Organizations are concerned about the impact of rapid digital transformation on their data privacy, security, compliance and legal risk. In a survey of corporate legal departments, most respondents indicated that they feel underprepared to face the implications of emerging data sources, particularly as their organizations’ digital footprints expand in volume, variety and velocity. There are several key information governance considerations that have emerged alongside the increased enterprise use of collaboration and cloud-based systems that are helpful for organizations to understand.
One important step is refreshing information governance policies and programs to account for cloud-based messaging and other forms of communications beyond email, which may include private cloud, hybrid cloud, public cloud, infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) offerings. Each of these brings unique challenges around user access, governance and e-discovery. A key first step in updating policies to assess the organization’s maturity and governance needs regarding newly implemented data sources or any tools planned for deployment in the near future.
There are a number of considerations organizations can review to evaluate where they fall on the spectrum of information governance and e-discovery readiness for digital transformation and identify opportunities for improvements. These considerations include:
- Is the organization’s data landscape mapped? Knowing where data resides is arguably the number one priority in information governance. Given today’s regulatory landscape, organizations must understand where their data are stored, including in which jurisdictions their cloud providers store or transfer data. It can be easy to violate data protection regulations or other data-related laws when data are flowing among numerous cloud-based applications. A detailed data map will help avoid compliance mistakes and make it easier to track down information when needed for a legal or regulatory discovery request.
- What existing work has been done to implement governance programs for on-premise data stores? Organizations that have invested in a strong information governance program for their traditional systems can often leverage that framework and the governance capabilities of those traditional systems for the governance of cloud-based data sources. For example, retention management tools used for email or legal hold may be extendable to implement preservation controls on the organization’s preferred collaboration tool.
- Have the time-to-implementation capabilities and lag times of cloud applications in use or under evaluation been researched and noted? This is critical as it will dictate how systems and controls interact with each other and the type and speed of access the organization will have to its data in the event of an e-discovery search, data subject access request or other data inquiry. It is also necessary to understand how long it will take for a cloud provider to put an organization’s retention policy in place and the pace at which the provider will continue to execute the policy.
- Are applications using encryption? If so, how will that impact the legal team’s access in the event of e-discovery requests? How will encrypted files interact with information governance controls? And if encryption is not in use, what data protection implications may arise as a result? Teams should address these questions and set parameters for the use of third-party encryption within information governance policies.
- Is the team contemplating the way emerging data sources deviate from established sources and looking to the horizon? An array of unexpected governance and e-discovery challenges are arising alongside new ways of communicating, and even if they have not yet materialized, teams should be thinking about and preparing for them. For example, linked content within emails and messages and the emergence of version history within documents can impact all workstreams across governance, risk and compliance. Existing models are built to deal with records with four distinct corners, but those boundaries have expanded tremendously. At some point, governance and e-discovery workflows will need to be brought up to speed with these changes.
- Does the team include a dedicated expert who can serve as a bridge between the many legal, compliance, security and IT issues that will arise as information governance policies are updated? Currently, emerging data and regulatory developments are constantly moving targets, and it is common for organizations to overlook potential pitfalls or place too much reliance on their cloud providers without adequate diligence. Appoint an internal or third-party expert who knows what questions to ask and can examine the full scope of risk within new applications and workflows.
The wave of emerging data is still building. Although it has not yet started causing significant widespread issues for most organizations, many are starting to feel the impact or can see it coming. By assessing governance readiness now, and updating policies to meet the new challenges, teams will reduce risk, minimize e-discovery headaches and avoid costly downstream legal and regulatory issues.
Editor’s note: For further insights on this topic, read Tim Anderson, Ted Barassi and Tracy Bordignon’s recent Journal article, “Partly Cloudy or Clear Skies Ahead? Information Governance Amid Digital Transformation,” ISACA Journal, volume 4, 2021.