At this year’s annual ARMA Live! Conference in Anaheim, we conducted an informal survey of the 300+ visitors to our booth, asking a single question: “What is your greatest information governance challenge today?” We received a variety of responses including:
- Lack of sufficient resources / funding
- Outdated retention schedules
- Lack of Office 365 governance expertise
- Inability to work effectively with IT
- GDPR compliance
- Growing threat of privacy breach and lack of preparedness
- “Keep everything forever” mentality
The most frequent response by far, however, was: “We don’t know where all of our data is or what we even have.” This response is disturbing because if an organization does not have a good handle on the nature and location of its data, it is nearly impossible to apply the governance rules and controls that help manage and protect the data from lack of compliance, potential cyberattack and general information management inefficiencies.
How to start addressing this challenge was the topic of HBR’s conference session, “The Evolution of the Data Map and Why Your Organization Needs One.” Data maps first became popular in 2006, when the Federal Rules of Civil Procedure were revised to make clear that electronically stored information was discoverable and, if responsive, had to be produced. many organizations created data maps in response. Looking back, however, those original data maps often were never maintained and seem to have since disappeared into oblivion.
Now, years later, with growing concerns of privacy breach and cyberattack, there is renewed interest in data mapping and data flows to better identify personally identifiable information (PII). Our session focused on a very practical approach to creating a three-dimensional view of the organization’s data in order to provide a holistic and dynamic understanding of the organization's data footprint. This approach serves multiple parties within an organization who are interested in where data resides and how it is managed, including litigation, information technology, privacy, information security, compliance and information governance professionals.
Additional topics we addressed included:
- How to establish a multi-functional team to ensure the data map is comprehensive to all interests within the organization, leveraging existing tools to streamline the development process.
- The definition of the data map requirements, building the framework, identifying the data map fields and populating the data map. We also described vendor software solutions that can facilitate the process.
- The “critical success factor” of identifying ownership and responsibilities up front to ensure the data map is kept evergreen, as well as documenting of processes and procedures for the use and maintenance of the information map.
- Opportunities to work with IT and other areas to develop “triggers” that identify when new systems come online or when new privacy-related information collection processes are adopted.