What Is Data Governance and GDPR?

Data governance is an essential tactic in the modern enterprise because of digital transformation and the increasingly critical value of resulting business data. If a business’s data is poor in quality, inconsistent, unavailable or compromised in some way, the business loses its ability to make accurate business decisions with confidence. Without insights generated from data analytics, the decisions that various business units make may in fact be severely misguided or completely detrimental to the organization, potentially resulting in negative business outcomes.

As an example — consider a business in the financial industry — in which data is the absolute lifeblood of the organization. As investments and money flow into and out of accounts, the business must track the resulting data with extreme precision and create a data catalog to know the location and value of its assets. If market conditions change and the company believes its investments are worth more or less than they actually are, it’s likely that management could make the wrong decision about whether to hold or sell those assets. Poor data governance could also cause a firm to issue inaccurate financial reports, make poor business decisions and even cause it to run afoul of government regulations.

The role of data governance is ultimately to make certain that data is consistent, accurate and up to date (e.g., that the price of a product is the same at Store #1 as it is at Store #2, that a customer’s address is the same in Database #1 and Database #2, etc.) and that this information is always current. As an enterprise grows (especially through acquisitions of other companies operating on different platforms), this endeavor becomes increasingly complex but also increasingly vital. In addition, emerging data privacy and regulatory compliance legislation, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), is making effective data governance an essential business process, not only for workflows but also for compliance.

While data governance is built around policies and processes involving big data and metadata, data management and metadata management take those policies and processes and put them into effect. The two disciplines are naturally closely tied together, but while data governance is one of many inputs into data management, it’s not the only one.

More specifically, data management comprises a large number of processes and tools, including:

• Determining how and where to store data, including how to back it up or mirror it. This includes enforcing usability standards and policies about the length of time to retain data before permanently archiving it.
• Enforcing data security and privacy protocols such as encryption, anonymization and other systems designed to protect data from being compromised — especially sensitive customer information. Following the many restrictions outlined by GDPR, CCPA and other emerging regulations is a major part of today’s data management activities.
• Cleansing and enforcing data quality policies so information is accurate, up to date and free of redundancies. Data governance may set policies establishing data owners and data quality, including data lineage and quantitative metrics; it’s the function of good data management to always meet these metrics.
• The ability to master data management from one system to another, which is especially imperative in enterprises that have accumulated a variety of incompatible data storage systems via acquisition. This involves managing data pipelines that transfer and convert data from one system to another, preserving the integrity of the data along the way.

By contrast, data governance seeks to answer questions around the broader policies that define the rules by which data management should operate. Data governance also outlines the guidelines for data transfer to another server or a backup device, while data management enforces them.

A data governance framework is a set of specific policies and guidance by which your data governance strategy should operate. This framework ensures that policies are consistent and appropriate given your organization’s needs, and it allows the business to establish roles and responsibilities around how to treat data.

A data governance framework includes information about the policies and standards on the following issues:

• The overall objectives of data governance in the organization, including any special concerns around security and privacy
• How the enterprise creates data, including approved methods and technologies
• Authorized technologies for managing data and acceptable data structures for it
• Acceptable methodologies for managing, transferring and removing data from the enterprise
• Metrics for monitoring how successful all of the above activities progress over time

The overarching goal of a data governance framework is to give an organization’s data stewards business intelligence and other tools to understand the value of its data and data assets while establishing the rules to manage that data. Adhering to this framework will help your organization improve the overall quality of its data and, over time, improve your business’s ability to make strategic decisions.

Every business has different needs and goals when it comes to data governance, but here are some of the most common guidelines for developing and establishing best practices.

• Understand data governance as an iterative, long-term process: There’s no need to start building a data governance framework with a detailed plan governing data architecture. Instead, start with a subset of the business — one department’s data warehouse or even a single database — then build from there. An iterative process lets you determine what data governance tools, tactics and staff members are best equipped to help you build out your broader data governance framework over time.
• Get top-level buy-in: Build a case for why data governance is important in your organization by clearly demonstrating the benefits to the company. Early metrics around data flows can be beneficial in setting expectations and helping you to make your argument as strong as possible.
• Establish metrics: Data quality is important, but how do you measure it? What metrics are most critical? It's important to establish these metrics from the start and track them over time in order to measure consistent improvement as well as the business value of your data governance program.;
• Plan for checks and balances and complete transparency: Data governance will only succeed if there is strong accountability for the platform, making checks and balances critical between those who create and use data and those who manage data.
• Document everything: Data governance often means creating even more data, usually due to framework documentation. Carefully document your data definitions and frameworks, data domains, policies and processes, as well as who has decision rights and responsibilities for all of the above. A strong data governance program will leave no room for confusion about any facet of the project.

The European Union’s General Data Protection Regulation (GDPR), created to control how businesses use customers' and employees’ personal data, became enforceable in 2018. It also continues to cause headaches for businesses working to maintain compliance.

GDPR holds businesses accountable for their data, especially if it’s compromised in data breaches, with extremely and rigorous guidelines. Thus, organizations that do any level of business with EU citizens need to be well versed in GDPR mandates — which include developing a strong data governance program to affirm compliance. As part of their data governance program, organizations will need to understand various types of information they collect about customers, including where they store that information, who the data owners are and appropriate levels of data access, how data is secured and what processes are in place to delete it when necessary.

The GDPR’s “right to be forgotten” rules also require an organization to delete any personal information about end users when they request it. Without a strong data governance program in place, complying with this type of legislation can be extremely challenging.

Recent events such as the COVID-19 pandemic and the passage of GDPR and other data privacy legislation have hastened the need for strong data governance. The following are some of the broader data governance trends that are emerging.

• Unstructured data is on the rise: The explosion of unstructured data — information held in random documents, images and videos across the enterprise — is one of the biggest challenges facing businesses today. And content sprawl is expected to get worse, increasing risk and expenses.
• Remote work is creating islands of sensitive data: Legions of employees suddenly working from home are creating more security issues, largely attributed to employees using personal devices on home networks.
• Artificial intelligence (AI) is coming to data management: Emerging AI and machine learning tools can be used to identify documents that contain sensitive data — often where it is not supposed to be. These tools can then use automation technologies to redact or encrypt the information in those documents, helping to secure enterprise data without manual oversight, often in real time.
• Data quality is increasingly considered at the source: Why clean up data after you receive it when instead you can be sure that it’s high in quality from the start? Numerous recent strategies aim to let businesses work more closely with their partners to keep customer data accurate and synchronized across various channels.

Cloud computing impacts data governance in much the same way that it impacts the entire IT environment. It also impacts data governance in the following ways:

• The cloud creates the potential for data duplication and inconsistencies. Risks increase when data is stored both in on-premises systems as well as in the cloud, which compounds with multiple cloud systems.
• The cloud changes the way the enterprise must think about security and data policies. While today’s cloud services are largely considered as safe or safer than on-premises storage systems, organizations should conduct a comprehensive risk analysis of all potential providers before entrusting them with enterprise data.
• The cloud complicates regional data requirements. Certain legislation like GDPR sets security and other policies around where data can be stored. When data moves to the cloud, governing the location of your data naturally becomes more complex.

Of course, it’s important to note that the cloud offers many benefits to enterprise data, including better data access, often much better performance and the ability to leverage cloud-based tools like RPA and AI services to process that data. Once an organization overcomes the challenges of migrating to a cloud environment, it can more easily realize these benefits.

When many organizations set out to create a data governance program, they’re surprised to find that they already have a semblance of one. If you have data policies about records retention, a mandate to encrypt customer data, or restrictions against keeping corporate information on home computers and mobile devices, you’re already on your way to building a data governance framework.

When you’re ready to launch a formal data governance program, the first step is to consider where your preliminary data governance policies have fallen short and to begin working to remedy them. Your data governance team should choose projects that have the highest value — a sensitive customer database that needs securing, for example — as well as ones can be completed fairly quickly. With a few small projects under your belt, you can move on to broader concerns in the organization.

Each data governance project, small or large, will need to be built around protecting the accuracy, integrity and security of the data. Consider the appropriate platforms for each data source and set rules around how to access them and why.

Each governance project will also need to account for the risk of data loss or breach, which often means inviting various stakeholders into the governance discussion. For example, IT should not be setting governance rules around a finance database without closely involving that department.

Finally, remember that data governance is not a one-and-done activity, and any data governance program will require long-term attention as it is tested and refined.

The risks of poor data governance are abundant, ranging from embarrassing missteps with customers to financial losses due to breaches to regulatory violations that carry legal penalties. Data governance may sound like a daunting topic, but it needn’t be. Even if you’re starting from scratch, following a few simple steps will make it relatively easy to put a framework in place that provides improved security, easier compliance and overall better quality of your data.

Your organization’s data is one of its most critical assets. Data governance is the key to giving your enterprise the tools it needs to treat it as such.