5W – Data Governance

Thank you for reading! Please see “Why 5W?” for context, methodology and disclaimers.

Overview

Data Governance (DG) quickly makes its way into the ‘bad word pile’ at most organizations, especially as they gain visibility into the responsibilities that fall to them when managing user data. Note that more and more RFPs are asking DG questions as part of their compliance review when evaluating vendors.

The scope of DG is massive, encompassing Personally-Identifiable Information (PII), Personal Credit Information (PCI), Personal Health Information (PHI), inferred combinations of the above, PLUS business-sensitive data for both the company and its customers. ‘At Work’ data is still considered PII by regulatory organizations (opinion by the N3 legal team when referencing GDPR requirements for the EU), so it must also be covered by DG policies and practices.

Last, data is no longer tucked safely behind the firewall of a company data center. Companies must take an integrated / hybrid approach to discover, catalog and manage data from a wide variety of sources.

A wrinkle for companies that manage client data: such a company must maintain a custodial posture, closing the loop from acquisition through enrichment to return of client-owned data. DG is critical to these hand-offs and must be managed effectively through policies, audited practices and documented enforcement should a breach occur. Part of this wrinkle is ‘data ownership’: an organization acting as custodian of client data for a period is beholden to notify the client of any breach and to provide assurances of compliant handling of that data.

What is Data Governance?

As it turns out, there is an institute for DG, cleverly named The Data Governance Institute. They’ve been kind enough to define DG, thusly:

Here’s a short definition of Data Governance:

“Data Governance is the exercise of decision-making and authority for data-related matters.”

Here’s a bit longer definition:

“Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”

DG encompasses more than the data itself; in context, it also refers to:

  • Organizational bodies
  • Rules (policies, standards, guidelines, business rules)
  • Decision rights (how we “decide how to decide”)
  • Accountabilities (and auditing)
  • Enforcement methods for people and information systems as they perform information-related processes.

Note that an IT department (as an identified organizational body) recognizes DG as a necessity, but tends to view DG as a ‘lose-lose’ proposition for itself. The first lose: no control, no oversight, no consequences .. IT just hopes for the best. The other lose: opening the hood and recognizing how data is currently protected, how transit is documented, whether encryption is enforced, whether access is audited, and whether policies comply with the regulations affecting these data. In the latter case, IT has to do something about it, because knowledge equals disclosure (and management of what is disclosed).

As a result, IT should not be in charge of DG policies, but should rather be governed by corporate-defined, enforced policies, practices and documentation for the handling of these data. IT needs to be involved: they can provide significant insights into data repositories, current practices and tribal knowledge of data acquisition history.

Data Governance Benefits

The news isn’t all bad .. there are two primary benefits of a solid DG program for a company:

  • Compliance
  • Business Intelligence / Insights

Let’s first recognize Compliance as a ‘need to do’ that safeguards a company against regulatory agency action for lacking established practices that demonstrate the intent to comply (legal citation needed .. but this advice won’t create happy moments .. this is not an easy bullet to dodge). First line of defense: documented intent to comply with the appropriate agencies .. second line of defense: documentation describing DG practices for compliant handling of data. The third: implementing and enforcing the same.

With that said, it is always better to demonstrate corporate practices that ensure employees will comply with regulations than to take a ‘head-in-the-sand’ approach to DG. Think of this as an ‘80% Approach’, where a company holds a defensible position that covers roughly 80% of the potential regulatory impact. Note: much of this is employee training and employee acceptance of policy (which can be delivered and captured via a few mouse clicks), but ultimately violations will land on the corporation and be judged on how procedures were enforced, not on the errant employee. One last bit: corporate policy regarding data handling must be documented, and the activities it governs must be enforced.

Data Governance for Compliance

Discover, classify and manage information in ways that meet the obligations enforced by both regulatory and corporate mandates. Some use cases include:

  • Regulatory Agencies
  • Privacy & Protection
  • Records & Retention
  • e-Discovery
  • Audit Readiness
  • Archiving

The BI side of the equation could provide the business and revenue value that funds the compliance costs .. in a perfect world, of course. So let’s see where companies can benefit by surfacing the BI value of their data as Insights.

Data Governance for Insights

Provide safe access to trusted, high-quality, fit-for-purpose data while enabling effective collaboration among team members through:

  • Data discovery and cataloging
  • Self-service access to data and analytics for business users
  • Managed trusted repositories

Think in terms of accessing CRM, ERP and Supply Chain systems programmatically, enabling Business Analysts to surface a 360-degree view of a customer interaction within a company.

Steps to Data Governance

Courtesy of Tealium and their Universal Data Layer product, here are five discrete steps to securing DG; each of these steps has a business and technical requirement:

Due Diligence: Audit data flows to know where data goes and who has access to it:

  • Business Audience:
    • Identify vendors in use
    • Validate vendor access
    • Review current contracts
  • Technical Audience:
    • Audit vendor technology
    • Review vendor policies
    • Remove non-compliant or unused vendors

Perform a data inventory to understand data types, how data is processed, and what the business requires:

  • Business Audience:
    • Agree on data sensitivity both from a legal and experience perspective (taxonomy)
    • Agree on the data needed to run marketing vs. operations
    • Document data requirements for running the business
  • Technical Audience:
    • Audit vendor technology
    • Review vendor policies
    • Remove non-compliant or unused vendors

Build Controls: Develop procedures to provide clear and accurate notice of data usage both internally, with policy and process, and externally, through notification, terms and conditions:

  • Business Audience:
    • Verify proper contracts with vendors
    • Create governance policies and processes
    • Update external and internal communication
  • Technical Audience:
    • Configure vendors for ‘least-access’
    • Create data audit guidelines and tests
    • Test and audit internally for compliance

Form a Data Governance Panel: Activate the panel against internal processes so that both business and technology teams can move forward.

  • Business Team Communicates with Technology team on:
    • Needs to drive marketing and customer experiences
    • Legal ramifications of non-compliance
    • Expectations of the business on technology
  • Technology Team Communicates with Business team on:
    • Best practices with access, transmission and storage of data
    • Protection of the data and the customer from ‘bad’ players (Internal, External, Partner)
    • Enablement of the business within reason

Provide Clear and Accurate Notice: Communicate your data policy across the organization, and to customers and vendors:

  • Business Team:
    • Update Privacy Policy to reflect data usage (ex. cookie policy, IP usage)
    • Provide means for opt-out across all marketing
    • Communicate with Technology team on evolving data usage
  • Technology Team:
    • Provide customers with Explicit Opt-In/Out
    • Ensure ‘Right to be Forgotten’ and general data deletion directives
    • Communicate to Business team and vendors of compliance changes or lack of compliance
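The five steps above are largely organizational, but several of the technical-audience items (the data inventory with an agreed sensitivity taxonomy, validating vendor access, configuring vendors for ‘least-access’, creating audit tests, and honoring ‘Right to be Forgotten’ deletion directives) can be checked mechanically once the inventory exists. The Python below is an added example, not code from the original post or from Tealium’s Universal Data Layer: the fields, sensitivity tags, vendors, contract permissions, subject records and the 180-day ‘unused integration’ threshold are all constructed or assumed for illustration.

```python
"""Data-inventory, vendor least-access and erasure audit (constructed example).

Every field, vendor, contract and record below is made up for illustration;
nothing here comes from Tealium's product or from a real contract.
"""
from dataclasses import dataclass

# Sensitivity taxonomy agreed between the business and technical audiences.
PII, PCI, PHI, BIZ = "PII", "PCI", "PHI", "BUSINESS"
PERSONAL = {PII, PCI, PHI}  # classes that a deletion directive must purge


@dataclass(frozen=True)
class Field:
    name: str
    classes: frozenset  # sensitivity classes this field carries


@dataclass
class Vendor:
    name: str
    permitted: frozenset   # classes the (constructed) contract lets the vendor receive
    fields_shared: set     # field names actually configured to be sent
    last_used_days: int    # days since the integration last received data


# Constructed data inventory: what the business holds and how sensitive it is.
INVENTORY = {
    "email": Field("email", frozenset({PII})),
    "card_pan": Field("card_pan", frozenset({PCI, PII})),
    "diagnosis": Field("diagnosis", frozenset({PHI, PII})),
    "work_phone": Field("work_phone", frozenset({PII})),  # 'at work' data is still PII
    "margin_pct": Field("margin_pct", frozenset({BIZ})),
    "page_views": Field("page_views", frozenset()),
}

# Constructed vendor configuration to audit against the inventory.
VENDORS = [
    Vendor("analytics-co", frozenset(), {"page_views"}, 3),
    Vendor("mail-co", frozenset({PII}), {"email", "work_phone"}, 10),
    Vendor("adnet-co", frozenset({PII}), {"email", "card_pan"}, 1),  # receives PCI it is not contracted for
    Vendor("legacy-co", frozenset({PII}), {"email"}, 400),           # integration nobody uses any more
]


def audit_vendors(vendors, inventory, unused_after_days=180):
    """Return {vendor: [findings]} for vendors that violate least-access or sit unused.

    unused_after_days is an assumed policy value, not one from the post.
    """
    findings = {}
    for v in vendors:
        notes = []
        shared_classes = set()
        for fname in v.fields_shared:
            if fname not in inventory:
                notes.append(f"uninventoried field: {fname}")  # sharing data we never classified
                continue
            shared_classes |= inventory[fname].classes
        over = shared_classes - v.permitted
        if over:
            notes.append(f"over-shared: {sorted(over)}")
        if v.last_used_days > unused_after_days:
            notes.append("unused integration")
        if notes:
            findings[v.name] = notes
    return findings


# Constructed data stores: store -> subject id -> set of field names still held.
STORES = {
    "crm": {"u1": {"email", "work_phone"}, "u2": {"email"}},
    "billing": {"u1": {"card_pan"}, "u2": set()},
    "warehouse": {"u1": {"page_views"}},  # non-personal data may be retained
}


def verify_erasure(subject, stores, inventory):
    """Return the names of stores that still hold PII/PCI/PHI for the subject."""
    remaining = []
    for store, subjects in stores.items():
        held = subjects.get(subject, set())
        if any(inventory[f].classes & PERSONAL for f in held):
            remaining.append(store)
    return sorted(remaining)


def erase_subject(subject, stores, inventory):
    """Purge personal fields for the subject from every store (in place).

    Returns {store: [removed fields]} so the action can be recorded for audit.
    """
    removed = {}
    for store, subjects in stores.items():
        held = subjects.get(subject)
        if not held:
            continue
        purge = {f for f in held if inventory[f].classes & PERSONAL}
        if purge:
            held -= purge
            removed[store] = sorted(purge)
    return removed


if __name__ == "__main__":
    print("vendor findings:", audit_vendors(VENDORS, INVENTORY))
    print("stores still holding u1 personal data:", verify_erasure("u1", STORES, INVENTORY))
    print("erased:", erase_subject("u1", STORES, INVENTORY))
    print("after erasure:", verify_erasure("u1", STORES, INVENTORY))
```

The vendor audit only works because the inventory records a sensitivity class per field; that is why the post's "agree on data sensitivity (taxonomy)" item comes before "configure vendors for ‘least-access’". The erasure check deliberately reports per store rather than a single yes/no, since a deletion directive is only satisfied when every custodian of the subject's personal data has purged it.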

Data Governance Providers

Lots of companies are more than happy to provide templates that ensure DG compliance (primarily GDPR compliance; given the need to manage GDPR, most supporting vendors are grabbing the low-hanging fruit).

Further analysis is required if we choose to use a vendor to speed our way to Data Governance.

Conclusion

The path to Data Governance is not an ‘if’ decision for companies; DG must be addressed as a ‘when’ and ‘how’ initiative, with executive support for the efforts needed to satisfy clients and regulatory agencies. Note that the number of RFPs that include DG questions is rapidly increasing, as is the number of DG regulations out there, most immediately the GDPR in the EU.
