I recently had the pleasure of speaking at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington D.C. on May 2, 2019. I was joined by the FDIC’s Shannon Dahn and our customer, the PGA TOUR’s Carole LaRochelle. During our session, we discussed why information lifecycle management (ILM) is more important than ever to address privacy concerns and some of the strategies and tools both organizations employ to enhance their information governance and data privacy compliance programs.
The PGA TOUR’s records journey began in 1968. However, 2018 was a major turning point for them when GDPR enforcement began. “I consider this the turning point… for records and information management,” Carole LaRochelle, MLIS/CIPM at the PGA TOUR said during the session. “Records and information management went from a ‘nice-to-have’ to a ‘need-to-have.’”
The PGA TOUR faced three main challenges during their information management evolution:
- Culture: The organization had a “we need to keep everything” mentality.
- Unique records: The PGA TOUR has a variety of types of records; for example, records on players and golf courses.
- Accountability: The PGA TOUR has records at their headquarters, at their 12 owned and operated clubs, as well as globally with five international, licensed clubs. Having so many records residing in so many different places presents a challenge for them to manage.
LaRochelle said the first step was to identify and define what a record is and what it isn’t. She explained that a record is any information-bearing object, regardless of physical format or location: text messages, social media, blog posts, recorded electronic conversations, a laptop, tablet, smartphone or even a golf club.
The next step, she said, was to take inventory of all the records the PGA TOUR has. During an initial inventory, 152 legacy golf clubs were found, including a handmade hickory turn-of-the-century golf club, as well as signed scorecards.
However, GDPR has created even more traction for records management initiatives and motivated the PGA TOUR to further cultivate a culture of privacy mindfulness in identifying, handling and storing personally identifiable information (PII) across the PGA TOUR organization.
The Importance of ILM
While regulations are prompting many organizations to review their information management procedures in order to remain compliant, organizations are also recognizing the importance of having an effective ILM program and retention schedule in place to mitigate risks and cyber threats.
To get the true value from your information, you need to manage the information lifecycle with strong governance rooted in policy. Policy and governance are the foundation of a strong ILM program.
To have an effective ILM program you need to know:
- what information you have
- where the information resides
- who controls the collection and processing of the information
- what rights the owners of this information have
Once you’ve identified what information you have, where it is, who owns it and the rights of the owners involved, then you’ll need to:
- apply retention, privacy and classification rules to the data
- securely store and control access to the information
- manage the information from creation to disposition
Increasing privacy concerns and regulations are elevating the need for privacy and retention to be managed together. It is beneficial to have a single unified view into how to manage personal data according to policy, as well as to act on retention policy by disposing of private information as soon as possible so that it is not unnecessarily exposed to breach. A well-executed retention program is the way to make sure all information, especially PII, is disposed of as soon as it is no longer needed for business, legal or regulatory purposes. By managing retention and privacy together, you can have a unified view of your personal data and related obligations.
How the PGA TOUR is Managing its Information
To better identify where information is located, how information is processed and who has access to the information, the PGA TOUR is currently in the process of implementing Iron Mountain’s Policy Center solution, a cloud-based retention policy management platform with legal research support.
This platform helps the PGA TOUR manage records retention and disposition in compliance with federal, state, and international laws and regulations. It also monitors and tracks changes to laws and regulations in more than 160 jurisdictions. Policy Center has feature-rich tools to document all data sources, data owners, data flows, and data processing activities thereby allowing the PGA TOUR to create auditable reports compliant with GDPR and other regulations.
So far, with the help of Policy Center, the PGA TOUR has:
- consolidated legacy records classes from 550-plus to 147
- consolidated 25 separate retention schedules into one overarching schedule
- moved from an organizational approach to records categorization to a business function approach
- implemented privacy, compliance and protection across departments to avoid overlooking important data elements and processes
“Records and information management is essential to privacy,” LaRochelle said. “We want to be compliant across all fronts.”