Skip to Content (custom)


Creating an Information Governance Structure

  • Information governance
  • 6 Mins

A well-crafted information governance framework can properly manage valuable data and minimize risk. But not all data protection programs are created equal. Security measures taken by an organization should protect your specific information in your specific environment—it’s a matter of scale and matter of risk. To create the right structure for your company, it is crucial to assess your data, understand the information you need to protect, and know how you are expected to comply with the law. Is your data subject to EU GDPR requirements, US HIPPA controlled, confidential, or propriety information?

Before taking steps to protect data, create a records retention schedule to reduce the costs around storing unnecessary data. This ensures records are protected and reduces litigation and government enforcement discovery risks. It also minimizes exposure and helps companies create a data classification structure in which records can clearly be labeled as low risk or high risk.

Keep in mind, migrating your company’s information to the cloud as part of this process means you are shifting the custodial residence of your data to a 3rd party provider. Depending on service provider you choose to work with in housing this data, you can be exposed to more or less risk. Therefore, it is imperative to know where your data is, what is housed externally, and how it’s being transferred back and forth so you can quickly recover it from a breach or potential data loss.

The benefits of a regulatory compliance plan

A compliance plan should take into account information governance regulations and requirements, manage training of employees; establish measurable actions for every year; and annually assess risks and performance. Having a compliance plan in place allows you to view a problem across the company and disciplines. Consider:

  • How can employees use information or a lack of information governance to be an insider threat?
  • Why would they use this information?
  • What pressures could they be under to use it?

Companies can protect themselves from an internal threat by determining who has access to certain information and why. Compliance plans can further establish controls by using cyber protection tools, document retention tools (requirements and action items to manage information that is cloud and software based), and destroying unneeded records per the records retention plan. Additionally, educating the workforce helps organizations identify “at risk” employees to ensure training is targeted.

Technology to shape your Information Governance program

Technology isn’t the “silver bullet” or simply a box to be checked. While it is needed to facilitate the information governance process, it’s not the overall solution. Before kicking off a new program or enhancing your current program, outline your objective for the technology solution. Start with the basics:

  • What data do you have?
  • Where is it?
  • How long do you keep it and how do you get rid of it?
  • Is it documented?

There are many technological solutions, including:

  • Document/Content Management
  • Records Management
  • Data Classification (this aids in other solutions like content management and records retention)
  • Data Governance / Data Privacy
  • Data Migration
  • Imaging (digitize hard copy docs – can outsource this)
  • Archiving

Remember, implementation is only successful once you understand your data and outline your goals.

When bad things happen

Even companies with the most rigorous data governance programs and response protocols can still find themselves in a dire situation. When faced with a breach, quick diagnosis of the problem is critical to controlling the situation.

  • It is the controller duty to report within 72 hours under certain conditions.
  • Describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. If you have a full breach or an investigation for sabotage, you need to know what data was compromised, which goes back to having data classification in place up front and knowing where your data lives.
  • Identify a data protection officer within the company for the authorities to contact for updates and communications. Provide the name and contact details of the data protection officer or other contact point where more information can be obtained.
  • Describe/understand the likely consequences of the personal data breach (were social security numbers taken?).
  • Have a protocol in place (a checklist within legal or IT departments) to mitigate personal effects of a data breach. For worst-case scenario planning, think about how data could be used if it got into the hands of a competitor and what it means for the company. By thinking ahead, your legal department can be proactive on protecting the company. Understanding what the different breaches might look like and mapping out the protocol will help when the situation occurs and keep everyone aligned.
  • After determining what data is in play, decide who to contact—a regulatory authority, law enforcement agency, the public? Determine if your corporate communications team needs to make an announcement about the response.
  • Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including measures to mitigate its possible adverse effects. Damage mitigation is only effective if the data classification and records retention has been done.
  • Throughout the process, be sure to document every action thoroughly to demonstrate what you did to legal and regulatory authorities, as well as learn what could have been handled better, or what you did well.

Protecting data and getting information governance right is a coordinated team effort. To mitigate risk, tackle the issues collaboratively. It should be a cross-functional team effort that includes legal, compliance, IT, HR, pricing, contracts, procurement, finance, and executives. While it requires a certain skillset to understand the rules and technology, getting the internal politics right is a huge part of the process. Everyone in an organization can play a role in exercising their information governance muscles, ultimately strengthening how a company responds, recovers, and improves their strategy.


The contents of this article are intended to convey general information only and not to provide legal advice or opinions.

Subscribe to Future Blog Posts

Learn more about Epiq's Service offerings
Our Services