In my role, I spend much of my time educating both business and technical users in developing information governance programs. Part of the methodology we use at Syniti consists of documenting an organization’s policies and developing enforcement mechanisms via rules. But developing business rules isn’t always as cut and dried as it may seem. Working with today’s large-scale enterprises, I’m almost always asked: what’s the difference between a policy and a rule?
While policies are typically guidelines that are directional or informative, rules are standards intended to assert control over some aspect of the business. Policies may contain rules, although this is not always the case. To understand the relationship between policies and rules, consider the following policy example:
“Personal data shall be processed in a manner that ensures appropriate security of the personal data. (GDPR Art. 5-1f)
Definition: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').”
Any organization could choose a number of ways to enforce this policy, and so rules communicate the organization's chosen enforcement. An example rule might be:
“Personal Data Must Be Encrypted In Transit and At Rest.
Implication: In the event of a data breach, personal data must be protected by appropriate technical and organizational measures, in particular those that render the personal data unintelligible to any person who is not authorized to access it.”
Syniti's Knowledge Tier serves as a centralized location to document these policies and rules, and the relationships between them. Machine learning + AI (Deep Guidance™) take this a step further by inferring relationships where an existing rule may enforce a new policy.
The rule record also contains an Enforcement Profile, which allows users to understand how a rule is “actualized” in the business. Some rules may be strictly and automatically enforced via an enforcement technology (e.g., DSP), others will be enforced via employee behaviors, and still others may not be enforced at all. The important thing to note here is that rules should be system-agnostic, which I’ll discuss in a future blog post.
Information Governance can be complicated to implement, but yields important benefits. At Syniti, each cloud customer is assigned a designated Customer Success Manager who can help guide you and provide further expertise on implementations. To learn more about the customer success program, please contact firstname.lastname@example.org.