Having been raised as an identical twin, I’m very familiar with confusion around believing two items are exactly the same when in reality they are just very similar. I’ve seen the terms “Information Governance” and “Data Governance” used interchangeably and would like to clarify what I believe are the major differences.
Data Governance is typically an IT-owned responsibility and should account for all aspects of the data – both structured and unstructured – as it relates to information storage and movement. Common areas involved in data governance include:
- Data Security. Includes network and infrastructure security, encryption and physical security surrounding your data.
- Data lineage. Includes defining the system of record for various types of data, how the data moves between systems, and what transformations are applied in the process. Determining the reconciliation processes applied during movement or transformation of data also falls within data lineage.
- Service Levels. Includes the timeliness of data delivery, data access and synchronization between multiple copies of the data.
- Master Data Management (MDM). Includes the processes, governance, policies, standards and tools that consistently define and manage the critical data of an organization to provide a single point of reference. Examples include how to identify all data belonging to a given customer.
- Data Loss Prevention (DLP). Includes applications and policies to prevent data loss and data leaks via intrusion detection, masking sensitive data, encryption of data in transit and at rest, etc.
Information Governance (IG), on the other hand, is typically a business or compliance/legal driven approach to managing and controlling how all enterprise content is used, retained and destroyed. It is defined by Gartner as “the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements”. On a much more practical level, the Information Governance Initiative (IGI) defines IG as “the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” IG also covers both unstructured and structured data. Typical IG strategies and initiatives include:
- Categorization. Includes identifying where all content (not just electronic files, but also paper, rich media, social media, etc.) should be assigned, based not only on business categories such as invoices, loan documents and transactions, customer correspondence, Twitter feed, etc., but also on its value to the organization.
- Information Lifecycle. Includes categorization of data in terms of whether it is subject to regulatory requirements (e.g. HIPAA, FINRA, SEC), PII, intellectual property, historical requirements, etc. This is done in order to apply the appropriate retention to help meet compliance, privacy and/or business mandates. This process also helps to determine how long each item should be kept, when and how it should be purged, who needs to approve the disposal and the process of disposition to be utilized.
- Definition of Use. Helps to define the appropriate and inappropriate use of content, especially in the case of regulated environments such as broker-dealers (e.g. what type of analytics can be used).
- Information Access. Includes the definition of a finer level of security at the file and item level. This determines who should have access to what content and helps to ensure speed of appropriate access.
- Audit and eDiscovery. Includes how best to manage investigations and response aspects of governance including the eDiscovery process, requests processing, search, preservation, notification, review processes and export.
- Defensible disposition. Includes applying governance policies to remove digital debris or redundant, outdated and trivial content (ROT) from your information landscape to reduce costs and undue risk while improving search efficiencies.
There are certainly aspects of both of these governance approaches that overlap and need to be coordinated and implemented across many different business units within an enterprise. Defining the scope and definition of governance for all of the content involved in your organization is merely the first step towards a holistic approach to agreement on a common understanding of roles and responsibilities. The language used to describe the types of governance can go a long way to getting there.
Viewpointe can help you with establishing best practices around these strategies. Contact us if you have questions on how to get started.