Happy Global Information Governance Day!! Today we celebrate information governance and raise awareness of how to manage data, balance risks and build a culture focused on good data hygiene.
Working with large and small companies around the world, we have observed that all organizations are managing more and more data. This data growth is exponential, with 100s of terabytes of data created daily and yearly output reaching 100s of zettabytes (only a million terabytes!). Moreover, the value or potential value of that data has never been more consequential. With the organizations investing into AI tools and programs, companies are quickly realizing how important it is to understand and organize their data – the better the data, the more effective the AI and the more valuable the output. Repeatedly our clients tell us that their organizations are hyper focused on how they can enhance the value of their data and increase profitability, and of course they want to be able to do so while reasonably minimizing their legal risks. Given this enhanced focus on maximizing the value of business data, we wanted to share our insights on why information governance matters more than ever.
Information Governance done right means an ever-evolving strategy addressing both business needs and data risks.
At its core, information governance (IG) is about ensuring that information is created, managed, protected, stored, and ultimately disposed of in a responsible and strategic way. It is a framework for managing information that complements and takes into consideration various data risks across cybersecurity, privacy, AI, record retention, and e-discovery. The framework defines who has decision‑making authority over information, how that information should be handled, and what accountability and responsibility looks like across the organization. While this may sound procedural, the implications are far‑reaching. In a world where information is both an asset and a liability, IG provides the structure needed to manage risk, support compliance, and unlock value.
But it is not enough to talk about your data strategy or have an information governance policy – good, effective information governance means investment of time and money, which could include: having a part-time or full-time employee or team dedicated to the creating and implementing the corporate IG strategy, processes related to the adoption of technology for business, security, and IG needs, adequate oversight and accountability to ensure employees understand and follow company policies that address data retention, security, handling, and more. The same holds true for third party vendor management, and we have written repeatedly about regulatory requirements to oversee vendors’ compliance with data security and retention. Effective and strategic management of third party compliance is a factor of any good information governance program.
At its best, information governance permeates the companies culture and processes and is embedded into not only its applications and systems, programmatically assisting with storage, organization and disposition, but into the business processes that drive success at the company.
AI growth goes hand-in-hand with data hygiene
At the same time, the rapid adoption of artificial intelligence has introduced new challenges. AI systems depend on high‑quality, well‑governed data to function effectively. Without proper oversight, organizations risk feeding stale, inaccurate, biased, or (inappropriately) sensitive information into their models, potentially leading to flawed outputs or running afoul of legal requirements. Information governance provides the guardrails that allow AI to be used responsibly, ensuring transparency, ethical use, and compliance with emerging standards.
More data, more (cyber) problems
The urgency behind IG has grown dramatically in recent years, largely because of the growth of enterprise data and the risks associated with unmanaged information have multiplied. Cyberattacks, for example, have become more frequent and more sophisticated. When organizations lack clear governance over their data—when information is scattered, unclassified, or stored indefinitely without purpose—the impact of a breach becomes significantly more severe.
Regulators are putting more pressure on companies to manage their data and imposing significant fines when they fail to take appropriate steps before a breach occurs. (Here and here). Strong IG practices help reduce this exposure by ensuring that sensitive information is identified, protected, and retained only as long as necessary.
Data is everything, everywhere, all at once
The shift to remote and hybrid work has also reshaped the information landscape. Employees now create and share data across a wide array of platforms—cloud services, messaging apps, personal devices, and collaborative tools. This decentralization has made it harder for organizations to maintain visibility and control over their information. IG helps reestablish that control by defining consistent policies and practices that apply regardless of where employees work or which tools they use.
We often see that the best information governance programs have clear leadership with clear authority and ownership to establish a culture of good information handling, and work with the business to nominate champions throughout the organization and in each business team who can spread the word within their team and elevate issues up the chain.
Privacy regulations, and regulators, are getting more sophisticated and focused on data retention and minimization
We are just a few months shy of a decade since the adoption of GDPR, and the privacy landscape has evolved considerably since. Laws such as GDPR, CCPA, HIPAA, and numerous industry‑specific mandates require organizations to know what data they hold, why they hold it, how it is protected, and when it should be deleted. We have repeatedly reported on regulators in the US and around the world fining companies who over-retain data and fail to implement appropriate governance practices. (Here and here.)
Without a strong governance framework that proactively addresses these issues, meeting these obligations is nearly impossible. IG provides the structure needed to demonstrate compliance, respond to audits, and manage data in a way that aligns with legal and ethical expectations.
####
Global Information Governance Day is a reminder that information is powerful — but only when governed well. As data volumes grow and risks multiply, organizations must adopt robust IG practices to stay secure, compliant, and competitive. To learn more about how Norton Rose Fulbright can assist with setting these policies, bookmark our Data Protection Report or consider our free CLE program.