P2P

I L T A W H I T E P A P E R | I N F O R M A T I O N G O V E R N A N C E 69 Examining the organization's existing level of maturity to manage information is vital when seeking to create or revise an IG plan. Has the organization's data been subject to classification and cataloging, and if so, was the existing categorization based on: human input; automation; or a combination thereof? If an organization relies upon end-users to classify the types of documents they create, does the organization have a means in place to gauge the accuracy of those designations? Is there a comprehensive data map that indicates which systems the organization relies upon, what software or apps they are using and where the data stores are physically located? Are there existing taxonomies in place to store organizational information? When relying on technology to satisfy IG obligations, organization must provide access to internal experts capable of creating the retention schedules and applicable data privacy restrictions for each business record. If the organization lacks the internal expertise needed to craft an enforceable IG plan, outside assistance should be sought. Third-party consultative experts are potential resources which can be engaged to help craft an IG plan, providing guidance concerning systems the organization should incorporate as part of the plan's enforcement. Access to information may be impeded or restricted based on the rules set forth by any IG plan. Organizations must allow access to business information for properly credentialed personnel without undue delay. As organizations seek to broaden the scope of their IG practices, it is important to prevent unnecessary delay to the flow of information. Operational governance helps ensure that governance protocols are followed, while still providing the ability for employees to access important business information when required. Efficient data governance programs provide accurate and consistent information controls, returning required information in timely fashion. Classified information and other documents which may contain materials deemed sensitive should be specifically addressed by data governance plans. Comprehensive IG programs provide additional organizational benefits, such as reduced risk of compliance violations, and increased litigation readiness capabilities. Data residing beyond its records retention schedule, and not subject to legal hold, can be readily purged, reducing cost and risk. The IG plan should be carefully crafted, providing benefits to the organization without causing undue burden on the employee's day-to-day job functions. IG plans should also have clearly established time frames associated with their implementation. Any changes to the existing IG plan should also include a time frame for implementing revisions. Regularly scheduled audits should be included, at minimum annually, to determine the organization's level of compliance with its established plan, and to identify aspects of the plan which have room for improvement. Creating an IG Plan Enforcement Team The expanding amount of data in today's technology-rich environment requires that those working in such areas as governance, regulatory compliance, and litigation support efficiently organize and manage huge volumes of information, providing the ability to identify and understand its' relevance and content. When crafting a means to enforce an IG plan, since organization information reaches across many departments, impacting hose serving differing functions within vertical organizational silos, it is vital to include key stakeholders responsible for varied roles Identifying the key stakeholders to involve in making IG decisions can be a greater challenge for larger global organizations. Organizations with multiple internal departments face more complex decisions, so it is vital to include individuals whom understand the functions of their internal business units so that a complete organizational picture of the disparate data landscape is understood by IG team. A cross section of organizational roles should be represented when discussing enforcement of the IG plan. Roles to consider are information technology, legal/general counsel, records management, cybersecurity, privacy, risk management, knowledge management and human resources. Individuals serving different roles on an IG planning team will view the importance of the organization's information through different lenses. The legal viewpoint will be concerned with lowering risk, as well as having access to information when litigation arises,

• Cover