Data governance isn't about making the right decisions. It's about making decisions the right way.
As a practice, data governance has grown over the years from relatively simple policies for data security and privacy to a broad enterprise-wide initiative covering not only access to data, but also the application of data in business intelligence, analytics and machine learning plus the purpose of data for marketing, sales, research and so on.
While a better process typically leads to better outcomes, there's a risk if the systems of oversight for a data governance policy get tangled up with financial or productivity goals. Shortcuts are tempting, but they can compromise regulatory compliance, business reputation and operational effectiveness.
Why effective data governance is important
The rise in governance awareness has coincided with the rapid growth in data privacy and protection legislation and regulations that primarily are being driven by public concerns over the misuse of personal and private information.
Good data governance is a useful policy in and of itself. Yet any governance program needs broad organizational support to be effective. If, for example, a data governance program is motivated to be on the right side of regulations, then compliance will likely be a company's first concern. Compliance should then address key issues, including what it will take to meet a regulation's requirements and whether the source of the regulation is a government, a professional body or an internal code of practice.
An ineffective data governance policy can lead to broken processes. But even a well-governed organization may not be fully compliant if it overlooks or misunderstands part of the regulation or doesn't keep up with rules changes.
Just as governance and compliance are related but separate processes, so too are privacy and security. For example, a home without the window blinds drawn may lack privacy but might be relatively secure if the doors are locked. On the other hand, a home with the blinds drawn and doors unlocked may feel more private but less secure.
Therefore, even though data security policies within a governance program can make data privacy efforts easier, data privacy policies must include provisions for security protection.
Data governance best practices to help you succeed
It's important not to overcomplicate data governance. At the same time, data governance can't stand alone as a strategy within the enterprise. To develop and maintain a successful governance program and cope with the corporate anxiety associated with compliance, security and privacy issues, the following seven best practices will help organizations play defense and still use data to achieve their financial and productivity goals without resorting to shortcuts.
1. Measure the success of your governance program
Data governance is about the process of making decisions, not the outcome of those decisions. It's also true that common business measures of success are not directly applicable. Metrics that can help track the success of a governance program and demonstrate that the organization is better informed, resilient and accountable include the following:
- the number of people who are covered by the program -- those assigned specific tasks, trained in processes or made aware of policies;
- the number of data sources that have a related governance policy defined and applied to make operational, tactical or strategic decisions; and
- noted improvements in the quality and reuse of data.
2. Create a virtual compliance team with data practitioners
Many of us work in highly regulated sectors, including public service, healthcare and finance. Even though compliance can't be guaranteed, it's important to achieve consistency and confidence. A virtual team can stay on top of compliance issues with a specific eye on data policy.
The team should be composed of data practitioners such as database architects, software developers and business analysts who work directly with the governance program's data sources but don't report to a more formal compliance department. The team should continuously reevaluate legislation that relates to the governance program, identify where to improve or add new coverage to the program's policies and monitor the program for incidents, issues and progress.
Good governance policies clear the pathway to compliance without creating obstacles to business operations. Taking compliance seriously as part of a governance program helps take some of the burden and anxiety off other employees. A hospital's database administrator, for example, would otherwise carry the heavy responsibility of both keeping the company's systems running and staying abreast of new healthcare data-handling legislation.
3. Secure your data close to the source
Security today is a specialized field. Threats are growing in sophistication. Protecting enterprise systems from external harm is a full-time job. Staying on top of access rules and permissions in a large, constantly changing business presents a real challenge.
Collaboration is essential between the security and data governance teams. The governance team should ensure that policies about data access are applied as close to the source data as possible. Customer data, for example, can be created and maintained in a transactional system's database but analyzed and reported on from a data warehouse. The data is regularly extracted from the transactional system and loaded into the warehouse. If security and privacy rules are applied on the source system, unnecessary data is eliminated from the data warehouse and governance of the data in it is greatly simplified.
Don't rely on client tools like business intelligence or data visualization platforms to apply security rules. By the time a BI user sees the data, it could have already passed through easily accessible, unsecured channels. Security for BI is a useful feature but should not be regarded as mission-critical.
4. Don't take data privacy protections on trust
Consumers worldwide are increasingly concerned about data privacy and, for good reason, they don't believe enterprises have their best interests at heart. A data governance program can improve customer confidence in the company's way of doing business.
- Put policies in place at every level of the enterprise that enforce preferences as rules. Some rules can be applied in code or technical procedures. For example, avoid extracting demographic data from a customer record and storing it in a data warehouse without the customer's permission. Other rules may be more like policies, such as "Don't use these customer records for product research."
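The customer-data case from practices 3 and 4, sketched as an added example that is not part of the original article: the consent rule lives in a view on the source system, and the extract job reads only that view, so demographics without permission never reach the warehouse. Table, column and view names are hypothetical, the rows are constructed, and SQLite stands in for the transactional database.

```python
import sqlite3

SOURCE_SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT,
                       birth_year INTEGER, gender TEXT, postcode TEXT);
CREATE TABLE consent (customer_id INTEGER, purpose TEXT, granted INTEGER,
                      PRIMARY KEY (customer_id, purpose));
-- Constructed sample rows: 1 consented, 2 withdrew, 3 was never asked.
INSERT INTO customer VALUES (1, 'Ana', 1984, 'F', '90210'),
                            (2, 'Ben', 1990, 'M', '10001'),
                            (3, 'Cho', 1975, 'F', '60614');
INSERT INTO consent VALUES (1, 'analytics', 1), (2, 'analytics', 0);
-- Governed export view: the only object the ETL job should be granted.
-- Demographic columns stay NULL unless consent is explicitly granted.
CREATE VIEW customer_export AS
SELECT c.id,
       CASE WHEN k.granted = 1 THEN c.birth_year END AS birth_year,
       CASE WHEN k.granted = 1 THEN c.gender END     AS gender,
       CASE WHEN k.granted = 1 THEN c.postcode END   AS postcode
FROM customer c
LEFT JOIN consent k ON k.customer_id = c.id AND k.purpose = 'analytics';
"""

def build_source():
    """Stand-in for the transactional system, with the rule applied at the source."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SOURCE_SCHEMA)
    return conn

def load_warehouse(source):
    """ETL step: read only the governed view, never the base customer table."""
    warehouse = sqlite3.connect(":memory:")
    warehouse.execute("CREATE TABLE dim_customer (id INTEGER PRIMARY KEY, "
                      "birth_year INTEGER, gender TEXT, postcode TEXT)")
    rows = source.execute("SELECT id, birth_year, gender, postcode "
                          "FROM customer_export ORDER BY id").fetchall()
    warehouse.executemany("INSERT INTO dim_customer VALUES (?, ?, ?, ?)", rows)
    warehouse.commit()
    return warehouse

def warehouse_rows(warehouse):
    """Return what actually landed in the warehouse dimension table."""
    return warehouse.execute("SELECT * FROM dim_customer ORDER BY id").fetchall()

if __name__ == "__main__":
    for row in warehouse_rows(load_warehouse(build_source())):
        print(row)
```

On a database with per-account grants, the extract account would be given SELECT on the view only, so the rule cannot be bypassed by querying the base table.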
5. Look for the secondary benefits of good data governance
A well-governed system improves access to data and encourages efficient reuse of analytics and reports that have already been created. Policies define in advance what data is relevant and permissible to a role and can be provisioned with confidence. Poorly governed systems tend to create a stream of ad hoc requests for data access that are disruptive for IT and prone to error, including the compliance risk of over-provisioning permissions just to get the job done.
Although better decisions aren't the direct goal of data governance, a decision grounded in well-governed data is likely to be more collaborative, better understood and more widely supported. Confidence in the process breeds confidence in the decision, especially if the policies have been crafted as a partnership among teams rather than assembled along departmental lines.
A well-governed organization also improves collaboration among groups. Many CIOs complain about data silos in their company or data hoarding by departments and individuals. These problems are often caused by data owners being unsure if users outside their span of control will handle data responsibly. With the right governance policies in place, data owners should feel more comfortable sharing data.
6. Commit to openness, awareness, communication and training
Several of these practices build on a shared understanding of the data governance process across the organization. Data governance can't be effective if data users don't know about the program.
- Be open about the program, its goals and its measures of success. Publish the governance strategy, describe the processes and share the metrics.
- Awareness of the program should be part of all employee onboarding policies. If compliance training exists for subjects like harassment issues, work with those teams and HR to get data governance onto a similar track.
- In all technical training related to data, such as the deployment of BI tools, include relevant elements of the governance strategy and how it pertains to the tools and platforms under review.
- Training also needs to cover the importance of data quality, the policies associated with it and how to discover and reuse sanctioned data sources. Data analysts and report authors in particular shouldn't feel like they're being asked to trade agility for policy. Instead, they should see governed data as a resource that opens up possibilities for working confidently within the guidelines.
- A "governance assured" stamp of approval can be added to dashboards, reports and other artifacts to show that the data has been governed properly.
7. Review your data governance policy regularly
An effective data governance program requires a continuous effort. New roles will emerge. Regulations will change. Determine what's needed to keep pace and adopt the necessary technologies and platforms.
Repeatedly evaluate governance policies. An annual assessment makes sense at a minimum because a lot can change in one year. Other reviews will be ad hoc, for example, when a merger or acquisition brings new data, new people and new tools on board. Some sectors, such as financial services, may see frequent changes not only to data legislation, but also to rules concerning money laundering, sanctions, liquidity, credit and so on.
A well-conceived and consistent review process can be an eye-opening exercise.
Governing your governance program
Important questions need to be raised, especially in large enterprises: Where does governance fit into the overall hierarchy? Does the governance team report to the CTO or CIO or perhaps to a CSO or chief compliance officer (CCO)?
There can be many different configurations in a reporting hierarchy. Some haven't worked because the individuals didn't fit very well into their roles. Others worked because everyone was committed to the program's success. Since security and compliance are related to governance, a CSO or CCO may well end up managing a governance team. If not, then a data governance program should be managed by a CIO or CTO. Data governance is not a technology problem requiring a technical solution. Rather, it's more about people, processes and technologies working together, perhaps making the CIO the best fit.
Data governance isn't an easy process, especially when you first get started. But business units, IT, customers and business partners will all benefit from a well-governed data infrastructure that adheres to these seven best practices.