Data Privacy and Security

Information Governance Can No Longer Be Confined to the IT Department

Big data is big news, and the headlines recently have been full of data-related calamities hitting blue chip names: widely reported thefts of customer details, wrangles with the European Union, and the highly publicised NSA scandal.

Behind those headlines, the management of corporate data plays a key role in preventing or ameliorating other growing financial and reputational risks for business, including anti-corruption, competition and consumer protection laws, and ever more assertive regulation in many sectors.

Failing to organise and monitor the information they generate can leave companies unaware of what is happening internally and without a defence in the event of a prosecution or regulatory investigation or major litigation. Consequently, while an organisation's data store is usually a significant asset, without careful management it can also be a serious liability.

Historically, responsibility for data management has been left primarily with the IT department. However, the growing complexity of information governance and the ramifications if it goes wrong mean that this narrow approach is no longer appropriate. Instead, information governance should now be a boardroom-level issue, with input from the compliance team, significant input from the legal team, whether internal or external, and input from other specialists.

What makes for a good information governance policy?

The objectives of an information governance framework should be threefold. Firstly, what does the company need to do to prevent risk events occurring in the first place? Secondly, how can the company ensure that the board or senior management are made aware if something does go wrong? Thirdly, should a 'triggering event' (such as a regulatory investigation) occur, can the company assemble, process and deliver the information required and mount a defence of its actions?

What this means for organisations in practice is that information governance should include:

  • Policies on the use of company email accounts and the internet at work, social media usage policy and the management of employee-owned devices (BYOD) on company networks.
  • Monitoring of cloud networks to ensure that customer data does not end up in jurisdictions that contravene customers' home data protection or privacy rules.
  • Mechanisms and procedures to facilitate whistle-blowing and regular reporting to ensure that senior management are made aware of issues as they develop.
  • A review of data retention and destruction policies. These are often formulated locally and in response to specific needs and regulations. However, they also need to be considered in the wider context of the company to ensure it is not left holding onto data that could be used against it in the event of an investigation or legal dispute for any longer than necessary. Legal and other expert advice will be required to ensure that all of the company's obligations are met.

It is of critical importance that any information governance framework includes an action plan to make sure that the company complies with a regulatory information request or disclosure order from the court in the event of litigation or prosecution. The longer it takes to access and assemble data, the greater the chance that it will be lost or destroyed, whether deliberately or inadvertently, and the worse the potential adverse consequences for the company.

Key elements that should be in place before the event include:

  • A strategy to deal with data protection issues. These can seriously impede the progress of a data collection exercise as some jurisdictions require individual consent to be obtained from employees before information can be harvested from their devices. There are often also restrictions on removing data beyond national boundaries, in some cases with severe penalties for breaches.
  • A clear map of where a company's data is and who is holding it should be drawn up. As well as enabling companies to anticipate where data protection issues may arise, this also enables a business to move quickly in the event of an investigation or litigation.
  • A 'litigation hold' strategy should be in place to ensure that data is not destroyed, damaged or lost after the company is notified of an intervention or the commencement of litigation. Legal and technical advice on how this should be implemented should be sought.
  • Nominated personnel and teams to lead the project following a "triggering event", to include any external consulting or legal advice that may be required.

Finally, it is also important to ensure that companies' information governance strategies are reviewed and updated regularly as technology, data protection legislation and the nature of the business and its employees change.


Mike Brown is the Director of Legal Technologies for EMEA at Control Risks and Ramin Tabatabai is a Senior Consultant for Legal Technologies at Control Risks.

