By: Marianna Shafir, corporate counsel and regulatory advisor at Smarsh, and contributor to the

What is good data governance? It is ensuring the quality, availability, security, and usability of data within an organization. The MDM Institute defines data governance as “the formal orchestration of people, processes, and technology, to enable an organization to leverage data as an enterprise asset.”

Regulations like the General Data Protection Regulation (GDPR), Markets in Financial Instruments Directive II (MiFID II), Sarbanes-Oxley Act, Basel III, Dodd-Frank Wall Street Reform and Consumer Protection Act, and others require that organizations monitor their business practices and comply with the rules set forth.

How do you establish good data governance? It is critical to have a strategic approach to comply with the regulations and manage the risk.

For a brief overview of this complex subject, consider adopting these smart practices to achieve effective data governance:

Take a holistic approach

Getting the right stakeholders and information owners involved at your company will help you create the most effective governance policies. Start with the right players and get them involved. People and culture also play a critical role. Include team members from your compliance, marketing, legal, HR, and/or IT departments. Then move on to address data governance as well as technology processes.

Capture your organization’s communication channels

As employees use more channels to communicate with clients and each other, compliance challenges grow as well. The technology vendor should support different communication channels with direct source capture, meaning content is captured in its native format and in full conversational context, with message threading to show messages in their original context.

If your company’s rules include supervision and retention of email, but they overlook the fact that your employees prefer to reach out to customers via text messaging or social media, it can cause big problems. Consider what customers demand and what your company culture dictates when designing rules so nothing falls through the cracks. Ultimately, you’ll want to develop a system that can accommodate future methods of communication.

Create internal policies for security and compliance

Implement a framework to ensure strategic objectives and tactical goals are met. Gather feedback from your employees and peers who regularly use new technology. Your policies should reflect today’s evolving digital communications landscape.

Policies designed for email may need re-inspection to reflect specific ways these new channels can be used by employees. The technology solutions should be delivered with top-tier security, management, and operational controls.

All data should be encrypted in transit and at rest, with stringent access controls, and stored in an unalterable, compliant format to meet regulatory requirements. Engage employees: new channels emerge frequently, so training should also be ongoing to keep pace with the latest technology.

Meet content control needs

All organizations need to identify sensitive information that is not being properly managed. This can include proprietary data, trade secrets, material non-public information, or other content that could cause harm to the company if leaked externally.

They should take steps to insure against accidental loss, destruction, or damage. Technology allows organizations to leverage supervisory features to inspect content for potential policy violations and direct follow-up by compliance, security, or legal staff to remediate that information risk.

Organizations must be increasingly diligent in ensuring their technology is equipped to address privacy demands. Furthermore, they must evaluate which technology providers embrace privacy by design versus those that approach privacy as an afterthought.

Technology solutions should also come with real-time moderation and pre-review capabilities that can be added for specific channels. Clients can proactively monitor communications with control, including alerts, message blocking, ethical walls, and disclaimers to prevent compliance issues before they happen.

Manage the compliance and reputational risk

Risk is pervasive and ongoing. Focus on the most vulnerable and important areas of your business to implement effective information governance. For example, Tweets can contain non-public information violating SEC rules, and LinkedIn posts can violate data privacy laws. Partner with a technology vendor that can provide efficient and effective tools to monitor the risks and demonstrate compliance.

Governing content is critical, or you may face regulatory fines and reputational risk. To best handle this, technology supervision capabilities should include an advanced supervision workflow, multi-tier review queues and visual dashboards, action panels, roles reporting, escalation, customizable policies, and more to ensure you meet your compliance obligations. Policies and analytics tools surface your business risks and drive proactive decision-making.


Legal departments should take all possible steps to oversee their company’s data. In the current environment of social media, mobile, chat, and other electronic communication channels, that means being proactive and having a tactical strategy.

With the help of technology, organizations can efficiently strengthen their compliance, recordkeeping, and eDiscovery initiatives. Our records can be part of our best defense strategy, but they can also provide early warnings of potential violations.

Remember: Risk is pervasive and ongoing! Compliance should not be a burden, but an opportunity to achieve competitive advantage and good data governance practices.
