Data Governance Policies Shape Organizational Behaviors

Continuing the tour of our Data Governance Framework, it’s time to discuss the corporate policies that must be documented to form the foundation of your data governance efforts. When defined, approved, evangelized and enforced appropriately, these policies have the power to accomplish a feat that grassroots data governance efforts fail at repeatedly: Evolving your corporate culture to one that actually does manage data as an asset.

When it comes to defining these policies, there are opportunities and challenges that must be understood.  Common challenges often include:

  • Analysis paralysis.  Policies, by definition, set parameters on how employees and other impacted stakeholders are expected to behave.  And people resist change – especially if they’re the ones impacted. So the political infighting often involved in defining a policy could stall efforts if not facilitated well to ensure only constructive debate – with an executive sponsor or steering committee holding the big stick to drive results.
  • Non-compliance. If you lack executive sponsorship to give policies teeth, who will bother to comply?  Don’t waste your time – or anyone else’s – defining policies that won’t be used until you have that top-down support to incent compliance.
  • Usability.  It’s one thing to have executive support to ensure compliance, it’s quite another to understand how to ensure compliance.  If the policy isn’t written in a way that can be clearly understand as requirements to be consumed by business process, application and data management stakeholders, how can they deliver the necessary process, system and rule changes necessary to comply? For example, every leader of any publicly-traded US company sponsors and demands organizational compliance with the Sarbanes-Oxley (SOX) Act.  But ten years after SOX was enacted, many organizations still struggle to understand what they need to do to comply with many poorly written and communicated sections of the regulation.

But there exists a great opportunity within many organizations – It’s likely other efforts within your firm already document business- or IT-driven policies that set parameters on how enterprise data should be managed and used, but may not currently label it a “data governance” policy. For example, IT governance, enterprise architecture (EA) standards and any number of IT-led competency centers or centers of excellence may define standards and policies on how best to capture, update and share relevant data and metadata across the organization.   And many business-driven data policies likely exist today coming from your organization’s Chief Risk and Chief Financial Officers.  These may include governance, risk and compliance policies, information security or data privacy policies, and of course any number of policies created to ensure compliance with external government and industry regulations.  So when your data governance effort is ready to scope and define what policies it must document and implement, start with the work that’s already been done and reconcile which policies should be owned by the data governance effort, which should simply be recognized and complied with, and which should be replaced.

Common policies that a data governance initiative will be responsible for documenting and maintaining include:

  • Data accountability and ownership. These policies spell out which senior business leaders, or combinations of business leaders (a la steering committee), are accountable for the quality and security of critical data.  The policy must outline what ownership actually means and define the rights and responsibilities of the owners.
  • Organizational roles and responsibilities.  These policies document and make clear the responsibilities of your business and IT data stewards, data governance driver, and other dependent stakeholders.  I outlined these specific roles and responsibilities in much more detail in my “By The People, For The People” post. 
  • Data capture & validation standards.  Question: How do you eliminate the most common data quality complaint of “Garbage in, garbage out”?  Answer: Stop the garbage in!  These policies define minimum required data capture standards, data validation rules, reference data rules, etc.  The goal is to ensure the people, processes and systems that capture, import, update, transform or purchase critical data do so in a consistent, standardized manner with a focus on quality and ensure fitness for enterprise use.
  • Data access and usage.   Data usage policies ensure appropriate use of data by appropriate stakeholders. Limiting access to sensitive or confidential information ensures compliance with edicts such as insider trading regulations and Payment Card Industry Data Security Standard (PCI-DSS).  But usage policies extend beyond regulatory compliance to also ensure optimal use of data assets. For example, contact management policies are used to coordinate, prioritize and minimize multi-channel customer communications across sales, marketing and service organizations.  This helps to reduce lower value contacts and avoid the risk of the customer feeling spammed – which may lead them to opt out of future communication.

In addition to the policies listed above, there are a number of policies laser-focused on information security and data privacy. As discussed above, it’s likely your organization has documented information security and data privacy policies based on existing corporate standards, contractual commitment to customers and partners, as well as externally regulated guidelines.  You must simply ensure that the risk, security, and compliance stakeholders that own and monitor compliance with these policies are active contributors in your data governance program.  Additional security and privacy policies include:

  • Customer communication privacy preferences.  These privacy policies ensure compliance with anti-spam legislation, “Do Not Call” registries, and customer marketing contact management best practices.  These policies are meant to be transparent, customer-facing documents that should clarify whether your organization has adopted an opt-in policy (will never send marketing communications unless customer expressly permits) or opt-out policy (will always send marketing communications unless customer expressly requests a stop).  These policies can go as granular as you feel is necessary and can request opt-in/opt-out at the marketing communication channel level (e.g., phone, mail, email, text, social) and even ask customers to set preferences by which of your products and/or services they are interested in learning more about.
  • Data masking. These data privacy policies define and classify sensitive data, identify where it resides, and clarify when it needs to be encrypted appropriately and consistently across multiple applications and database instances.   Data masking policies are critical to ensure compliance with mandated data protection rules and standards such as PCI-DSS, PHI (Personal Health Information), and PII (Personally Identifiable Information).  Organizations demand the same data security policies for archiving as they do for their testing and even production environments, so the data governance effort must include all of these instances in its scope when managing data privacy.
  • Data archiving and subsetting.  Organizations focus on these policies to dramatically reduce the inactive data in production and legacy environments to cut down on storage costs.  These policies, when effectively implemented, should also reduce data storage costs in your development and test environments.
  • Data retention. Retention policies must balance the desire to archive and purge unused data to reduce storage costs and business risk with business and legal discovery retention management requirements. These policies will clarify what data needs to be stored for how long, in what format, applying what rules, with what level of masking or encryption, and with what access guidelines.  

Am I missing any core data governance policy objectives that you’ve tackled? If so, please share!

This entry was posted in Data Governance and tagged , , , , , , , . Bookmark the permalink.

5 Responses to Data Governance Policies Shape Organizational Behaviors

  1. Kimmo Kontra says:

    Good post, Rob! Comprehensive analysis on Data Governance policies.

    I’d say one key policy level topic is “Communication”. And I am not referring to Customer Communications – that you listed – but communication policies within the organization itself about Data Governance.

    It is far too often that Data Governance initiatives do not reach their goals because Data Governance is not understood. Not having clear means of communicating about may be one of the underlying factors.

    A solidly defined (and well enforced) policy defining how&when&via what channels Data Governance responsible part of the organization keeps everyone informed and involved is a key for success.

  2. Rob Karel says:

    Hi Kimmo, fantastic addition – I couldn’t agree more. Calling out the development and documentation of the internal data governance communication strategy as a distinct effort will reinforce this often implied/overlooked critical success factor.
    Thanks for your contribution

  3. Nic Jefferis says:


    Thanks for the blog and I like the list but of course we all know the devil is in the detail / data.

    This may not be a policy as such but the scope of the data involved needs to be clear. The need to cover capture, transformation and aggregation is important across operational, DWH and BI systems. The ownership and stewardship issues of course also become more complex with the full scope.

    The policies cannot be in isolation and need to be set in the context of an organisation’s existing hierarchy of procedures and standards and governance processes for other areas.

  4. Cyp says:

    Great post Rob. Does anyone in this blog have any templates of the policies discussed above ? Can you share ?. Thanks.

  5. Here is an example of some templates and policies I have used in client engagements. This specific example aligns with a data retention program based on Information Lifecycle Management (ILM) strategies.

    SAMPLE Program Business Requirements (Requirements Phase)
    The primary requirements for an enterprise-wide ILM-focused data governance program include all the necessary processes, steps, tools, and dependencies in order for the organization to execute on an ILM strategy that is sustainable and maintainable.

    The following requirements are necessary for the organization to run a successful ILM program.

    • Introduction of a New ILM Policy
    • Introduction of a Data Governance Committee
    • Update to processes and procedures to include:
    o Records Management schedules to include auditing policies and procedures
    o Introduction of an electronic data destruction policy and procedure
    o SDLC
    o Capacity planning
    o Introduction of an approach for management and code development of ILM business logic
    o Introduction of an approach on recording changes and publishing those changes to data architects for review
    • Updates to or Creation of Tools
    o Update to IT Service Catalog and Best Practices & Guidelines
    o Improvements to current infrastructure reporting systems (enhanced to more automatically correlate server, storage, volumes to applications and databases)
    o Introduction of a new metadata repository for ILM data classification
    Requirements Details
    Introduce a New ILM Policy
    A policy addressing ILM does not exist, and there are currently no supporting polices or standards that adequately address the future needs of ILM at the organization.

    Requirement # Description of Requirement
    1 Develop an ILM Policy. The organization needs a set of documents that describe the enterprise-wide Information Lifecycle Management policy. The new ILM standards should be defined in a manner that ensures a streamlined business operating environment, promotes data quality/effectiveness and minimizes risk.

    Introduce a Data Governance Committee
    After an ILM Policy has been defined, the organization should create an oversight committee to ensure that the organization is adhering to set ILM policies.

    Requirement # Description of Requirement
    2 Establish a Data Governance Committee. This committee should be a cross-organizational team representing all stake holders in the ILM program who are responsible for auditing the organization’s effectiveness in meeting the original ILM program goals. The committee will also serve as the governing body for any data management-related policies.

    The Data Governance Committee will be responsible for:

     Reviewing existing policies related to data governance (i.e., retention, destruction, and compliance)
     Reviewing any changes or additions to these policies
     Meeting on a regular basis (annually or semi-annually) to measure the impact of the ILM program to the organization, as compared to the original goals of the program, such as the reduction of storage requirements.

    Update Processes/ Procedures to Incorporate ILM Philosophies
    The ILM program is not intended to introduce new processes; rather, its goal is to amend processes to incorporate ILM philosophies and Best Practices. The idea is to keep this program as simple as possible, and to avoid introducing unnecessary burden on the organization’s employees. The ILM program requires that updates to the following processes be made:

    • SDLC
    • Electronic data destruction
    • Auditing
    • Capacity planning
    • Change Management

    Requirement # Description of Requirement
    3 Update the SDLC process. Update the SDLC process to include ILM hooks in order for ILM to be integrated into an application during its creation, not as an afterthought
    4 Create/implement policies re: electronic data destruction. Create electronic data destruction standards, guidelines, and processes that address the destruction of eligible data stored in the organization’s database systems. This requirement is a dependency for execution at the project and system level.

    5 Update internal auditing processes. Update internal auditing processes to include data retention policy compliance. Specifically, audit policies and procedures relating to the organization’s compliance to record management schedules need to be updated.

    6 Enhance the capacity planning process. Enhance the current capacity planning processes to include automated reporting for storage allocation, storage usage at the tier, server, database, and application levels.

    Automated reporting on storage allocation, storage usage by tier, by server, by database and by application is required to determine the organization’s ILM program effectiveness.
    7 Create an approach for recording database changes. Introduce an approach for the management of changes made to databases and publishing those changes to data architects for review to insure proposed database changes do not hinder Information Lifecycle management.

    Update/Create Supporting ILM Tools
    The ILM program requires that, at a minimum, tools be developed and implemented to streamline and simplify the maintenance of ILM processes. Specifically, focus should be placed on:

     Updating the IT Service Catalog and Best Practices & Guidelines
     Improving current infrastructure reporting systems (enhanced to automatically correlate server, storage, volumes to applications and databases)
     Introducing a new metadata repository for ILM data classification.

    Requirement # Description of Requirement
    8 Update the IT Service Catalog. Update the current IT Service Catalog to include additional business related requirements, also to include best practices and guidelines
    9 Improve the infrastructure reporting systems. Make improvements to the current infrastructure reporting systems. The enhancements must correlate storage, server, database and applications (allocated versus used).
    10 Create a metadata repository for ILM data classification. Create a centrally-managed repository for storing and maintaining the metadata needed in support of the ILM program.
    11 Create standards/processes to address the Records Management schedules. Develop, document, and implement standards/processes, policies and procedures to address Records Management Schedules.

    12 Ensure that the Organization retains data for the periods of time specified in Protocols.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>