Role Purpose & Context
Role Summary
The Information Governance Manager is here to make sure we're managing our critical compliance, quality, health, and safety data properly, from when we create it right up until we delete it. You'll be the one who takes our legal and regulatory requirements and turns them into practical, everyday processes that people can actually follow. This role sits right at the heart of our risk management efforts, working closely with IT, Legal, and our various business units to keep our information safe and compliant.
When you do this well, we avoid hefty fines, protect sensitive company information, and make sure we can always find what we need during an audit or investigation. Get it wrong, and we could face serious legal repercussions, reputational damage, or even operational shutdowns. The tricky part is often getting everyone on board with new ways of working, especially when it feels like 'more paperwork'. But the reward? Knowing you've built a robust system that genuinely protects the company and its people, making us more efficient and secure in the long run. Honestly, it's about making sure we're doing the right thing, even when no one's looking.
Reporting Structure
- Reports to: Senior Information Governance Manager
- Direct reports:
- Matrix relationships:
Information Governance Analyst, Records Management Specialist, Data Protection Coordinator
Key Stakeholders
Internal:
- Senior Information Governance Manager (your direct boss, for guidance and escalation)
- IT Security Team (for technical implementation of controls)
- Legal Counsel (for interpreting regulations and legal holds)
- Compliance & Audit Teams (for ensuring our processes meet standards)
- Health & Safety Managers (for understanding their data needs and risks)
- HR (for employee data governance)
External:
- External Auditors (demonstrating compliance during reviews)
- Software Vendors (for understanding platform capabilities)
Organisational Impact
Scope: Your work directly influences our ability to meet regulatory obligations, reduce legal risk, and manage data efficiently across the Compliance, Quality, Health, and Safety functions. You'll be improving how we handle everything from incident reports to audit findings, making sure we're defensible if questions ever arise. Essentially, you're helping us build a solid foundation for trustworthy information.
Performance Metrics
Quantitative Metrics
- Metric: Legal Hold Response Time
- Desc: The average time it takes to identify, preserve, and confirm data under a new legal hold.
- Target: 95% of legal holds applied within 48 hours of notification
- Freq: Monthly
- Example: A legal hold was issued on 1st March; all relevant data was identified and preserved by 2nd March, meeting the 48-hour target.
- Metric: DSAR Completion Rate & Timeliness
- Desc: Percentage of Data Subject Access Requests (DSARs) completed accurately and within statutory deadlines (e.g., 30 days under GDPR).
- Target: 100% of DSARs completed accurately and on time
- Freq: Quarterly
- Example: Out of 15 DSARs received in Q2, all 15 were fulfilled correctly and within the 30-day window, achieving 100%.
- Metric: ROT Data Identification & Remediation
- Desc: The volume (in GB or number of files) of Redundant, Obsolete, or Trivial (ROT) data identified and approved for disposition in specific systems.
- Target: Identify and prepare 500GB of ROT data for disposition quarterly
- Freq: Quarterly
- Example: In Q1, you identified 620GB of ROT data in the shared network drives, exceeding the 500GB target.
- Metric: Policy Adherence Rate (Training)
- Desc: Score from internal audits or surveys showing user understanding and adherence to key information governance policies (e.g., data classification, records declaration).
- Target: Achieve an average score of 85% in policy adherence audits
- Freq: Bi-annually
- Example: The latest audit showed 88% of users correctly applying data classification labels, indicating good policy adherence.
Qualitative Metrics
- Metric: Process Improvement & Documentation Quality
- Desc: How well you refine existing IG processes and create clear, user-friendly documentation for new ones.
- Evidence: Positive feedback from users on new process guides; reduction in common user errors; processes are clearly mapped and regularly reviewed; new joiners can follow your documentation easily without constant questions.
- Metric: Cross-Functional Collaboration
- Desc: Your ability to work effectively with other teams (like IT, Legal, and business units) to implement governance controls and resolve issues.
- Evidence: Being seen as a helpful resource, not just 'the compliance person'; successful implementation of shared projects; positive feedback in 360-degree reviews from peers and managers in other departments; proactively reaching out to resolve potential conflicts before they become problems.
- Metric: Issue Identification & Resolution
- Desc: Your knack for spotting potential information governance issues early and proposing practical solutions before they escalate.
- Evidence: Bringing forward potential risks that others missed; successfully resolving user queries or minor policy breaches without escalation; well-reasoned proposals for addressing identified gaps; proactively flagging areas where we could be doing better.
Primary Traits
- Trait: Meticulous (Detail-Oriented)
- Manifestation: You're the sort of person who spots a single incorrect date format in a 10,000-line retention schedule. You'll cross-reference a new policy against three overlapping regulations before it goes live, just to be sure. When you're discussing the scope of a legal hold, you never use 'approximately'—it's always precise. You'll catch the typo in an email before hitting send, especially if it's going to Legal.
- Benefit: Honestly, an error in a retention period for environmental monitoring data could lead to millions in fines or even a serious incident. A misplaced decimal in a data breach report isn't just a small mistake; it's a huge problem. Precision isn't just a nice-to-have here; it's absolutely critical to avoiding legal and financial headaches. We need people who instinctively double-check everything.
- Trait: Diplomatic (Influential)
- Manifestation: You're good at getting people on board, even when they're not thrilled about a new rule. You might persuade the Head of Engineering to adopt a new records process by showing them how it reduces their team's risk, rather than just saying 'it's a compliance mandate'. You can navigate those tricky conversations where Legal, IT, and a business unit all want different things for the same piece of data, finding a solution that works for everyone.
- Benefit: Let's be real, this role doesn't have direct authority over most business units. You can't just tell people what to do. Your success relies entirely on your ability to influence behaviour, build consensus, and gently guide people towards doing the right thing, even when it feels inconvenient for them. Without this, policies just become ignored documents.
- Trait: Pragmatic (Process-Minded)
- Manifestation: You're not about building theoretically perfect systems that no one will use. Instead, you'll design a data classification system with, say, four simple labels that people can actually understand and apply, rather than a super-detailed 20-label system that just gets ignored. You'd create a one-page guide for legal holds that's easy to follow, not a 50-page manual. You're always thinking, 'how can we make this work in the real world?'
- Benefit: Perfect governance on paper is completely useless if it's too complex or cumbersome for our teams to actually implement. Your job is to translate really complex legal and regulatory requirements into simple, repeatable processes that the entire organisation can adopt. It's about practical solutions that stick, not just academic exercises.
Supporting Traits
- Trait: Resilient
- Desc: You'll need to bounce back quickly when a senior leader dismisses a key policy recommendation or when a project hits an unexpected roadblock. It's not always smooth sailing, and you'll often face resistance.
- Trait: Patient
- Desc: Expect to explain the concept of a 'legal hold' for the tenth time to the same project team without showing an ounce of frustration. You'll be doing a lot of user education, and not everyone grasps it first time.
- Trait: Articulate
- Desc: You'll need to clearly explain the business risks of 'data hoarding' to non-technical executives or simplify complex legal terms for a frontline manager. Getting your point across effectively is crucial.
- Trait: Systematic
- Desc: When faced with a massive, unstructured shared drive cleanup, you'll approach it with a clear, phased methodology, breaking it down into manageable steps. You like order and logic.
Primary Motivators
- Motivator: Solving Complex Puzzles
- Daily: You get a real buzz from taking a messy, unregulated data problem and figuring out a clear, compliant process for it. It's like untangling a really knotted piece of string.
- Motivator: Protecting the Organisation
- Daily: You feel a genuine sense of purpose knowing your work directly helps the company avoid legal trouble, data breaches, and reputational damage. You're a guardian.
- Motivator: Bringing Order to Chaos
- Daily: You thrive on taking unstructured, 'wild west' data environments and bringing structure, clarity, and control to them. You like making things neat and tidy.
Potential Demotivators
Honestly, if you need constant praise for doing the 'right thing' or expect every single policy you propose to be adopted without question, you might find this role tough. It's often a battle against inertia and the 'we've always done it this way' mindset. You'll spend a fair bit of time educating people who might not immediately see the value in what you're doing, and sometimes, you'll feel like you're the 'Department of No'.
Common Frustrations
- Constantly being viewed as the 'Department of No' or a business prevention unit, rather than a strategic risk mitigator.
- The political battle against data hoarders—business leaders who insist on keeping everything 'just in case,' creating massive legal and storage costs.
- Discovering a critical business unit is running on 'Shadow IT' (e.g., using a personal Smartsheet to track safety incidents), creating a huge, ungoverned risk.
- Fighting for budget for governance initiatives that don't directly generate revenue, even though they prevent multi-million pound fines.
- Explaining to a senior executive why their team can't use a new, unvetted cloud tool, and sometimes being overruled only to have to clean up the mess later.
What Role Doesn't Offer
- A clear, linear path where every project you start gets completed exactly as planned and deployed without issue.
- A role where you're always popular for the changes you're implementing; sometimes you'll be seen as a blocker.
- A 'set it and forget it' environment; information governance is an ongoing, evolving challenge.
- A role with direct reports or significant team leadership at this level (though you'll informally guide others).
ADHD Positives
- The varied nature of tasks, from policy review to user training to system configuration, can keep things interesting and prevent boredom.
- The need to quickly switch between different compliance issues or data types can suit a fast-thinking, hyper-focused mind.
- Problem-solving aspects, especially untangling complex data flows or identifying risks, can be highly engaging.
ADHD Challenges and Accommodations
- The meticulous nature of documentation and policy writing might require extra focus; we can offer tools like Grammarly and structured templates.
- Managing multiple ongoing legal holds or DSARs simultaneously requires strong organisational skills; we use project management software and offer regular check-ins to help prioritise.
- Long periods of deep work on a single policy document could be challenging; we encourage regular breaks and offer flexible working patterns to manage energy levels.
Dyslexia Positives
- Strong conceptual thinking and ability to see the 'big picture' of data flows and risks can be a huge asset in designing governance frameworks.
- Excellent verbal communication skills often found in dyslexic individuals are invaluable for explaining complex policies to diverse audiences.
- Problem-solving through non-linear approaches can lead to innovative and pragmatic solutions for data management.
Dyslexia Challenges and Accommodations
- Reading and writing extensive policy documents or detailed reports can be tiring; we provide screen readers, dictation software, and encourage verbal communication where appropriate.
- Proofreading for accuracy is critical; we use robust grammar and spelling checkers and encourage peer review for important documents.
- Processing large volumes of text-based information (like regulatory updates) might take longer; we can offer tools that summarise text or allow for audio input.
Autism Positives
- A strong adherence to rules and processes is a significant advantage in a compliance-focused role like this.
- Exceptional attention to detail, especially in identifying discrepancies in data or policy wording, is highly valued.
- The ability to focus deeply on specific tasks, like configuring a records management system or analysing data lineage, can lead to high-quality outputs.
- Direct, clear communication is appreciated and often preferred in our team.
Autism Challenges and Accommodations
- Navigating complex social dynamics, especially when influencing reluctant stakeholders, might be challenging; your manager can provide coaching and support in these situations.
- Unexpected changes to priorities or project scope can be unsettling; we strive for clear communication about changes and provide as much advance notice as possible.
- Sensory input in an open-plan office could be overwhelming; we offer noise-cancelling headphones, quiet zones, and the flexibility to work from home a few days a week.
Sensory Considerations
Our main office is typically a modern, open-plan environment, which can sometimes be a bit noisy with conversations and keyboards. However, we also have quiet zones, meeting rooms, and offer high-quality noise-cancelling headphones. Visually, it's a standard office setup with bright lighting. Socially, while collaboration is key, we also respect individual working styles and offer options for focused, independent work. We're pretty flexible when it comes to creating a comfortable working space.
Flexibility Notes
We genuinely believe in flexibility. We offer hybrid working, usually 2-3 days in the office, with the rest from home. We're also open to discussing adjusted hours or other arrangements that help you do your best work. Just talk to us.
Key Responsibilities
Experience Levels Responsibilities
- Level: Mid-Level Professional
- Responsibilities: Take ownership of the end-to-end legal hold process for specific business units, making sure all relevant data (emails, documents, chat logs) is preserved accurately and on time when a legal matter arises. Get this wrong, and we're in serious trouble.
- Conduct 'ROT Analysis' (Redundant, Obsolete, Trivial data) on designated systems and shared drives, identifying content that can be safely disposed of. You'll work with data owners to get approval and then manage the defensible disposition process.
- Respond independently to Data Subject Access Requests (DSARs) from individuals, gathering their personal data from various systems and preparing it for release within strict regulatory deadlines (e.g., 30 days).
- Help design and then implement practical data classification schemes for new or existing information assets, working with teams to make sure they understand and apply the correct sensitivity labels.
- Provide training and guidance to employees on information governance policies and procedures. This means explaining complex topics like 'records retention' in a way that makes sense to everyone, from the shop floor to the executive suite.
- Use our GRC and records management platforms (like OneTrust or OpenText) to configure retention schedules, manage file plans, and troubleshoot common user issues. You'll be the go-to person for how these systems actually work day-to-day.
- Assist in maintaining our 'Information Asset Register' (IAR), making sure it's up-to-date with accurate details on where our critical CQHS data lives, who owns it, and how it's classified. This is foundational work, even if it's not always glamorous.
- Supervision: You'll have weekly check-ins with your Senior Manager to discuss priorities, roadblocks, and any tricky issues. For routine tasks and established processes, you'll work independently, but for anything new or complex, you'll be expected to bring it up for guidance before making big decisions.
- Decision: You'll make routine operational decisions within established guidelines, such as applying a specific retention schedule to a new data set or determining the scope of a standard legal hold. Any decisions involving significant financial impact (say, over £5K), changes to core policies, or novel legal interpretations will need to be escalated to your Senior Manager or Legal Counsel. You're empowered to act, but know when to ask for help.
- Success: Your success will be measured by the accuracy and timeliness of your legal hold and DSAR responses, the volume of ROT data you help us clear out, and the positive feedback you get from teams you've trained or supported. Essentially, we want to see you taking ownership of these processes and making a measurable difference to our compliance posture.
Decision-Making Authority
- Type: Applying a standard retention schedule to a new data set
- Entry: Escalate to supervisor for review and approval.
- Mid: Independent decision within established guidelines; inform supervisor.
- Senior: Independent decision; may define new guidelines.
- Type: Responding to a routine Data Subject Access Request (DSAR)
- Entry: Prepare initial draft, supervisor reviews and approves all communications.
- Mid: Independently manage the entire DSAR process, escalating complex legal questions to Legal Counsel.
- Senior: Oversee multiple DSARs, handle complex or high-profile cases, provide guidance to junior staff.
- Type: Initiating a new legal hold for a straightforward matter
- Entry: Assist in data identification and preservation under direct supervision.
- Mid: Independently initiate and manage the legal hold process for assigned business units, consulting Legal on scope.
- Senior: Design and refine the legal hold process, manage complex or multi-jurisdictional holds.
- Type: Proposing changes to an existing information governance policy
- Entry: Identify potential issues, propose minor wording changes to supervisor.
- Mid: Draft proposed policy changes with supporting rationale, consult Legal and Senior IG Manager before submission.
- Senior: Lead policy review, draft and champion significant policy revisions through approval.
Tool: Automated Data Classification
Benefit: Use AI/ML tools (like those in Microsoft Purview or Varonis) to automatically scan, understand, and apply sensitivity and retention labels to millions of files and emails based on their content. This means less manual tagging and more consistent application of our rules, especially for identifying PII in incident reports or audit findings.
Tool: Insightful Risk Detection
Benefit: Use AI to analyse data access patterns and content to proactively identify high-risk behaviour. Think of it as an early warning system: it could flag if a user suddenly accesses thousands of confidential safety audit files, or if sensitive data is being stored in an unsanctioned cloud location. This shifts your focus from reactive investigation to proactive risk mitigation.
Tool: Regulatory Research & Summarisation
Benefit: Use AI assistants to monitor and summarise new or updated CQHS regulations (from OSHA, EPA, FDA, etc.) and legal precedents. It can highlight changes that directly impact our current information governance policies, saving you hours of sifting through legal jargon and making sure we're always up-to-date.
Tool: Policy & Communication Drafting
Benefit: Use generative AI to create the first draft of new governance policies, standard operating procedures (SOPs), and user-friendly training communications. You'll then refine and validate the content, but it helps overcome that 'blank page' syndrome and speeds up the entire documentation process significantly.
Weekly time savings potential: 15-25 hours weekly
Typical tool investment: Starting with £20-100/month for basic tools, scaling up as needed
Competency Requirements
Foundation Skills (Transferable)
Beyond the technical stuff, you'll need a solid set of 'human' skills to really thrive here. This isn't a role where you just sit behind a screen; you'll be interacting with people, solving problems, and constantly learning.
- Category: Communication & Collaboration
- Skills: Clear Written Communication: You'll need to write policies and guides that are easy for anyone to understand, without legal jargon. Think plain English.
- Verbal Explanations: The ability to explain complex governance concepts (like 'defensible disposition') to non-technical teams or senior leaders, patiently and clearly.
- Active Listening: Genuinely hearing what business units need and what their concerns are, rather than just waiting for your turn to speak.
- Cross-Functional Teamwork: Working effectively with Legal, IT, HR, and various business units to get things done, even when priorities might clash.
- Category: Problem-Solving & Critical Thinking
- Skills: Root Cause Analysis: When a governance issue pops up, you'll need to dig in and figure out *why* it happened, not just fix the symptom.
- Process Optimisation: Always looking for ways to make our governance processes more efficient, simpler, and more effective for everyone.
- Risk Identification: Spotting potential information governance risks before they become real problems, especially in new systems or projects.
- Practical Solutioning: Coming up with realistic, workable solutions that balance compliance needs with business realities, not just textbook answers.
- Category: Adaptability & Learning Agility
- Skills: Navigating Ambiguity: Sometimes the rules aren't perfectly clear, or a new regulation comes out. You'll need to figure things out and adapt.
- Continuous Learning: The regulatory landscape and technology are always changing. You'll need to be keen to keep up and learn new things.
- Prioritisation: Juggling multiple requests and projects, knowing what needs to be done first and what can wait, especially when urgent requests pop up.
- Feedback Incorporation: Being open to feedback on your policies, processes, or training, and using it to improve.
Functional Skills (Role-Specific Technical)
These are the specific skills and tools you'll be using day-to-day. We're looking for someone who can hit the ground running with these, or at least pick them up quickly.
Technical Competencies
- Skill: Information Lifecycle Management (ILM)
- Desc: Understanding and applying the principles of managing CQHS data from its creation, through active use, to archival and final disposition. This means knowing what to keep, for how long, and when to get rid of it.
- Level: Intermediate
- Skill: Records Retention Scheduling
- Desc: Working with established retention schedules to classify and manage various types of information, ensuring compliance with regulations like OSHA, EPA, FDA, and HIPAA. You'll know how to apply these schedules in practice.
- Level: Intermediate
- Skill: Data Mapping & Lineage
- Desc: Contributing to and maintaining an inventory of our critical CQHS data. This means understanding where data comes from, where it goes, and who is responsible for it, often tracking its flow through systems like an EHS platform.
- Level: Intermediate
- Skill: E-Discovery Reference Model (EDRM)
- Desc: Applying the EDRM framework to manage the identification, preservation, collection, and production of electronically stored information (ESI) for legal holds, audits, or regulatory investigations. You'll be involved in the practical steps.
- Level: Intermediate
- Skill: Defensible Disposition
- Desc: Executing systematic, legally sound processes for destroying information that has met its retention requirements. This is crucial for reducing storage costs and legal risk, and you'll be doing the actual work.
- Level: Intermediate
Digital Tools
- Tool: OneTrust / ServiceNow GRC
- Level: Intermediate
- Usage: Executing data mapping tasks, responding to DSARs, updating control evidence, and running pre-defined reports within the platform.
- Tool: Microsoft Purview eDiscovery / Logikcull
- Level: Intermediate
- Usage: Running pre-defined search queries for legal holds, applying legal holds to mailboxes/sites, and exporting data sets under supervision for investigations.
- Tool: Microsoft Purview Information Protection
- Level: Intermediate
- Usage: Manually applying sensitivity labels to documents, identifying and flagging mislabelled content, and helping users understand how to use these tools.
- Tool: OpenText Content Suite / M-Files
- Level: Intermediate
- Usage: Declaring records based on established rules, performing disposition tasks on approved schedules, and assisting users with records management queries.
- Tool: MS 365 (SharePoint/Teams)
- Level: Intermediate
- Usage: Managing permissions on specific sites, applying retention labels to content, and guiding users on proper storage locations for compliant information.
- Tool: Power BI / Tableau
- Level: Basic
- Usage: Viewing and interacting with existing dashboards to monitor KPIs like ROT data or policy exceptions, and occasionally exporting data for simple reports.
Industry Knowledge
- Area: Health & Safety Data Regulations
- Desc: Understanding specific regulations around health and safety data (e.g., incident reports, risk assessments), including retention periods and privacy considerations.
- Area: Environmental Compliance Data
- Desc: Familiarity with the types of data generated for environmental compliance (e.g., emissions monitoring, waste disposal records) and their specific governance requirements.
- Area: Quality Management System Data
- Desc: Knowledge of information governance requirements for quality management systems, including audit trails, document control, and record keeping for certifications.
Regulatory Compliance Regulations
- Reg: General Data Protection Regulation (GDPR)
- Usage: Understanding core principles like lawful basis, data minimisation, and data subject rights, especially for DSARs and personal data retention.
- Reg: Data Protection Act 2018 (UK)
- Usage: Applying UK-specific data protection rules, particularly in conjunction with GDPR, for all personal data we hold.
- Reg: OSHA (Occupational Safety and Health Administration) / HSE (Health and Safety Executive)
- Usage: Awareness of record-keeping requirements for workplace safety incidents, training, and risk assessments, and how these impact retention.
- Reg: EPA (Environmental Protection Agency) / EA (Environment Agency)
- Usage: General understanding of record-keeping for environmental permits, waste management, and emissions data.
- Reg: HIPAA (Health Insurance Portability and Accountability Act)
- Usage: Awareness of protected health information (PHI) if our operations touch health data, particularly for privacy and security rules.
Essential Prerequisites
- At least 2-3 years of hands-on experience in an information governance, records management, or data privacy role.
- Demonstrable experience managing legal hold processes or responding to Data Subject Access Requests (DSARs).
- Experience working with at least one GRC, records management, or eDiscovery platform (e.g., OneTrust, Microsoft Purview, OpenText).
- A solid understanding of core data protection principles (like GDPR or DPA 2018) and how they apply in a business context.
- Proven ability to translate complex legal or regulatory requirements into practical, actionable steps for business teams.
- Strong organisational skills and a meticulous approach to documentation and data handling.
Career Pathway Context
We're looking for someone who has already dipped their toes into the world of information governance and is ready to take on more ownership. You won't be starting from scratch, but you'll be building on existing knowledge and experience, ready to tackle more complex challenges and drive specific processes independently.
Qualifications & Credentials
Emerging Foundation Skills
- Skill: AI Ethics & Governance
- Why: As we start using more AI tools for data classification, risk detection, and even policy drafting, understanding the ethical implications and how to govern AI's outputs becomes critical. Regulators are already looking closely at this.
- Concepts: Bias in AI: Recognising how AI models can inadvertently perpetuate or amplify biases present in training data, especially in areas like HR or safety incident analysis.
- Explainability (XAI): Understanding how AI makes decisions, so we can justify its outputs and ensure compliance, rather than just blindly trusting it.
- Data Provenance for AI: Tracking the origin and lineage of data used to train AI models, ensuring it's compliant and appropriate.
- AI Policy Development: Helping to draft internal policies for responsible AI use, data input, and output validation.
- Prepare: This quarter: Read up on the UK's approach to AI regulation and the EU AI Act.
- Next quarter: Attend a webinar or online course on 'AI Ethics for Practitioners'.
- Month 3-6: Start critically evaluating AI tools we use, asking 'how does this work?' and 'could this be biased?'
- Month 6-9: Participate in internal discussions about our company's stance on AI governance.
- QuickWin: Start reading articles and listening to podcasts on AI ethics today. It's a hot topic, and there's loads of free content out there to get you thinking.
- Skill: Digital Empathy & User-Centric Design
- Why: Governance often gets a bad rap for being complex and user-unfriendly. As we automate more, the human element shifts to designing policies and systems that people actually *want* to use, understanding their pain points.
- Concepts: User Journey Mapping: Mapping how an employee interacts with data and governance processes to identify friction points.
- Simplified Language: Translating complex legal terms into plain, actionable language for policy and training materials.
- Feedback Loops: Establishing effective ways to gather and act on user feedback about governance tools and processes.
- Change Management Principles: Understanding how to introduce new processes and technologies in a way that minimises resistance and maximises adoption.
- Prepare: This month: Actively seek feedback from colleagues after delivering training or rolling out a new process.
- Next quarter: Shadow a few users in different departments to see how they actually interact with information.
- Month 3-6: Read a book or take a short course on 'Design Thinking' or 'User Experience (UX) Principles'.
- Month 6-9: Propose one small, user-driven improvement to an existing IG process.
- QuickWin: When you write your next policy or guide, ask a non-expert colleague to read it and tell you what they don't understand. It's an instant reality check.
Advancing Technical Skills
- Skill: Advanced GRC Platform Configuration
- Why: As our organisation grows and regulations evolve, we'll need to configure our GRC platforms (like OneTrust or ServiceNow) to handle more complex assessment workflows, integrate with more systems, and generate more sophisticated risk reports. You'll need to move beyond basic use.
- Concepts:
  - Workflow Automation: Designing and implementing automated workflows for assessments, approvals, and remediation tasks within GRC platforms.
  - API Integration: Understanding how to connect GRC platforms with other enterprise systems (e.g., HR, IT ticketing) using APIs for data exchange.
  - Custom Reporting & Dashboards: Building tailored reports and dashboards within the GRC platform to track specific KPIs and provide insights to leadership.
  - Module Specialisation: Deep diving into specific modules like Policy & Compliance, Risk Management, or Data Mapping to become a subject matter expert.
- Prepare: This quarter: Seek out advanced training or certifications for our primary GRC platform (e.g., OneTrust Certified Professional).
- Next quarter: Volunteer to lead the configuration for a new assessment type or policy workflow.
- Month 3-6: Explore the platform's API documentation and discuss potential integrations with the IT team.
- Month 6-9: Build a custom dashboard to track a new metric for your Senior Manager.
- QuickWin: Spend an hour each week exploring advanced features in OneTrust or ServiceNow GRC that you haven't used before. There's usually a lot hidden in there.
- Skill: Advanced Data Classification & DLP Rule Tuning
- Why: With the sheer volume of data, manual classification isn't sustainable. You'll need to get really good at setting up and fine-tuning automated classification rules and Data Loss Prevention (DLP) policies to minimise false positives and ensure accurate protection.
- Concepts:
  - Regular Expressions (Regex): Using advanced patterns to accurately identify specific types of sensitive data (e.g., specific document IDs, medical codes).
  - Machine Learning Model Training (Basic): Understanding how to provide feedback to AI-driven classification tools to improve their accuracy over time.
  - DLP Policy Scoping: Designing DLP rules that are granular enough to protect specific data types without disrupting legitimate business operations.
  - Incident Response for DLP: Developing and refining procedures for investigating and responding to DLP alerts effectively.
- Prepare: This quarter: Take an online course on Regular Expressions and practise with our data examples.
- Next quarter: Work closely with IT Security to review and fine-tune existing DLP rules, analysing false positives.
- Month 3-6: Propose and implement a new automated classification rule for a specific type of CQHS data.
- Month 6-9: Lead the investigation of a complex DLP alert, documenting the root cause and remediation.
- QuickWin: Start by reviewing the 'audit' logs of our current DLP system. See what it's catching and, more importantly, what it might be missing or flagging incorrectly.
Future Skills Closing Note
The reality is, the tools and techniques will always change. What won't change is the need for someone who understands the 'why' behind information governance and can adapt their technical skills to meet those evolving demands. Keep learning, keep asking questions, and you'll be fine.
Education Requirements
- Level: Minimum
- Req: A Bachelor's degree in a relevant field such as Law, Information Management, Computer Science, Business Administration, or a related discipline.
- Alts: We're pragmatic here. If you don't have a degree, we'll consider significant, demonstrable professional experience (typically 5+ years) in a dedicated information governance or compliance role that shows equivalent knowledge and capabilities. Show us what you can do.
- Level: Preferred
- Req: A Master's degree in Information Governance, Data Protection, or a legal discipline.
- Alts: Relevant professional certifications (like CIPP/E, CIPM, or AIIM) can often be just as valuable as a Master's, demonstrating a practical application of knowledge.
Experience Requirements
You'll need roughly 2-5 years of dedicated, hands-on experience in an information governance, records management, or data privacy role. This isn't your first rodeo; we expect you to have independently managed processes like legal holds, DSARs, or data classification projects. We're looking for someone who has actually 'done the doing' in this space, not just overseen it.
Preferred Certifications
- Cert: Certified Information Privacy Professional/Europe (CIPP/E)
- Prod: IAPP (International Association of Privacy Professionals)
- Usage: Shows a deep understanding of European data protection laws, which is crucial for managing personal data within our organisation.
- Cert: Certified Information Privacy Manager (CIPM)
- Prod: IAPP (International Association of Privacy Professionals)
- Usage: Demonstrates practical knowledge of how to operationalise a privacy programme, which aligns well with managing governance processes.
- Cert: Certified Records Manager (CRM)
- Prod: ARMA International
- Usage: Validates expertise in records and information management principles, which is a core part of this role.
- Cert: AIIM Certified Information Professional (CIP)
- Prod: AIIM (Association for Intelligent Information Management)
- Usage: Covers a broad range of information management topics, including content management, process automation, and governance.
Recommended Activities
- Regularly attend industry webinars and conferences focused on data protection, records management, and compliance in the CQHS sector.
- Join professional associations like IAPP or ARMA International to network and stay current with best practices.
- Actively participate in internal training programmes on new systems or regulatory updates.
- Seek out opportunities to mentor junior colleagues or new starters, as teaching often solidifies your own understanding.
Career Progression Pathways
Entry Paths to This Role
- Path: Information Governance Associate / Junior Analyst
- Time: 2-3 years
- Path: Compliance Analyst / Data Protection Officer Assistant
- Time: 3-4 years
- Path: Records Management Coordinator
- Time: 2-4 years
Career Progression From This Role
- Pathway: Senior Information Governance Manager
- Time: 3-5 years
Long Term Vision Potential Roles
- Title: Information Governance Director
- Time: 8-12 years
- Title: Chief Data Governance Officer (CDGO)
- Time: 12-15+ years
- Title: Principal Information Governance Architect
- Time: 8-12 years
Sector Mobility
The skills you'll build here are highly transferable. Information governance is critical in almost every industry, from finance and healthcare to government and tech. You could easily move into a similar role in another sector, taking your expertise with you.
How Zavmo Delivers This Role's Development
DISCOVER Phase: Skills Gap Analysis
Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (CRM expertise, negotiation), and readiness for career progression.
Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.
DISCUSS Phase: Personalised Learning Pathway
Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).
Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.
DELIVER Phase: Conversational Learning
Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practise difficult QBR presentations, negotiate tough renewals, and handle churn conversations in a safe AI environment before facing real clients.
Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex enterprise account, identifying key decision-makers, and building an engagement strategy."
DEMONSTRATE Phase: Competency Assessment
Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.
Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.