Compliance is a fact of (business) life. Increasingly, jurisdictions are enacting new data protection and privacy regimes, requiring companies to bolster efforts to meet the strictures imposed by a growing patchwork of laws and regulations. How should companies approach the challenge of compliance when facing what seems like an ever-expanding array of regulatory and statutory requirements? 

My recent webinar, “Simplification and Information Governance,” explores the key issues and offers a straightforward framework for information governance. If you missed the live webinar, you can watch it on-demand here. 

It’s a Risky Business. Sound information governance starts with appreciating the idea that information is risk. Any information you collect, process, store, or pass along poses the risk that sooner or later, a governing authority could investigate your information governance processes and procedures, deem them inadequate, and fine or sanction (or both) your company. 

Ask Why. This means that you must understand your data, both current and legacy, and, most importantly, why you have particular types of data. Remember: because any piece of information generates risk, you must always challenge whether you need particular data. In other words, you always need to examine whether, from a business perspective, the usefulness of having that data is worth the risks of legal, financial, and reputational harm from mishandling or misusing it. Don’t simply accept the notion that having particular information is necessary; instead, ask, “But why?” and insist on answers that justify the risks involved. Sometimes, the sensible course is to simply stop collecting, storing, or using certain kinds of data. 

Ask What, What, and What? If you genuinely need the data in question, you should then ascertain how you are currently protecting it. Complacency is dangerous; never assume you’re already in compliance. What security and access controls are in place? What retention schedules and procedures are–or are not–being followed? What cyber- and threat-defense processes have you implemented? 

Get It in Writing... and Do It in Reality. You must also determine what written information governance policies you have. Are they followed? How do you know? And, are they regularly reviewed to ensure that you remain in compliance with the myriad regulations you must follow? Don’t assume that your written policy is up-to-date or that it accurately reflects what people in your company are actually doing. Regulators certainly won’t make those assumptions and will not take your written policies at face value. 

Test Yourself. You should anticipate and plan for examination by regulators. You need to be able to rapidly identify critical data, the employees responsible for compliance, and the relevant policies. A clear, cohesive, and accurate response to regulators will help persuade them that you have made good-faith efforts at compliance and have nothing to hide. A haphazard, confused, and inaccurate response will invite further scrutiny. You need to prepare a response plan–and test it–before regulators arrive. 

Create a Culture of Questioning. The role of culture in fostering good information governance cannot be emphasized enough. You must establish a culture that encourages staff at all levels to ask, “But why?” when it comes to policies and procedures. Questioning, even of policies and procedures that seem obviously sound, should be applauded rather than discouraged or dismissed. It is better to face questions from your colleagues and improve procedures than to have those questions remain unasked until regulators pose them.

Establish a Process. Ongoing questioning (“Why are we doing this? How do we know people are doing it? Is it sufficient?”) underscores the point that compliance is a process, not an event. To that end, you should establish an information governance steering group (or similar organization) that meets regularly, not only to review what’s in place but also to question whether existing policies and procedures are sufficient: the “But why?” line of inquiry. Document your decisions. Identify who holds responsibility for which aspect of your governance efforts. You should not be satisfied with merely meeting minimum requirements; instead, strive to exceed them. Think of those requirements as a floor, not a ceiling. 

Establishing sound information governance policies need not be daunting. By thinking critically and proceeding systematically, your organization can create and implement policies that meet the evolving requirements of the jurisdictions in which you operate.