Compliance is a minefield, is your Information Governance Framework fit for purpose?

If you’re a DPO, CIO, IT Director or involved in compliance of any kind, you’ll know that managing information is getting harder, expectations around accuracy have never been higher and the consequences of mistakes are now potentially crippling.

To add to the difficulty, different regions impose different laws and new AI tools generate forms of data you may not even realize you have.

If you already have an Information Governance Framework (IGF), then ask another question: Does it reflect the significant changes that have occurred over the past five or ten years?

What does an IGF do?

An Information Governance Framework (IGF) is essentially your organisation’s playbook for managing information responsibly and consistently. It isn’t meant to be a policy document that sits on a shelf; when used properly, it’s a practical guide that helps teams understand what information exists, where it’s held, how long it should be retained, and, importantly, how to demonstrate that these processes are actually followed in practice.

Whether it’s physical storage, cloud platforms, legacy archives, or communication channels, the IGF provides the framework that ties everything together.

Crucially: An IGF is how you prove all of the above exists in practice when regulators, auditors, clients or really anyone else asks!

What types of “information” do we mean?

When we talk about “information,” we really do mean everything your organisation records, stores, processes, or interacts with, whether physical or digital, structured or unstructured, day‑to‑day or archival. This includes any data containing personally identifiable information (PII) as well as your operational records.

To give a sense of the scope involved, an IGF must account for:

• HR files.
• Customer on-boarding documents and files.
• CCTV footage.
• Teams/Slack chats.
• ID cards.
• Legacy archives.
• Vendor contracts.

And this scope isn’t static. New systems are added, business applications evolve, teams adopt new communication channels and, as mentioned, AI generated content introduces entirely new data categories. Your IGF needs to be adaptable to account for all of this.

Understandably, creating something that is both literal enough to be understood and adaptive enough to be future proof can feel a little tricky. That’s where our own experts can help.

So why do I need one/need to update my existing one?

We mentioned in the introduction that the regulatory landscape has changed significantly in recent years. One really important example of this is that regulators have shifted from assessing an organization’s intent to comply, to requiring evidence that compliance has actually taken place. This is the most significant change in the post-GDPR landscape.

This is embedded in the U.K.’s Data Use and Access Act (2025) with the requirement now being that organisations must prove that certain things (e.g. deletion of data past retention) have occurred, rather than mere “statements of intent” (the requirement under GDPR). Essentially the regulatory environment is now:

“Show me the log. Show me the deletion record. Show me the access trail. Show me the decision.”

GDPR and similar legislation have an increasingly sharp focus on what is called “over retention”. The EU Data Act also introduces new obligations around data access and portability.

This is a global expectation too. U.S. state regulators are now using state-level legislation to issue fines for opt‑out failures (among other infractions), Honda and Todd Snyder were both penalised in 2025. Concurrently, EU and UK regulators continue to tighten expectations around retention, transparency, and data access. The rules don’t align, but your governance has to

In Asia, regulators are tightening cross‑border transfer rules. Finally, and as mentioned, the emerging AI governance landscape, from the EU AI Act to the U.S.’s NIST’s (National Institute of Science and Technology) frameworks, segue in with this trend in that they demand proof of inputs (the data that it has been trained on).

What’s the lesson here? Enforcement isn’t slowing down, and how you manage your information could be a huge liability. Regulators issued over €1.2 billion in GDPR fines in 2024 alone, with total penalties surpassing €6 billion by late 2025. If your IGF can’t show what you did and why, you’re exposed.

What makes a “good” Information Governance Framework?

In a nutshell: It balances clarity with breadth. Simple enough that teams can understand and apply it, yet comprehensive enough to cover the full lifecycle of your organization’s information.

Most effective frameworks work on these five key components:

1. Data Governance

The rules and ownership structures that keep your data accurate, consistent, and usable. Without this, nothing else in the framework works.

2. Information Security Governance

How you protect sensitive information, not just from breaches, but from inappropriate access, uncontrolled sharing, and shadow IT.

3. Risk Management

Your method for identifying, assessing, and reducing threats to your information. This is where you decide what matters most and what you can’t afford to get wrong.

4. Compliance

Your alignment with legal and regulatory requirements, GDPR, UK GDPR, state privacy laws, sector‑specific rules, cross‑border transfer obligations. This is where you prove you’re doing what the law expects.

5. Information Lifecycle Management

How information moves through your organisation, creation, use, storage, retention, and disposal. This is the part regulators increasingly focus on, because it shows whether your policies actually work in practice.

What can you expect to see?

Completely understandably, much of this must seem like bureaucratic busywork. Like creating a dense reference book. There are, however, advantages. Some expressly direct, not just ancillary. Here we go through a few of what we’ve seen from clients that we’ve worked with over the years.

1. Faster decision making because you’re not worried about compliance in an environment where it’s already protected as a matter of course. In the words of one of our clients, a major energy firm: “There’s more peace of mind given that the rules of best practice are written and in place.”
2. Improved operational efficiency by streamlining information management processes and reducing duplication of efforts.
3. Mitigation of risks associated with data breaches, non-compliance, and reputational damage.
4. A more innovation approach given the availability of large datasets which are now
5. Lastly, it fosters transparency and accountability within the organisation, which is crucial for maintaining stakeholder trust and meeting regulatory requirements.

Where do we come in?

You can create a framework internally. Nobody is more knowledgeable about your own practices than you and your staff. However, an IGF requires comprehensive compliance with complex regulations. So that means not just deep regulatory knowledge, but the ability to be able to implement it at scale.

Suppose your IGF includes a framework for destroying employee PII (Personally Identifiable Information). All well and good. How do you actually do that? Do you have a working relationship with a service provider capable of providing the sort of secure destruction certificates for documents that legal authorities require? Do they in turn have a relationship with a records management firm who can both track and destroy any documents associated with that employee?

We can help. We’ve been managing information for firms, both hard copy and digital, for over 40 years now. Our services are built around a holistic approach to information, not a one-size-fits-all model.

If you’d like to get started, or even just have a chat about what your requirements might be, then get in touch today.