Since July 2018, over €274M in fines have been imposed under the EU General Data Protection Regulation. The lion’s share of these (more than €228M) are for “insufficient legal basis for data processing” and “insufficient technical and organizational measures to ensure information security,” which implies that the majority of offending organizations lack critical policy and infrastructure components to make them compliant.
These penalties are part of the first wave of a new regulatory reality: a response to decades of Wild West practices that led to rampant misuse of personal data and data infrastructure designed to bring data in but not monitor how it was being used.
A quarter-billion euro in fines notwithstanding, the GDPR has been relatively gentle so far, generally targeting large organizations that won’t be financially crippled by the fines (which can be up to €10M or 2% of the organization’s global annual revenue). But signs show that the GDPR is just getting started. Between July and December 2018, only nine fines were imposed. This number shot up to 144 in 2019, and a whopping 326 in 2020. The grace period is coming to an end for organizations that haven’t seen the writing on the wall: data governance is a business requirement.
What is data governance?
This raises a problem for any organization that’s not sure what data governance actually is. There’s no universally applicable definition. To some, governance implies data security and privacy. To others, governance is about data management and quality.
In reality, data governance is both. The two types of GDPR fines mentioned above illustrate the layered nature of data governance as a concept. The first is imposed on organizations that haven’t established why they’re using data, the second on organizations that haven’t established how.
At its core, however, good data governance is a system that outlines the process, people, and platform needed to manage data, operationalize data-driven outcomes, and maintain data security. Data governance, done correctly, is a way for organizations to use more data more effectively, while creating stronger safeguards around who is using the data and what they’re using it for.
The business benefits of data governance
Establishing good data governance is not just about avoiding regulatory fines. The data economy is growing, and data-driven organizations will shape the business landscape. They already are.
Apple, Google, and Amazon are data-first organizations. They operate in different domains, but at their core they have figured out how to operationalize data effectively. Increased access to public and third-party data, the rise of AI, and an increasingly distributed workforce have underlined the benefit that well-governed data can provide to organizations of all sizes, provided they can figure out how to use data properly.
The upshot is that any organization that uses data needs a data governance policy. The nature of that policy, however, is flexible. Data governance is not a rigid set of principles, but an adaptive framework that responds to the objectives of the organization implementing it. The way a public library uses data will be different from the way a Fortune 500 uses data, but there will be similarities. For any organization, figuring out a secure way to find new data, integrate it, and monitor it for changes over time is essential.
How to implement a data governance framework
The best thing an organization can do to begin implementing good data governance is to take stock of its operational objectives:
- What are your hurdles?
- Where are your data blind spots?
- What is the makeup of your data team and what do they spend the majority of their time doing?
A good data governance policy is one that takes into consideration both the prevailing regulatory requirements for data use and the specific needs of the end users in your organization. A policy designed with only security in mind will likely overlook the usability component, the end users who need access to the data. That could lead to workarounds that undermine the policy.
On the other hand, a policy that only considers operational objectives will not be compliant, and increases the risk of breaches or fines. Walking the tightrope of good data governance means balancing the goals of your organization against data privacy laws without compromising in either aspect. Exceptional data governance enhances operational outcomes while increasing compliance. Below is a broad framework to follow as you build and deploy a data governance policy:
As you begin implementing a data governance solution, there are questions to ask along the way to ensure it aligns with your overall strategy.
Some of these questions may be cultural – what kind of organization do we want to be? What approach do we want to take with regard to personally identifiable information? These are policy considerations, and are important to think through.
But frequently, organizations focus a lot of their energy on policy questions and neglect the process that will support this policy. It’s relatively easy to say your organization doesn’t handle PII – how you manage it technologically is a different question.
When it comes to creating good data governance there are actual nuts-and-bolts infrastructure questions that need to be taken into consideration. These questions may feel a bit “in the weeds” but they’re precisely the considerations that will trip up an otherwise strong data governance policy:
- How do we share data?
- Does my data environment gather data from multiple locations?
- How am I monitoring the use of data?
- How am I managing metadata?
- How am I ensuring the quality of the data?
The Data Governance Checklist
The following checklist provides an overview of data governance by breaking it into three primary components: Platform, People, and Process. The items on this list are designed to ensure that the data governance framework you put in place is robust, comprehensive, and scalable.
The business outcomes
Asking the hard questions first is a way to avoid having to rebuild and redesign the entire solution once you throw data at it.
The benefits are clear: besides becoming compliant in a world that increasingly values businesses built on ESG principles, there are real advantages to good data governance. Breaking down information silos, increasing business outcomes, accelerating AI and ML, better data quality, better data analysis – good data governance leads to better data outcomes.
Data governance is a policy decision supported by technological maturity. Understanding who in your organization is using data, why they’re using it, and their key operational objectives will help you design a data governance strategy that is built with your organization, and your people, in mind. Implementing that strategy requires an infrastructure that supports the secure dissemination of data, ensures data access is standardized, and gives data scientists and business professionals trust in the information they use to make better decisions.