much as they need to on things like privacy regulations that have been around for a long time.
Chadran: Jonathan, what’s your perspective? What conversations have you had with your clients? In what ways are strategies being reworked or reformulated for Information Governance?
Frieder: Going back to the problem at hand, for some companies there's a lot of confusion about what they actually are required to do. There’s turnover, there are changes in role, changes that can lead people to ask fundamental questions about scope. What does the requirement say you must retain? What is the risk? You need to go back to the cornerstones of most risk and compliance programs, which are the policies, procedures, and standards. You need to take a close look at that. Do you need to fill any gaps or develop a plan to fill those gaps?
One area that tends to get overlooked is the reliance companies may have on third-party service providers. Some organizations are more reliant on third parties than others. There’s only so much you can control when you rely on third-party providers, and they can represent a large part of your business. Your provider is, by extension, subject to the same rules, regulations, and obligations you are. You have a responsibility to maintain those relationships in a way to ensure compliance is maintained in the same way that it is within your core organization.
I think many organizations have been hampered by the differences in capabilities between in-office and remote setups. There won’t typically be the same robust control environment when you're talking about a virtual work setup. Even if you know what you must archive and retain, there's a reduced ability to tag and apply metadata in the same way as if you were working in the office. Also, you may lack the access to search and retrieve certain information. Beyond that, there are also physical artifacts and material, even while they may not be a significant portion of your business, that tend to get overlooked.
Bernstein: Most well-run organizations have a process for introducing new or changed technology to the organization, such as release management and SDLC (Software Development Life Cycle) capabilities, that don't allow things to get out unless information security, business continuity, and backup-and-restore have been adequately addressed.
I think we need to introduce information governance and the associated regulations into that process, whether that's around retention, privacy, or surveillance. We should exploit those well-established risk control methods, rather than try to come in from the side. Every person in the organization must take responsibility for this, yes, but there are ways that we manage technology to avoid risks that are true for potentially every piece of technology.
I think bringing these information governance concepts into how we do change management and IT asset management in the organization puts it into the control process so that the people who do this work start to recognize these issues as critical risks. We always try to exploit existing risk management frameworks rather than introducing something new into the organization. One of the first things we ask people is: “is information governance or records management in your taxonomy already?” If it's there, then all the other things that organization is already doing to manage risks can be applied and flow to that risk as well.
Frieder: One more challenge you're highlighting around governance is a shift in the roles and responsibilities between the first line of defense and second line of defense within the traditional three-lines-of-defense risk management model. The first line is essentially your business lines, the second is your risk and compliance oversight, and the third is audit. However, there's been a shift that has been increasing over the last few years between first-line and second-line responsibilities. So, with the governance that you're talking about – specifically when it comes to records and information management – clarifying or redefining the roles and responsibilities between first and second lines of defense has been a trend that we've seen. This has now been going on for a good year or two.
The full panel discussion, Compliance Archiving for the Remote Workforce Era, is available as an on-demand presentation.
The recent Micro Focus webinar, Social Collaboration – 5 Compliance Challenges You Need to Address Right Now, is also available on demand.