Information Governance Analyst

Information Governance Analysts are the people responsible for making sure that an organization's information — from paper personnel files to email archives to cloud-stored contracts — is created, kept, protected, and destroyed in a defensible, compliant, and efficient way. The role exists because organizations accumulate enormous amounts of information that carries legal, regulatory, and operational obligations, and failing to manage it systematically creates real exposure: spoliation sanctions in litigation, HIPAA breach penalties, GDPR enforcement actions, and storage costs that compound year over year.

The work is part policy, part audit, part project management, and part stakeholder diplomacy. A typical week might involve reviewing a department's SharePoint site to identify records that have aged past their retention date, meeting with the legal team to discuss a new litigation hold on a product liability matter, attending a vendor demo for an AI-powered auto-classification tool, and drafting a policy update triggered by a new state privacy law that takes effect in 90 days.

The retention schedule is the spine of any governance program. It maps every record type the organization creates — purchase orders, HR files, medical records, financial statements, board minutes — to a specific retention period derived from regulatory requirements and business need. Keeping that schedule current requires tracking dozens of regulatory changes each year and understanding how they interact with the organization's existing record types. A financial services firm might have 400 line items on its retention schedule; a large hospital system might have 700.

Litigation support is another major demand on governance analysts' time. When a lawsuit or regulatory investigation arrives, the first task is identifying which custodians hold relevant data and placing a legal hold to suspend normal disposal for those records. Doing this correctly — documenting the hold, confirming receipt from custodians, tracking its duration — is the difference between a defensible preservation process and an adverse inference instruction from a judge.

Governance programs are increasingly assessed against maturity models. ARMA's Information Governance Maturity Model and IGI's program frameworks give organizations benchmarks for where they stand. Analysts are often the internal advocates who use those frameworks to push for resources, headcount, and technology investment. The role requires comfort with ambiguity — governance programs are never fully done — and the ability to make progress on multiple regulatory and operational fronts simultaneously.

Education:

• Bachelor's degree in information management, library science, business administration, or a related field
• Master's degree in information science or library and information studies for leadership-track roles
• Paralegal or law-related background valued in organizations where governance sits within the legal department

Certifications:

• Information Governance Professional (IGP) — ARMA International's flagship credential; signals program design competency
• Certified Records Manager (CRM) — ICRM credential; focused on records lifecycle and physical/digital archive management
• Certified Information Privacy Professional (CIPP/US or CIPP/E) — IAPP; required or strongly preferred in healthcare and multinationals
• Registered Health Information Administrator (RHIA) or RHIT — AHIMA credentials for healthcare-specific roles
• Certified Information Professional (CIP) — AIIM; emphasizes content and document management systems

Technical skills:

• Enterprise content management platforms: Microsoft SharePoint, OpenText Content Suite, Laserfiche, Alfresco
• Email archiving and eDiscovery tools: Veritas Enterprise Vault, Relativity, Nuix, ZL Technologies
• Records management software: HP Records Manager (now Content Manager), Gimmal, Iron Mountain InSight
• Data classification tools: Microsoft Purview, Varonis, BigID
• Familiarity with cloud storage governance: AWS S3 lifecycle policies, Azure Information Protection labels, Google Workspace Vault

Regulatory knowledge:

• HIPAA minimum necessary standard, PHI retention, and breach notification timelines
• SEC Rule 17a-4, FINRA 4511, and broker-dealer books-and-records requirements
• GDPR Article 30 records of processing and data subject rights management
• CCPA and emerging state privacy laws (Virginia CDPA, Colorado CPA, Texas TDPSA)
• Federal Records Act and NARA guidance for government contractors

Soft skills:

• Ability to translate dense regulatory requirements into plain-language policies that non-legal staff can follow
• Diplomatic persistence — governance requires buy-in from departments that often see compliance as a burden
• Organized enough to manage dozens of open projects with different regulatory deadlines simultaneously

Demand for Information Governance Analysts is growing at a pace that consistently outstrips the available talent pool, driven by three converging forces: regulatory expansion, data volume growth, and heightened enforcement.

On the regulatory side, the U.S. state privacy law landscape has become markedly more complex since California's CPRA amendments took effect. More than 15 states now have comprehensive privacy statutes on the books or moving through legislative process, each with its own data subject rights, retention requirements, and vendor assessment obligations. Multinational organizations managing GDPR alongside a patchwork of U.S. state laws need governance analysts who can map requirements, identify conflicts, and build programs that satisfy multiple jurisdictions simultaneously. That skill set is genuinely scarce.

Data volume is a compounding problem. Enterprise storage grows at 20–40% annually at most large organizations, and a meaningful fraction of that growth is records with regulatory retention obligations. Without active governance, organizations accumulate years of data that they are legally required to dispose of but haven't, creating both storage cost waste and litigation risk — over-retained data that should have been destroyed is discoverable. Governance analysts who can drive defensible disposal programs at scale are in demand specifically because the problem grows every year that it isn't addressed.

Enforcement has sharpened. HIPAA settlements regularly reach seven figures, and European data protection authorities have issued GDPR fines exceeding €1 billion against major technology companies. In-house governance functions that can demonstrate active program management are materially better positioned in regulatory investigations than organizations that scramble to reconstruct their practices after a complaint arrives.

Career paths from this role branch in several directions. Senior analysts move into Director of Information Governance, Chief Privacy Officer, or Records Management Director positions. Those with strong technical skills often transition toward data governance or data stewardship roles aligned with analytics and data engineering. Governance consulting is another common path — firms like Iron Mountain, Huron, and Deloitte's regulatory practices hire experienced analysts as consultants who can sell and deliver program assessments.

The Bureau of Labor Statistics does not track this title in isolation, but the combination of data management and compliance roles grows at approximately 8–11% annually, and anecdotal employer feedback consistently describes a candidate shortage at the mid-senior level. Analysts who hold IGP, CIPP, and CRM simultaneously — and can speak fluently to both legal requirements and the technical systems that implement them — have leverage in salary negotiations that the headline compensation ranges don't fully capture.

Dear Hiring Manager,

I'm applying for the Information Governance Analyst position at [Organization]. I've spent four years building and operating the records and information governance program at [Current Employer], a regional healthcare system with approximately 8,000 employees and records subject to HIPAA, state medical records statutes, and CMS Conditions of Participation.

The work I'm most proud of is a two-year project to rebuild our retention schedule from scratch. When I arrived, the schedule had 180 line items, hadn't been reviewed since 2018, and didn't reflect either our current record types or several regulatory changes. I worked with 14 department heads, two outside counsel, and the health information management team to produce a 560-item schedule that was validated by legal, approved by the compliance committee, and implemented in SharePoint with auto-applied retention labels. We've since disposed of 4.2 TB of over-retained records that had been flagged as low-value in three consecutive audits.

I also manage our litigation hold program. Last year we had 11 active holds at peak, spanning HR, revenue cycle, and clinical records. I built a tracking database that flags custodians who haven't confirmed receipt, triggers 90-day check-ins, and produces a release log when holds close. It's not complicated technology, but it closed a documentation gap that our outside counsel had flagged as a spoliation risk.

I hold IGP and CIPP/US certifications and I'm familiar with Microsoft Purview for sensitivity labeling and data lifecycle policies. I'm drawn to [Organization] because your governance program is expanding into cloud infrastructure and third-party risk management — exactly the areas where I've been building competency over the past 18 months.

Thank you for considering my application.

[Your Name]