Blog  |  December 14, 2021

Data Privacy is Helping Put Information Governance on the (Data) Map


So far, we’ve discussed the current state of data privacy legislation in Europe and the U.S., as well as how data privacy is driving changes to eDiscovery workflows and even creating new ones. The increased focus on data privacy has arguably put information governance on the map for organizations that previously didn’t place an emphasis on managing their data. In turn, information governance has become vital to organizations, in part because of the data privacy compliance obligations they have today.

Information Governance Reference Model (IGRM) and Data Privacy 

Hard to believe, but the very first information governance model didn’t even consider privacy stakeholders. When EDRM’s Information Governance Reference Model (IGRM) was first created in 2010, it was originally designed to support four stakeholder groups within an organization: legal, records information management (RIM), information technology (IT) and business (i.e., other business units). There was no inclusion of stakeholder requirements for privacy and security in the first two iterations of the IGRM. 

However, it didn’t take very long for privacy and security to be added to IGRM. In 2012, EDRM announced v3.0 of IGRM including privacy & security as a stakeholder group, along with the original four groups, stating in their announcement that “[w]ith respect to privacy and personal information, companies must be cognizant of laws and ‘best practices’ governing transparency and classification at the point of creation, must understand how the data may be collected, used/processed, and where the data may flow (i.e., cross-border data transfers).” Since then, the link between information governance and data privacy has been unmistakable as understanding your data is the first step to protecting it. 

Data Mapping and Data Privacy 

Speaking of understanding your data, the motivation to do so increased significantly with the passing of the General Data Protection Regulation (GDPR) and other privacy laws. Specifically, Article 30 of the GDPR requires controllers and processors to maintain a record of data processing activities, such as the purpose of processing, legal basis, consent status, cross-border transfers, data protection impact assessment (DPIA) status and more. 

Potential fines of up to 4 percent of annual revenue or 20 million euros have motivated organizations to “map” the data within their organization so that they understand where sensitive data exists and can comply with GDPR and other data privacy laws. As defined by EDRM’s Data Mapping Project, data mapping is the process of identifying an organization’s data sources and understanding:

  • how those data sources are stored, structured, managed and accessed; 
  • how those data sources and the data are used within the organization; 
  • who is responsible for managing those data sources; and 
  • the applicable retention and back-up practices and policies for the data sources. 

While data mapping has existed as a practice for years, data privacy laws like GDPR have accentuated the importance of having a sound data mapping program in your organization – it’s dictated by GDPR as part of protecting sensitive data. 

PII Analytics 

In these days of big data and data doubling within organizations every 1.2 years, data mapping and best practices only go so far in addressing an organization’s information governance challenges. Technology bridges the gap, and the ability to quickly scan millions of documents to identify potential personally identifiable information (PII) within an organization’s corpus of data is becoming vitally important for mitigating risk. Just as is the case with litigation and eDiscovery, the ability to identify and highlight PII quickly and then take steps to protect individuals’ PII is a requirement of any sound information governance program today.

Minimizing ROT and Dark Data to Minimize Risk 

According to a recent report, 85 percent of stored data is either redundant, obsolete and trivial (ROT) data or “dark” data (data which is acquired or created but not used to derive insights or for decision making). Hidden within that ROT and dark data is often PII that could potentially be exposed and at risk.

It’s imperative for an organization to keep ROT and dark data minimized as well as to identify it quickly. Combining the best practices of data mapping with the use of technology to eliminate ROT and dark data (making it easier to identify and protect PII data) enables an organization to support data privacy compliance requirements through an effective information governance program. 


Until the passing of GDPR and other privacy laws to increase organizational focus on data privacy, information governance was an afterthought for many organizations. Data privacy drove the need for information governance and helped put it on the (data) map; now, effective information governance drives effective data privacy compliance. Funny how that works! Next time, we will dive into some of the impacts that data privacy is driving for cybersecurity. Stay tuned! 
