Continuing the annual tradition, it’s time to review the valuable information governance (IG) lessons of the past year. The successes and failures of 2018 can guide us in the year ahead. Here are the main things we learned:
Cybersecurity Remains a High Priority
Malware keeps getting more sophisticated, but the focus has moved to targeting network hardware and mobile devices for ransomware and destructive attacks. The organizations that successfully fend off these attacks aggressively maintain, upgrade and monitor the targeted systems as part of their IG programs.
Information Governance Compliance Was a Critical Need
Even with plenty of advance notice, organizations were scrambling to comply with new regulations before GDPR took effect. Many organizations requested more time to fully implement their remediation plans.
The successful organizations met this challenge with these basic steps:
- Putting a central figure or group in charge of the IG program to monitor compliance
- Documenting the GDPR compliance training program to prove that everyone who handles client data has been appropriately equipped
- Maintaining a comprehensive ESI Data Map to understand where all personally identifiable information (PII) is stored
- Securely storing PII and fully removing it from all systems when no longer needed (involving complete data access logs, end-to-end encryption and documented expungement procedures and logs)
- In the event of a breach, notifying everyone affected via a documented procedure within the required 30-day time frame
The Digital Transformation Trend Continues
In 2018, more organizations integrated third-party SaaS applications into their infrastructure, a change with major implications for IG more broadly. This shift poses additional risk because the organizations’ information assets move farther beyond the direct control of in-house staff.
The successful organizations met this challenge by scrutinizing their agreements with third-party vendors more closely. Data should be managed according to the purchasing organization’s own policies, rather than the vendor’s procedures. These organizations verified that outside systems were fully documented so that data would not get lost in the shuffle.