Effective information governance (IG) programs improve operational efficiency and compliance capabilities while leveraging information as an asset to maximize its value. Active IG programs are the hallmark of well-managed organizations, and increasingly IG has become an imperative, especially for global enterprises.
A "perfect storm" of compliance pressures, cybersecurity concerns, Big Data volumes, and the increasing recognition that information itself has value has contributed to a substantial increase in the number of organizations implementing IG programs.
Most significantly, the European Union (EU) General Data Protection Regulation (GDPR), which went into effect May 25, 2018, left companies across the globe scrambling to gain control over the consumer data they had housed. The GDPR legislation applies to all citizens in the EU and the European Economic Area (EEA), regardless of where they reside, and also visitors and temporary residents of the EU. So any global enterprise doing business with EU/EEA citizens, or even visitors, must comply with the legislation or face a major fine. The primary goal of GDPR is to give citizens control over their personal data.
Brought about in part because of GDPR compliance concerns, membership in the International Association of Privacy Professionals (IAPP) grew from around 25,000 members in 2017 to over 40,000 members in 2018, and it continues to grow.
A first step in the GDPR compliance process is to conduct an inventory of an enterprise's information assets to create a data map showing where all instances of data are housed. This is commonly the first major implementation step in IG programs, so the IG discipline and support for IG programs made substantial strides in 2018 with the lead-up to GDPR going into effect. Then California passed its California Consumer Privacy Act (CCPA), which borrowed many concepts from GDPR and required that any company (of a certain size) handling the personally identifiable information (PII) of California residents (in specified volumes) comply by January 1, 2020. Suddenly US-based companies could no longer ignore privacy regulations, and the momentum for IG programs that could manage privacy compliance requirements accelerated.
During this same time frame, data breaches and ransomware attacks became more prevalent and damaging, and organizations adopted IG programs to reduce the likelihood of cyberattacks, and their impact. IG programs implement effective risk reduction countermeasures.
Added to that has been the continued massive increase in overall data volumes that organizations must manage, which results in managing a lot of unknown "dark data," which lacks metadata and has not been classified. Organizations also retain large volumes of redundant, outdated, and trivial (ROT) information that needs to be identified and disposed of. Cleaning up the ROT that organizations manage reduces their overall storage footprint and costs, and makes information easier to find, leading to improved productivity for knowledge workers.
IG programs are also about optimizing and finding new value in information. The concept of managing and monetizing information is core to the emerging field of infonomics, which is the discipline that assigns "economic significance" to information and provides a framework to manage, measure, and monetize information.1 Gartner's former analyst Doug Laney published a groundbreaking book in 2018, Infonomics, which delineates infonomics principles in great detail, providing many examples of ways organizations have harvested new value by finding ways to monetize information or leverage its value.
Early Development of IG
IG has its roots in the United Kingdom's healthcare system. Across the pond, the government-funded National Health Service (NHS) has focused on IG to ensure data quality and protect patient data since 2002. Although IG was mentioned in journals and scholarly articles decades ago, the UK is arguably the home of healthcare IG, and perhaps the IG discipline.2 Could this be the reason the UK leads the world in healthcare quality? Certainly, it must be a major contributing factor.
The United States has the most expensive healthcare in the world, the most sophisticated equipment, the most advanced medicines, the best-trained doctors, yet in a recent study of healthcare quality, the United States came in dead last out of 11 civilized nations.3 The UK, Switzerland, and Sweden topped the list.
The U.S. healthcare problem is not due to poor training, inferior equipment, inferior medicines, or lack of financial resources. No, the problem is likely primarily a failure to get the right information to the right people at the right time; that is, caregivers must have accurate, current clinical information to do their jobs properly. These are IG issues.
Since 2002 each UK healthcare organization has been tasked with completing the IG Toolkit, managed by NHS Digital for the UK Department of Health. Although the IG Toolkit has evolved over the years, its core has remained constant. However, in April 2018 it was replaced with a new tool, the Data Security and Protection Toolkit, based around 10 National Data Security Standards that have been formulated by the UK's National Data Guardian.4