
Information Governance in the Age of Cloud Computing – Inaction is not an Option


Watch it on demand by clicking here.

Making improvements to information governance is often seen as tomorrow’s project. There’s usually another more immediate problem into which time and energy can be diverted in the short term. Right now, that problem is likely to be COVID-19 and the myriad of impacts it is having across many organisations. But, before COVID, there would usually be some other reason such as a focus on driving sales, an obligation to respond to a regulatory investigation, or the need to modernise the IT infrastructure.

However, even today, and certainly once COVID-19 is forced back into the shadows, organisations are likely to find a landscape populated by informed and militant regulators who will expect, particularly in relation to personal data, information and data governance to be towards the top of any company’s “to do” list.

I recently moderated a Lighthouse webinar focused on why inaction is not an option in relation to information governance when data is in the Cloud. Speaking alongside me were panellists Alison North, a leading figure in records management and information governance, and John Collins, one of Lighthouse’s most experienced information governance consultants.

The discussion began by polling the audience to see how many of the GDPR principles they could name. Perhaps as expected, no one was confident enough to say that they could name all 7, but it was good to see that the majority of respondents felt confident to name more than 1.

The discussion then moved quickly into explaining how (1) the accumulation of privacy regulations and / or increasingly militant regulators, (2) the accessibility of data once it is in the Cloud, and (3) the availability of tools to interrogate, control, and organise the data in the Cloud are all major contributors to the perfect storm that is brewing.

While laying out foundational considerations, panellists highlighted the important conceptual and practical differences between information governance and data governance. They then delved into Microsoft 365 to explain, with practical examples, how email is governed through the creation of a framework and through the details of specific retention policies that can, in particular, control the volume of personal data being retained.

The panel also looked at the impact of COVID-19, given the unprecedented growth in remote working and online collaboration tools, casting light on some of the interesting elements of a Teams rollout from an information governance perspective. The importance of agile delivery was stressed: building faith and confidence by delivering on a regular basis rather than waiting for one big delivery at the end. Additional thoughts were shared on how to control the proliferation of shadow IT (i.e. IT being used that is not company approved), and the panel concluded that this was far from easy and needed significant investment in communication.

The session closed with a look at how data, in particular legacy data, can be deleted defensibly. A few key points to take away were summarised as follows:

  • GDPR regulators appear to be focusing more on the storage limitation principle – data should be retained for no longer than is necessary
  • Data in the cloud is both readily accessible and pre-formatted so that tools can be applied to make a rapid improvement in information governance
  • Getting to grips with email is a good starting point
  • Given the COVID-triggered proliferation of collaborative tools such as Teams, a tactical approach to information governance should include these tools
  • The defensible disposal of legacy data will be critical to reduce regulatory risk in relation to the storage limitation principle.

To discuss this topic further, please feel free to reach out to me at


About the Author

Executive Director, Advisory Sales EMEA | Damian is part of the EMEA Advisory team as an Executive Director working from the London office. In this role, he is responsible for building the EMEA advisory function with a particular focus on the UK. Damian is a practicing commercial barrister and prior to joining Lighthouse he was eDiscovery Counsel at UBS and responsible for EMEA and APAC eDiscovery.

Profile Photo of Damian Murphy