The Convergence of Data Governance and Data Protection
Dale Waterman
Strategic Market Solutions | Governance, Risk, Compliance, Responsible AI, Data Ethics, ESG, Data Protection, Digital Transformation
Digital transformation, and with it the focus on big data analytics, technologies like IoT and cloud computing, and the adoption of artificial intelligence (AI), is making every business a data business. Data governance was arguably born out of the collapse of public companies like Enron in the US in the early 2000s. Although the response was more commonly framed as corporate governance, data governance as a concept became central to a management team’s ability to satisfy the requirements of the Sarbanes-Oxley Act[1] (SOX) that followed. Global equivalents followed: E-SOX, the European Union’s 8th Company Law Directive, in response to cases like Parmalat, and later J-SOX, after the conduct of Japanese companies like Kokudo.
Data governance has however evolved very quickly. Today all businesses need accurate and complete information to help their governing bodies with strategic decision-making. Compliance with standards like SOX may have driven initial behavior, but more recently, a succession of high-profile public data breaches and the subsequent series of updated privacy regulations, like the European Union’s GDPR and the California Consumer Privacy Act (CCPA), are compelling boardrooms to take more accountability for compliance with data protection regulations, and I would argue, data governance.
Historically, data protection was very much about safeguarding who had access to corporate data and making sure it was protected against access by unauthorized bad actors. Data governance, on the other hand, was more about managing data and improving the quality of that data, and was considered a separate exercise. The lines between these two fields are, however, converging. A relevant example is how privacy or data protection regulations hold organizations responsible for data accuracy and data location. If an organization has a mature data governance program in place, which would include policies and processes, roles and responsibilities, and appropriate monitoring practices, it would be very well positioned to comply with these new data protection regulations. In this sense, a data governance program complements any effort to enhance data protection, helping to improve your organization’s privacy and cybersecurity postures, while mitigating some of the high-profile risks that tend to keep governing bodies awake at night.
The Data Governance Institute[2] (DGI) defines data governance as “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” A slightly more palatable definition[3] describes data governance as “the overall management of the availability, usability, integrity, and security of the data employed in an enterprise.”
Data Governance and IT Governance
An obvious question is what the difference is between data governance and IT governance. The DGI uses a very useful plumbing analogy. IT relates to the pipes and pumps and storage tanks. The water flowing through those pipes – that is the data. To expand on the analogy: if you had a problem with your water quality, you would not call a plumber. Organizations are therefore increasingly in need of a data governance specialist as a subject matter expert in a digital transformation era in which the confidentiality, integrity and availability of data are now more important than ever. These terms - confidentiality, integrity and availability of data - are the classic objectives of information security and are typically used to describe the objectives of data protection as well, confirming the growing overlap.
The DGI recommends[4] the following life cycle steps for any successful data governance program:
The first 3 steps are crucial as you seek to achieve internal support and traction with your leadership teams and other key stakeholders. The value you hope to deliver, the roadmap you prepare for stakeholders, and then knowing what those stakeholders will want to know and need to understand before they decide to support the initiative are critical to your success. Aligning with your company culture and company context is important to ensure your proposal resonates with your stakeholders. Your data governance program will be influenced strongly by your unique data governance focus areas. These could be strategy, policy, compliance, security, privacy, data quality, or a combination of them. Only then should you start to build committees and begin to design a program. Soft skills and good communication are really important from the outset.
The Governing Body’s Use of Standards:
The international standard for corporate governance of information technology (IT) is ISO/IEC 38500[5]. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and offers a framework for the governance of IT. Guidance on the actual implementation of effective governance of IT is offered in ISO/IEC/TS 38501[6]. But this is IT governance, i.e. the pipes and pumps. If you are looking for guidance on data governance itself - the water - then ISO/IEC 38505-1 offers direction to governing bodies on the use and protection of data. This standard proposes a set of principles and practices which, if correctly implemented, can offer internal stakeholders and external stakeholders, like auditors, assurance about the organization's governance of data. It caters specifically for governing bodies and presents a principles-based approach to data governance with the intention of helping a governing body to a) increase the value created by this new flood of data while b) also mitigating some of the risks created by the increased collection, storage and usage of this data. ISO/IEC TR 38505-2[7], as Part 2, then provides guidance to the governing body (and executives) on the implications of ISO/IEC 38505-1 for data management, helping them to identify the information needed to create appropriate strategies and policies for a data-driven business and to monitor the performance of data and its uses.
Conclusion:
Data protection is currently top of mind for governing bodies, executives and legal and compliance communities. GDPR is just one reason. Data governance strongly supports data protection. It also offers several other benefits, like efficiencies, cost reductions, accurate financial reporting, compliance, risk management and the protection of the company’s reputation. Governing bodies and executive stakeholders now need to move beyond treating data protection and data governance as compliance “tick-box” activities. That might have been the case in the early 2000s, but with digital transformation and technologies like AI promising amazing differentiation and value-creation opportunities for organizations, data needs to be viewed and treated as a strategic asset, and data protection and data governance as strategic initiatives requiring strong leadership support. Customers and consumers have also changed how they think about privacy. Effective data protection and data governance programs offer a real opportunity to build or deepen customer trust, a key element and competitive advantage for continued organizational success.
Written by Dale Waterman
[1] https://legcounsel.house.gov/Comps/Sarbanes-oxley%20Act%20Of%202002.pdf
[2] https://www.datagovernance.com/
[3] https://searchdatamanagement.techtarget.com/definition/data-governance
[4] https://www.datagovernance.com/wp-content/uploads/2014/11/dgi_framework.pdf
[5] https://www.iso.org/standard/62816.html
[6] https://www.iso.org/standard/56639.html
[7] https://www.iso.org/standard/70911.html
Deloitte Global Confidentiality and Privacy Office|| Data Risk Management Advisory|| Data Protection Lawyer|| Master of Laws- EU and UK Data Protection Law
4 years ago
Insightful article! Dale Waterman. Gone are the days of seeing #dataprotection as a “nice to have”. #dataprotection should be treated as a strategic initiative for organizational growth and competitiveness.