People crossing a bridge in melbourne at sunrise

Why information governance is more important than ever for privacy

EY teams have seven principles that can serve as the foundation of an integrated IG and privacy program for any organization.

In brief

  • Organizations without effective data management will find themselves with unmanaged data that requires significant resources to maintain and clean up.
  • This will likely require a combination of personnel and funding to remediate the issues.
  • Technology investments and tactical moves to improve data and privacy protection are likely to be disappointing without fundamental IG principles.

The year 2020 brought important new privacy laws that left some organizations scrambling. We also saw several major enforcement actions and fines for violations of the General Data Protection Regulation (GDPR). And we faced unprecedented impacts of the COVID-19 pandemic that changed the way we as a society lived and worked, nearly overnight, bringing with it a whole host of privacy challenges that companies are still grappling with. Without a comprehensive US federal privacy law in sight, the privacy community continues to be challenged with a wave of potential state data privacy laws proposed in 2021.

But as we continue to face these evolving regulatory challenges, the essential foundation for protecting consumers’ privacy remains the same — a sound information governance (IG) program. Adhering to established IG principles is essential to building a privacy program that supports an organization’s legal, regulatory and business requirements, minimizes breaches and privacy incidents, and establishes brand recognition for protecting consumer data.

We have developed seven principles that can serve as the foundation of an integrated IG and privacy program for any organization. In addition to reducing privacy risks, good information governance can cut costs, make processes more efficient, and enable faster and more informed decision-making.


Principle #1

Know your information

The most important step is understanding what data your organization creates, receives and collects.

Companies must understand what data they have; only by doing so will they be able to determine the legal and regulatory requirements with which they must comply. Privacy compliance in particular is impossible without knowing the types of personal data that are being collected and from whom.

As a starting point, organizations should consider creating a data inventory that identifies the types of data that are most critical to the organization, require special handling or protection, or are required by law or regulation. Inventories can then be used by companies to develop classification frameworks to identify these key data types across the enterprise.

Organizations are increasingly using advanced text analytics and various artificial intelligence (AI) technologies to inventory and classify data. Search criteria and predictive analytics are established to explicitly identify types of data and where the data is stored.


Principle #2

Know where you have it

Knowing what data your organization has is of little use unless you also know where it is.

Organizations that can’t efficiently locate personal data will be hard-pressed to demonstrate compliance with privacy regulations, including responding to data subject access requests (DSARs) within prescribed timelines, implementing proper controls for protecting personal data in systems and repositories, and implementing appropriate transfer tools and safeguards when transferring data across jurisdictions and to third parties.

Organizations should leverage their data inventories to build a data map, which links data to systems or repositories, both within and outside the organization. Data maps are an essential tool for managing data and complying with privacy regulations, since they can be used to track data throughout its life cycle and as it moves across jurisdictions, allowing the organization to identify relevant global privacy and protection requirements.

While data discovery and mapping technology can certainly accelerate the development of a data map, a rich and comprehensive data map can be developed only with substantial engagement of the organization’s business and IT stakeholders. Where technologies may prove most useful is in the ongoing maintenance of the data map, where ongoing reviews and updates to the data map can be streamlined through automation.


Principle #3

Know how it’s being used

Organizations should invest time into understanding the business purpose of their data.

From a privacy perspective, understanding the business purpose of data aids in data minimization, a principle of both the GDPR and California Privacy Rights and Enforcement Act (CPRA) requiring organizations to limit the collection, storage and use of personal data to only what is relevant and absolutely necessary for carrying out the purpose for which the data is processed.

Data minimization is equally important to an organization’s IG program, as it allows organizations to focus their resources on managing and protecting their most valuable information.

Organizations subject to GDPR must document the purpose for which different categories of personal data are processed in Records of Processing Activities (ROPAs), as required by Article 30. This information can often be captured and updated as part of broader data mapping activities undertaken by the organization.

Organizations should consider implementing additional controls and processes to flag new processing activities, including changes to how data is being used internally or by third parties, to which data subjects may not have consented and may need to be evaluated as part of a privacy impact assessment (PIA).


Principle #4

Know how it is protected

Data is the lifeblood of most organizations, and its protection is a pillar of a robust IG program.

Compromised or stolen data can be exploited by criminals and shared publicly. The reputational damage from a major breach can impact a company’s revenues for years. Protecting the privacy of customer and employee data is impossible without appropriate technical and organizational security measures. All personal data must be safeguarded from unauthorized access, processing, destruction and damage.

Many organizations are striving to embed privacy directly into their business, technology and culture by embracing privacy by design. PIAs are tools an organization uses to assess and identify how data protection and privacy are being addressed in both product- and service-based solutions before the product, service or technology is implemented or deployed.

Under the GDPR, a data protection impact assessment (DPIA) is required for any type of processing that poses a high degree of privacy risk — in particular, the use of new technologies. Both of these assessments help organizations identify risks and mitigation controls for products, processes, systems or initiatives that involve collecting, processing and transferring personal data.


Principle #5

Know how to respond to external events

IG principles enable a company to understand how external factors and events impact data management.

Before the new breed of data privacy regulations, strong IG programs enabled organizations to respond to complex, time-sensitive, and resource-intensive requests for data stemming from regulatory examinations, litigation and M&A transactions. Similarly, a sound IG program facilitates an organization’s ability to pivot and efficiently respond to data privacy events as well, such as DSARs, privacy incidents and data breaches.

An essential component to an IG program is to leverage knowledge from resources like data maps, and align technology to create efficiencies in identifying, collecting, reviewing and providing relevant data to the requesting party. At a minimum, standardized efficient workflows should be developed for DSAR processing.

New technologies should be considered to support compliance with privacy requirements as more people around the globe gain access rights. When considering technologies to support DSARs, for example, organizations should think holistically of the external events they may face about how existing or new tools can be leveraged to support the organization across all areas of exposure. 


Principle #6

Keep it only as long as you need

Many companies are revisiting their policies to realign business needs with public expectations.

Just as companies work to restrict gathering personal data, they need to limit the retention of information beyond what is necessary for business purposes. While companies historically have worked with third-party providers and law firms to develop retention schedules that identify both state and federal recordkeeping requirements, along with any industry-specific requirements, many have lacked the funding, resources and internal support to keep those schedules current with the rapidly evolving privacy regulations.

Companies should leverage privacy initiatives to draw attention to outdated retention schedules and procedures to create a more holistic approach to managing retention. Privacy-related retention limitations should be mapped so that companies have a comprehensive view of the information they need to retain, including for how long and why.

Records management systems and advanced technologies, such as AI-enhanced automation using predefined business rules, can also help organizations manage records throughout their life cycles, in accordance with relevant regulations. Systems can be configured to retain records in accordance with the schedule or defined retention requirement, while also suspending disposition in the event of a legal or regulatory matter, ultimately reducing the burden typically placed on individual employees.


Principle #7

Dispose of everything else

Disposition frameworks remove data that no longer has value to the company and need not be preserved.

Removing data allows a business to reduce privacy risks while helping control legal and business costs. Organizations must determine how to best dispose of different types of data, with some information requiring a combination of methods. A sound IG strategy is pre-emptively disposing of data before it exceeds retention requirements and propagates across systems.

Deletion requests from data subjects pose a growing privacy risk as they must be handled in compliance with relevant regulations, under strict deadlines. Under both the GDPR and CCPA, it is not enough for an organization to dispose of personal data upon request — its processors and service providers must delete that information as well.

Technology-enabled processes allow an organization to operationalize disposition and improve efficiencies, using advanced analytics, AI and automation. The goal is routine disposition of routine, outdated and trivial information, embedded into the organizations’ broader data management activities. The disposition process must be both defensible and auditable, and many organizations work with outside counsel and third-party providers to consider the legal and operational aspects of a disposition framework. Disposition methods include deletion, de-identification and aggregation.


As new and evolving privacy regulations make compliance more challenging, a sound IG program has become more important than ever before. An organization that reduces its data footprint can focus its resources on managing the essential information it needs for business, legal or regulatory reasons. Organizations that embed these principles successfully can reduce their privacy risks, control costs, increase efficiencies, improve data-driven decision-making and foster public trust.

About this article

Related Articles

How a robust whistleblowing framework can help create long-term value

Effective whistleblowing programs not only make legal and ethical sense, they also help companies emerge stronger than their competitors. Find out more.

16 Feb 2021 Andrew Gordon

How to comply with data subject access requests

The pandemic and shift to a remote workforce make a clear compliance strategy and workflows for fulfilling DSARs more important than ever. Read more.

15 Dec 2020 Meribeth Banaschik