Data Governance Series 01 — Structuring a Data Governance Program
Business leaders around the world recognize the value of becoming a data-driven organization. They are reinventing their data strategy and investing in data science and artificial intelligence technologies, while keeping the data secure and compliant with regulations. One of the core components of that strategy is Data Governance.
This post discusses how a data governance program can be structured. Please note that the priorities and the path will depend on organizational priorities, return on investment and risk appetite. Additionally, my recommendation is to design the program to partner with the Corporate Information Security Office and the Data Privacy Office, to ensure compliance with data security and privacy regulations.
The starting point is to align on and establish the strategic objectives of the Data Governance program: mitigating information risk and enabling data value for data-driven decisioning. This should be followed by a well-defined stewardship and operating model and its socialization across the organization.
On scope, my recommendation is to invest in the enterprise data that matters the most and, in the process, make it lean, in line with the principle of data minimization, to bring operational efficiency.
There should also be clearly defined metrics, consistent across the enterprise, to measure compliance, a common understanding of risk appetite, and a strong risk assessment and management process.
Success of the program is measured by how secure and compliant the data is, the turnaround time in case of an event, the maturity of data literacy, and the trust in and reliability of the data, leading to a data-driven organizational culture.
Data Governance program components and their high level activities
Policies and Stewardship
- Define policies, standards and processes.
- Identify Enterprise Partners.
- Define Operating Model and Data Ownership.
- Define decisioning authority and accountability, and detailed roles and responsibilities (R&R).
- Create DG awareness and readiness at leadership and operational levels.
Applications and Asset Inventory
- Inventory data assets and link them with IT assets along with tagging data/application/business ownership.
- Categorize and classify the data assets to drive prioritization and implementation of controls.
- Collect compliance metadata to identify policy gaps.
Data Discovery and Classification
- Discover and classify structured and unstructured data to gain insight into how sensitive data is spread across the enterprise. This guides the implementation of policies and standards around Acceptable Use, Data Access, Data Sharing, Information Handling and Protection, etc.
Data Security and Protection
- Integrate a risk assessment framework covering security, privacy and business continuity to identify gaps for remediation; implement security controls such as data encryption at rest, in motion and in use, masking, etc.; implement data minimization to align with privacy regulations, which may result in reclassification of data assets; and implement access controls and access management. Depending on how the organization is structured, the Data Governance Office may play only a governance role here rather than implementing the controls itself.
Data Retention and Removal
- Govern information lifecycle management in alignment with the data retention policy and schedule for the applicable record classes.
Data Quality and Lineage
- Build data taxonomy
- Identify critical data elements
- Define business and technical lineage
- Implement data quality solution framework, improve data quality
Data Governance Audit and Compliance
To operationalize data governance along with remediation, the focus also needs to be on:
- Implementing DG compliance by design as part of the SDLC (DGC-SDLC, a DG-Compliant SDLC). It can be enforced through gating processes and periodic audits, and by liaising with the internal audit team, the information security group and the privacy compliance teams.
- Procurement processes need to include an assessment of the ability of solutions/products to comply with data governance policies and standards.
- Build a compliance monitoring platform to report and provide insights at the application, function and enterprise levels.