(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)
Day by day, effective information governance (IG) is made more urgent and more complicated by disruptive technologies and new business models that are rocketing throughout organizations. Many companies are still in the early stages of solving such digital-age challenges as big data and the bring-your-own-device (BYOD) model, but advanced technologies continue to emerge. The Internet of Things (IoT), for instance, is a phenomenon that offers profound business opportunities while carrying great risk.
In a 2015 white paper titled “Internet of Things: Privacy and Security in a Connect World,” the FTC defined IoT as “the ability of everyday objects to connect to the Internet and to send and receive data.”
Examples include cameras that permit users to post pictures online with one click; automated systems that let users turn lights on and off remotely; and sensors in storage systems that can detect RFID data in order to manage inventory more efficiently. The IoT umbrella also includes such wearable devices as bracelets that track and share your workout data and heart implants that monitor and transmit health information.
The business benefits — and detriments — of IoT
Many companies hope the IoT will enhance productivity and generate new business models and revenue sources. Typically, IoT devices collect data and flow it to other devices. Some smart televisions, for example, can detect whether anyone in the room is actually watching the screen and transmit that information to other smart devices. Companies then use the data to negotiate ad rates, or to target products or other programs for that household.
Organizations are eager to pursue IoT because they stand to benefit dramatically from using the information they collect through it. For example, smart meters can help utility companies reduce the costs of manual meter reading and can monitor and predict resource usage at peak times. This information helps them ensure adequate supplies to meet customer demand. It might also help them justify rate hike requests to public utility commissions. The technology helps customers understand their power usage so they can make beneficial changes.
But there are down sides as well.
Such data generation and aggregation present big challenges in the governance of information because the IoT intensifies the volumes of data, the variety of sources and how it is dispersed. IoT devices spread immeasurable volumes of data to other connected devices, some of which may be external to an organization’s infrastructure and therefore beyond its sphere of information security. Thus, organizations that turn to the IoT for business advantage must be prepared for the associated information risks — especially when it comes to privacy and security.
Chief among the IG concerns and potential risks is the organization’s duty to protect customer privacy. Customer identification and banking information is linked to that smart meter, and the customers may be skeptical of the organization’s ability to protect that information from unauthorized use. And of course, managing and protecting such large volumes of information are challenging for most companies.
Providing adequate security for the information throughout its capture, transmittal, and storage requires financial resources that management may not have anticipated. Information is vulnerable at any of these points. And as the sensitivity of the data and functionality increases, consumers’ concerns about privacy protection may increase as well. Consumers may be more sensitive about banking information transmitted through Apple Pay than they are about their consumption of electricity. Take it a step further and think of the “smart home.” The security measures must be extremely effective to prevent unauthorized access.
These are but a few examples. In short, the IoT world is changing rapidly and it’s easy to foresee an overwhelming volume of data entering the corporate environment.
Planning for IoT initiatives
With that said, organizations must address the full scope of IG considerations as they implement IoT applications. In the following list are steps they can take to plan for IoT initiatives:
- Convene an IoT implementation team: It should include representatives from IT, RIM (records and information), legal and the relevant business units. If your organization has an IG steering committee, this would suggest a natural fit. Otherwise, convene a collaborative team to understand the benefits and risks and to make decisions on the implementation, considering all the factors involved.
- Conduct a risk assessment: Depending on the specific application, the organization may be taking on a greater degree of information-related risk.
- Make a plan: An IoT initiative must be taken seriously. Build the plan around specific business goals and strategies. Establish benchmarks and metrics to evaluate the success or failure of the initiative.
- Integrate regulatory and compliance requirements. These requirements will continue to apply, regardless of how information is captured.
- Assess the impact of IoT on the retention/disposition policy and schedule. You will be greatly lengthening the retention period for some types of information. Make sure you can delete the information when the retention period has expired and that the necessary retention schedule modifications are made.
- Ensure that IT has the capacity to deal with the additional volumes of information. The growth in data that requires storage can quickly overwhelm an organization. Such volumes can hinder business efficiencies, make e-discovery more costly and jeopardize the defensibility of legal holds.
While the IoT trend can be overwhelming, a sound IG program can give your organization a head start on addressing the challenges that come along with the opportunities.
The building blocks for a sound IG program are the Generally Accepted Recordkeeping Principles® developed by ARMA International, a thought-leader on IG. These Principles — Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, Disposition — work together to foster a collaborative approach that ensures information is treated as an asset, protected in compliance with all regulations, and disposed of according to a legally defensible retention plan.
Accompanying the Principles is the IG Maturity Model, which defines characteristics of various levels of recordkeeping programs. It’s an assessment tool you can use to evaluate your IG program against the Principles. It helps you identify the gaps between your current situation and your desirable level of maturity for each principle. More information on both the Principles and the Maturity Model are available on the ARMA website.
The collaborative IG approach and conformity to the Principles will ensure maximum information security and a sound, holistic IG program that will prepare your organization for virtually any information-related challenge.
Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.