Documentation of procedure in information governance
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
There is a saying in information governance “what you don’t know might be what will hurt you”. In other words, without a good documentation culture of procedures or information lifecycle, companies can’t spot pain points within their business processes. Yet, most businesses fail to create a documentation culture.
Strong internal documentation will lead to findings of existing gaps within a company’s information governance structure. That’s why, one would find out that the first step in, for example, a data privacy program is the data mapping exercise. The data mapping like I have mentioned in the past, gives a broad scope of where the company privacy risks exist and helps privacy professionals understand the privacy maturity model of an organisation.
What exactly are the benefits of documenting procedures in information governance? The first thing is that it allows the organisation tease out the responsibilities and tasks of various personnel handling those information assets and more importantly, helps the organisation know the necessary training these individuals require to carry out their day-to-day job functions.
A good documentation culture will also allow the company to know the right policies to be written. I have witnessed stakeholders throwing policies around without knowing what the policies do and thereby, having implementing policies without teeth.
When it comes to making sure that the company is taking the right steps towards ensuring compliance and the right procedures are implemented, there is the need for authorisation and approvals. By documentation of procedures, company can understand who can authorise, for example, an acquisition of a software tool. Without documentation, the company would find it hard to hold individuals accountable of various action steps.
Documentation also provides internal and external auditors with the reasons for decisions per time. If for example, a company decides to shut down servers within a particular period, they can show reasons.
Another area where documentation would help in information governance would be in the reporting area of things. This provides an effective method of verifying accuracy of any implementation and informing stakeholders on the best way to close gaps. If there are other things that needs to be done to make implementation of new controls smooth, it will be revealed. A business, for example, receives about six hundred data subject access requests in a month. In the next reporting window, the data protection officer, presented the case to the board about the need to automate the process and reduce administrative burden.
One key area that documentation contributes positively to information governance is in data integrity. When documentation is done effectively the company can tell when data is accurate. For example, a customer contact centre documents the address of a recurring customer as X, but when they sent out the product to the address, the customer doesn’t reside in that address again. Immediately, the customer contact centre documents that error and updates the data base and goes ahead to trigger an accuracy exercise for customer database.
A good refresher of existing document is necessary which entails that companies consistently check if their document carry current information assets and processes. It is good practise to document things in information governance, it not only creates an audit trail but can go a long way in saving the company some funds.