Most organizations today must follow at least some compliance rules, and chances are, following these rules requires...
detailed, reliable records management processes. In fact, the increased focus on regulatory compliance in recent years has likely forced many organizations to rethink their information governance approach as they adhere to relevant rules.
Jeffrey Ritter, an attorney and technology law expert, said that although regulatory compliance sometimes creates a burden on those charged with data management, following these compliance rules consistently ultimately benefits the business as a whole.
In this excerpt from a Q&A with SearchCompliance.com editor Ben Cole, Ritter discussed how regulations are influencing organizational information management, and the benefits of merging data governance and compliance operations.
Regulatory compliance is becoming a big headache for a lot of organizations today. What are some of the information governance-related compliance rules organizations need to be concerned with?
Jeffrey Ritter: Any company in business today faces requirements for records. To some extent, all regulation is, in and of itself, a call for information and records to be maintained and accessible. But what's happening in the 21st century is that the regulators are realizing that the regulated entities are no longer doing business on paper. So, for the regulators to have confidence, to be able to trust the information that's being used in auditing compliance, they are taking an interest in the regulated entities' information systems.
If we can improve the accessibility, if we can improve reliability and the speed with which we can access and take action on information, then business improves.
attorney and technology law expert
This is fascinating, and to me it's not surprising. Federal agencies are taking an interest in assuring that the systems in which the information is being maintained and used to evaluate compliance are themselves secured, are trusted, are reliable. They are looking for governance, not just of the business, but of the information systems. In many instances, companies are not keeping up with the way they design and manage their information systems. They think of the old 20th century paper-oriented paradigm, and haven't been attentive to the demand of federal agencies that raises the bar on systems.
I think what's been proving challenging to companies is the inconsistency with which different nation states, and even different agencies within those states, are taking an interest in the information systems. Certainly in Europe there are much more detailed regulations about these types of concerns. Each agency, to varying degrees, is beginning to regulate the information systems, and those regulations of course influence the rules the company has to embrace and author in order to align with external rules.
That's kind of the challenge that compliance is presenting: Companies need to look at compliance rules that are authored by regulatory agencies, as well as major suppliers or customers, then orient internal rules so they can show alignment with how they manage their information compliance with the rules that have been articulated from outside the organization.
Can information governance processes be incorporated into other areas, especially from a regulatory compliance standpoint? If so, how do you express the benefits of doing so to the leaders of the company?
Ritter: Effective information governance accelerates the effectiveness of any business function. Information governance delivers accessibility; it delivers reliability; it delivers integrity. When we can find the information and then get the job done and make the decision with confidence, business accelerates. When business gains velocity, it usually makes more money.
If I'm running a sales department and have sales execs that aren't on the phone but are trying to find information, I'm losing money. If I can improve that with effective information governance, then they make more money because they are on the phone more, doing what they do well. If we can improve the accessibility, if we can improve reliability and the speed with which we can access and take action on information, then business improves. If all those things are in place, then I'm not aware of any regulatory requirement from external sources, such as nation-states or international organizations that would not be satisfied by a coherent, well-executed information governance process.
More on data governance and compliance
Data management best practices to remain PCI compliant
Taking control of records management and compliance strategy
The second major savings that can be offered to the other divisions is [that] the organization won't spend as much money trying to prove that it is doing the right thing in the way it runs the business. If we build that documentation strategy in so we know where we can find the information in the operating logs [and] system logs to show that we did the right thing, then we significantly reduce the compliance cost of the individual operations within the company. I've never found an executive at the operational level who is not interested in either reducing cost or increasing revenue, and those are the fundamental end results of information governance. I think if you talk about those across all of the departments, you'll get the c-suite's attention.
What is your advice for companies that are struggling to manage social media, especially from a legal and compliance standpoint?
Ritter: The first question is, "Who is in control of the information?" If it's information that's being generated within the scope of employment -- by an associate participating in Twitter, announcing new events, activities, promotions, products, sharing customer satisfaction stories -- all of that is information that is in control of the company, and the company has to make decisions as to how it's going to classify that.
The important question is, "What is the authority of the individual to generate that data, and to put it out onto the Internet?" That's where the control comes in -- not allowing access to certain websites or domains, blocking access. It's challenging, but that seems to be where a lot of companies are moving. In the late 1990s and the first decade of this century, we saw people allowing wide-open access to the Internet, but we're seeing those access controls become more limited. There's another part of this: Companies are sweeping and siphoning from the Internet other content that other people generate about their company [and] about their products. As that comes into the company, it is an information asset. It can be classified as competitive intelligence, and in that role have rules applied to it.
We have to decide whether the authorship of social media content is within the scope of employment, and if so, what we're going to do about it. If it's not in the scope of employment, put the controls in place.