As massive data breaches continue to make headlines, companies of all sizes are focusing their efforts on information security. But before an organization can put security policies and procedures in place, they need a well-crafted information governance framework to properly manage valuable data and minimize risk.

The connection between information security and information governance

Information security is the protection of systems and assets through controls, policies, procedures, software, and hardware. The type of security measures put in place may depend on a business specialization or the focus of a particular team. Oftentimes, when areas of a business are not integrated in these security procedures, gaps in coverage are revealed which can hurt the organization.

Information governance provides a framework that bridges these gaps by horizontally integrating business areas that operate in vertical silos. According to the Sedona Conference, “Information Governance is an organization’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”

Before an organization builds an information governance policy, it’s important to consider:

• The increased complexity of emerging data privacy regulations
• The exponential expansion in volume of ESI, given the accessibility and growth potential with public cloud storage options
• Newer data forms (especially from social and mobile applications)
• Historically high activity in M&A and divestiture events
• Increased demands on compliance, security, and breach incident response

Having a strategic information governance vision, as well as understanding all of the options to protect valuable information from a possible breach, is crucial. Companies need to make sure they are implementing policies to help them defend against attacks and respond when they happen, not if they happen. Being proactive rather than reactive on privacy and compliance is key.

Especially during a time of crisis, companies should know where their information is stored and how it’s organized across the network. However, many businesses struggle with managing their data in today’s complex regulatory environment. 

The EU General Data Protection Regulation (GDPR) has global reach and as such, poses many new challenges for companies with data subjects in the EU. Organizations must understand how their own regulators currently view the GDPR and how their business could be impacted. In the US it becomes more complicated as there are also state data protection laws, state privacy requirements, as well as U.S. federal regulations to take into consideration.

As the regulatory environment becomes more and more intricate, there are ways to effectively navigate it:

• Understand how your information is being generated and transmitted
• Educate employees on regulations and simplify processes for them to follow
• Have a chief privacy officer or chief information officer to focus on governance and regulations
• Increase engagement with industry groups and consultants for outside expertise
• Think global—once employees leave a company, they may move to a new country (and global laws would apply). 

Key takeaway

Where a company is physically located is just the beginning. Many laws apply to the location of the data, not the location of the company. People often fixate on where the company has a presence, but risk may be elsewhere. Some laws require more of larger companies; often small businesses are exempt. By fully understanding exposure, legal requirements, and potential penalties, you can better monitor where the company’s data is stored and transmitted, and where your employees and retirees are located, should you need to comply with global rules.

What’s next?

We are likely to see the GPDR continue to grow and evolve, with more companies facing steep penalties. This will force companies of all sizes to have data protection officers to ensure they aren’t making headlines. Additionally, the CCPA (California Consumer Protection Act) is paving the way for more privacy laws and regulatory legislation globally.