Information governance may not be one of the big stories of 2020, but it is still very much at the forefront for legal, compliance and privacy professionals. Now faced with navigating an amplified risk landscape due to the shift to work from home and an influx of newly onboarded applications, IG teams are reevaluating their approaches. Many are realizing that dealing with the new normal may require an adjustment of priorities or retooling of projects already underway.

In a recent roundtable discussion, we hosted a group of IG leaders from Fortune 500 corporations and startups to share their success stories, biggest challenges and tips for strengthening IG. Below are a dozen insights from that discussion. These serve as lessons learned and guidance for other organizations looking to build a resilient approach for addressing short-term challenges and building toward long-term success.

  1. Stop seeking the silver bullet. The current volume of data, and the trajectory of new data creation, demands a blended approach of technology and process. One without the other will not have the ability to scale to the size of the impending challenges.
  2. Brace for fallout. Fear mongering aside, organizations need to recognize that implementing an effective IG program can be fraught with danger if not carefully planned. Missteps in IG implementation can lead to IP theft, leakage of personally identifiable information, compliance violations and high costs in the form of penalties, damage control, privacy fines, etc.
  3. Find balance. Landing on the perfect program that is simultaneously robust, actionable amid day-to-day operations and enables business needs is a massive challenge. An important first step in finding that middle ground is understanding the many sources of data across the company and how they flow among business users.
  4. Stay friendly with IT. Legal teams have struggled for years to establish an effective working partnership with IT. Building those bridges is difficult for a variety of reasons. But among the organizations that participated in the roundtable, there’s been good progress on this front. Legal professionals who have invested in collaboration with IT reported far more success in getting their programs off the ground than those who haven’t.
  5. Saving everything is common but costly. Our roundtable participants all agreed that most data loses its relevancy in a matter of weeks, but convincing other stakeholders to buy in to shorter retention periods is very difficult. Some suggested that IG should take the stance that the value of all communications expires after two or three years. From that standpoint, they can walk back on certain areas as needed, such as pulling out regulated communications, labeling them as records and storing them under unique retention rules that meet compliance obligations. A similar process can be followed for any other communications that users need to keep as a business record beyond baseline retention periods.
  6. Establishing categories for valuable information is essential to reducing storage volumes and gaining control over where data is flowing. IG and e-discovery teams can educate business users that email is not the place to store information that is valuable to the business, and provide them with records categories and repositories into which they can transfer any information that holds business value. Ultimately, leaders agreed that some degree of responsibility must sit with the business users when determining which information to elevate as a high value record. Helping employees follow the IG taxonomy requires training and a culture of good faith in people to do the right thing.
  7. Make IG a team effort. Partnership—with vendors, employees, key business units and the C-suite—goes a long way. The experts were unanimous in their belief that a collaborative approach is required to streamline governance processes and workflows, bolster security and build momentum toward perfect records management.
  8. Learn from consumer tech. IG leaders want to see more functionality in enterprise/IT software that mirrors advancements and predictive analytics from the consumer goods and services sector. They expressed interest in tech that provides data insights that may be applied to IG programs (such as analyzing patterns of communication that can predict if an employee is going to do something they shouldn’t do).
  9. Leverage privacy awareness. Privacy has been a forcing function for data remediation and stronger IG at many organizations. Leaders still see litigation and regulatory drivers as equally important to privacy, but appreciate the increased visibility around privacy as a tool in the toolkit to gain senior leadership’s buy-in for programs and resources. They also commented on the fact that privacy requirements are ubiquitous—every organization houses some volume of sensitive personal data—so organizations are forced to simply accept it rather than be defensive about it.
  10. Be thoughtful about boundaries. With the proliferation of tools and collaboration apps being used for business, information is now exchanged through many platforms, not primarily email. IG teams continue to face the difficult task of balancing between enabling and stifling innovation. Drawing that line is further complicated by nascent rules and regulations, and the need to distill all that complexity down into a reasonable company policy.
  11. Establish KPIs and benchmarks. Metrics that measure IG success are often lacking, but this needs to change. Understanding what’s working, and what needs work, is critical to developing policies, setting budgets and making technology decisions.
  12. Expect constant change. The COVID-19 pandemic will impact IG in a myriad of ways, beyond the growing data footprint. Ramifications will include business continuity plans, and a possible shift away from BYOD in an attempt to regain control over remote devices and data flows. Privacy implications will arise as well, including obligations around contact tracing data stored on company mobile devices and how mask wearing will affect the use of facial recognition technology or other biometric data.