The challenges of the coronavirus emergency and economic crunch has caused many organizations to go into survival mode. They created satellite offices, used shadow IT and unwittingly put information governance at risk.
Despite established restrictions on operations and some limits on how organizations interface with customers, basic information models have changed. Many of these system adjustments came about because of social distancing rules and the use of a remote workforce. Now, as processes reopen and return, organizations believe everything is returning to business as usual, but at what cost and which normal?
All organizations have to step back and reexamine what security and privacy vulnerabilities they created in terms of information governance (IG). The industries potentially most affected by information overexposure are in financial services, retail and e-commerce, defense contracting, utilities, and credit card issuing. All of which have access to sensitive information. The list also includes any organization storing personally identifiable information (PII) such as Social Security numbers, which involves most organizations.
To guarantee the protection of information, companies must work closely with IT and security specialists to resolve data governance issues that have emerged during the COVID-19 crisis.
Following Information Governance Rules
Information governance, which manages and covers the prevailing technical, tactical, and routine processes, is an emerging “super discipline” applied to electronic document and records management, email, social media, cloud and mobile computing, and the management of information organization-wide.
Rapidly evolving regulations create business challenges, but privacy regulations are critical to data management today. Though no specific national privacy regulation currently exists, any nationwide or statewide rules would likely follow the European Union’s (EU) General Data Protection Regulation (GDPR) that took effect in 2018 and the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020.
Many U.S. firms that do business within the EU now need to deal with the GDPR, which rules over data protection and privacy for all individuals. It addresses the export of personal data and ensures there is a single set of criteria to protect individuals and help companies understand compliance issues when it comes to PII.
The CCPA, the first comprehensive privacy law in the U.S. provides California consumers with a variety of rights, begins enforcement July 1, 2020. Companies that do not comply with the CCPA act will suffer a maximum penalty of $7,500 and a minimum of $2,500 for each offense. Consumers also receive between $100 and $750 per person per offense, and the financial effect increases exponentially.
Understanding data access controls requires providing the right levels of transparency and traceability for personal information. If a company collects consumer data, it is inevitable personal data will move across the organization. Tracking this personally identifiable information requires deep visibility, and to solve privacy challenges organizations must be able to track PII movement across all internal—and external—systems.
Shadow IT Casts Governance Doubt
Another data situation that creates chaos is the existence of shadow IT—also known as embedded IT, stealth IT, feral IT, or client IT—which uses hardware, software, or cloud services by a department or individual outside the knowledge or security umbrella provided by an organization’s central IT group.
While shadow IT systems can help with innovation, the pervasiveness of shadow systems often results in a disjointed and application environment that forfeits reliability, security and governability to attain the required stage of business dexterity.
Research conducted by the California-based Dimensional Research, which surveyed more than 1,000 business and IT stakeholders in the United States and Europe, spotlighted the rise of shadow IT to deal with the persistent shortage of software developers and inadequate budgeting.
The survey recognized a shared belief that a huge pipeline exists of unmet requests for IT solutions. Almost 80% agreed business efforts to go about it alone or undertake shadow IT projects have greatly increased over the last five years. However, IT is strongly united in its fear that business professionals tackling application development on their own will create new support issues. To underscore their concerns, 91% considered it dangerous to build applications without understanding governance, data security, and infrastructure compatibility guardrails.
Data Governance Can Float Through a Black Swan Event
Systems are more susceptible today because people worked from home during a black swan event known as the coronavirus crisis. In the process, many businesses allowed workers to retrieve and/or access personal identifiable or secret information away from the organization’s security infrastructure.
However, do these organization know for sure if their IG rules covers access to data encompassing remote activity? All employees, whether working at headquarters or their home office, need awareness of information governance because it could come back to bite the organization in the form a compliance gap at some point. Organizations need to know how data governance within an organization practically sustains, remediates, and also validates itself during these kinds of operations. How can an organization’s IG system check that their company actually has restrictions on confidential information access, especially within a black swan occurrence such as the coronavirus pandemic?
Larger organizations may have all the bells and whistles and the principles of technology behind them, but medium and small sized operation must also consider the ramifications of their information handling at all times. They must do so especially during abnormal situations.
Bringing Information Governance to Your Data Table
Addressing the many regulations within many industries can intimidate many organizations. In the U.S., authorities include the Securities and Exchange Commission (SEC), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Federal Financial Institutions Examination Council (FFIEC), a formal U.S. government interagency body composed of five banking regulators.
Information governance ensures capable and effectual usage of technology enabling an organization to achieve its goals.
Providing information governance tools, guidelines, and actions helps shape compliance into a methodical, practical, and tactical framework offering the resources to demonstrate an organization’s lawful and principled security and data protection.