Data governance regulations that executives should know

Growing national and international regulatory compliance demands aim to protect consumer data. Organizations must adhere to regulations or face noncompliance risks.

As regulatory landscapes evolve in an increasingly data-driven world, organizations face increasing pressure to ensure compliance.

Data-specific requirements govern how organizations collect, store, process and share data. Achieving compliance is an essential, ongoing activity that leadership must guide. To do so, executives must understand the various global regulatory requirements and the implications and risks of non-compliance. Successful compliance shows that the enterprise and its personnel fully embrace data governance across all data-related activities.

Important data governance regulations

Data governance is an umbrella term encompassing several important activities, including data lifecycle, stewardship, security, privacy, destruction, quality, retention, access, classification and management. Identifying the specific enterprise data governance requirements under each regulation is essential for leadership, especially as their business expands internationally.

The following are data governance regulations that affect governance planning, strategies and procedures. Most of these laws apply to any organization doing business in the jurisdiction, regardless of where it is headquartered.

  • EU GDPR – A pivotal piece of data protection legislation, GDPR protects EU residents' personal data. It specifies data management strategies that organizations must follow, including conducting a data protection impact assessment to identify and address any risks. Failure to comply may result in significant financial penalties -- up to €20 million ($23 million) or 4% of the firm's worldwide annual revenue.
  • CCPA – Consumers have the right to know how organizations collect and process their data. CCPA gives California residents the right to delete or limit the personal information organizations collect, to opt out of the sale of their data and to correct inaccurate information. Fines range from $2,663 per unintentional violation to $7,988 per intentional violation.
  • UK GDPR and Data Protection Act – Enacted in 2018, this legislation transposes the GDPR into UK law. It requires strong data security, collection and processing practices. Penalties can range from £8.7 million ($11.5 million) to £17.5 million ($23.1 million), or 2% to 4% of the company's worldwide annual revenue -- whichever is higher.
  • HIPAA – The HIPAA Security and Privacy Rules apply specifically to the US healthcare system and govern data access, security, use and the disclosure of protected health information. HIPAA requires risk assessments and employee training. Violations are either civil or criminal, and penalties vary based on severity. Unknowing civil offenders face fines as low as $100 per violation, while willful offenders face fines up to $50,000 per violation. Criminal incidents can result in a fine of up to $250,000 and 10 years in prison.
  • EU Data Governance Act – Launched in 2023, this legislation requires secure data sharing across the EU. It advocates data altruism, which examines how data can be used in the public interest. The act doesn't specify a blanket fine but offers criteria for determining penalties.
  • Sarbanes-Oxley Act (SOX) – SOX legislation addresses issues in financial management and reporting as applicable to all publicly traded companies in the US. It has strict controls on the accuracy, integrity, validation and verification of financial data. It also mandates effectiveness assessments for internal controls and data governance practices. Violators face 10 to 20 years in prison and hefty fines.
  • UK Network and Information Systems regulations – These regulations focus on cybersecurity and incident reporting for network and information services providers. Cybersecurity requirements include regular security assessments and continuous improvements. Penalties cost up to £17 million ($22.4 million).
  • Gramm-Leach-Bliley Act (GLBA) – This US legislation mandates financial organizations establish information disclosure policies, implement security programs and perform regular risk assessments. Noncompliance can result in a $100,000 fine per violation.
  • Personal Information Protection Law (PIPL) – China's data protection law is among the toughest globally, applying to all enterprises handling personal data within China's borders. It has strict consent and trans-border data flow requirements. Penalties for noncompliance include fines of up to ¥50 million RMB ($7 million) or 5% of annual revenue, or the shutdown of the enterprise.
  • Digital Personal Data Protection Act (DPDPA) – India's 2023 act requires data fiduciaries to provide customers notices of their rights and inform them of the type of data they're collecting and why, with specific restrictions on cross-border data flows. The DPDPA mandates consent for any processing, with additional requirements regarding children's data. Penalties include up to ₹250 crore ($26.9 million).
  • Personal Data Protection Act – Developed in Singapore, this legislation is widely recognized throughout the Asia-Pacific region. It is consent-driven, mandates breach alerts and has retention limitations. If a company exceeds S$10 million ($7.7 million) in annual turnover in Singapore, it faces financial penalties up to 10% of that annual turnover. Otherwise, fines cannot exceed S$1 million ($778,000).
  • Personal Data Protection Law – The UAE law regulates personal data processing, requiring consent and security, as well as strict rules for trans-border data flows. It gives individuals the right to correct inaccuracies and stop processing upon request. Noncompliance results in fines up to AED 5 million ($1.36 million).
  • Law 09-08 on Personal Data Protection – Morocco's legislation is one of Africa's most comprehensive data protection statutes. It requires organizations to register with the national government. Penalties for noncompliance include fines up to MAD 600,000 ($64,343) and/or imprisonment from three months to four years.

Non-compliance risks for executives

While data governance is very much a technology-centered activity, it is also an executive accountability issue. If data governance initiatives result in regulatory violations, improper AI use or data-related incidents, the highest levels of enterprise leadership -- including the C-suite and the board -- are liable. Penalties include fines, litigation, reputational damage and competitive risks.

Compliance resources

Many organizations have created data governance frameworks that help enterprises establish data governance capabilities, including the following:

  • Data Management Body of Knowledge (DAMA-DMBOK) – Considered the industry standard for data governance, DAMA-DMBOK addresses data quality, stewardship and metadata, among other issues.
  • Control Objectives for Information and Related Technologies (COBIT) – Developed by ISACA, COBIT offers strong controls and audit guidelines that align IT governance with business risk management and strategy.
  • NIST Cybersecurity & Privacy Frameworks – NIST has two data governance frameworks: the Cybersecurity Framework for reducing cybersecurity risks and the Privacy Framework to identify and manage privacy risks.
  • ISO/IEC 38500 – Most recently updated in 2024, this standard is a key international standard for IT governance. It addresses legal, regulatory and ethical data use and provides vocabulary for IT governance.
  • Data Management Capability Assessment Model (DCAM) – Developed by the EDM Council, this framework defines a maturity model addressing data governance, quality and architecture.

A variety of tools and resources can help demonstrate compliance, including master data management tools, data discovery and classification tools, data catalogs and IAM systems. Senior management support and budget funding are essential for establishing a mature data governance program.

Consider investing in AI tools, which can greatly improve performance, provide better data analytics, automate repetitive processes and identify potential compliance issues. Existing tools and resources might have upgraded versions with AI capabilities.

How to achieve compliance

The following are best practices for executives to achieve optimal data governance compliance outcomes.

Be accountable for and own data governance

Just as organizations should have data owners and stewards for different domains, they should also make an executive responsible for data governance and compliance activities. Responsibilities include defining and measuring KPIs, conducting periodic board-level governance briefings and establishing partnerships with other departments, such as legal, HR, risk management and operations.

Ensure that data governance is risk-based

Establish data governance as a primary risk area. Add governance to a corporate risk register and examine risk from financial and regulatory perspectives. Map governance controls to appropriate regulations and frameworks. Building scenarios to address specific risk events, such as trans-border data violations, will help if they ever occur.

Require auditable evidence on compliance activities

Demonstrating data governance compliance at any time is essential in case of unannounced audits. Evidence of compliance includes project reports, compliance testing results, access management issues, data quality measurements and retention/deletion rules. Schedule quarterly audits for relevant controls and create evidence trails for regulator inquiries.

Optimize data quality at the C-Level

Data quality and lineage must be primary goals. Establish strong controls addressing data quality, lineage and accuracy. Enforce data quality standards, launch quality checks and link metrics to business requirements. Establish beginning-to-end data lineage and ensure access to it.

Enforce data access controls

Senior leaders must ensure data access controls are consistently monitored, enforced and applied. Implement least privilege, role-based access controls, multi-factor authentication, segregation of duties and uninterrupted monitoring. Provide support for potential audits.

Build a culture of compliance

This starts with the C-suite and board. Mandate training for all employees on data-related activities and endorse data literacy throughout the enterprise. Regularly reiterate the importance of data governance at major company meetings. Support whistleblowing of any violations and note governance issues in performance reviews.

Linking all governance activities into a cohesive process also helps with compliance. Data silos can spell disaster. Greater information sharing, along with the integration of security and privacy capabilities across systems, helps avoid this.

Acquire technology that facilitates the compliance process

The right technology ensures that governance activities are scalable, adaptable and automated. Automate data governance activities by integrating AI tools with risk, privacy and security systems, but be sure to provide AI governance oversight. Used correctly, AI can support the following data processes:

  • Reduce the likelihood of human error.
  • Improve performance.
  • Automate repetitive tasks such as data collection and classification.
  • Identify potential compliance issues.
  • Deliver reports for auditors.
  • Ensure cross-border flow adheres to regulations.

Ensure that knowledge of regulatory activities is current

Adapting to regulatory changes and maintaining compliance are essential for enterprises. Executives should consistently monitor the global regulatory landscape. Review and assess regulatory changes, keep policies current and train governance teams to do the same.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
