Continuing the tour of our Data Governance Framework, it’s time to discuss the corporate policies that must be documented to form the foundation of your data governance efforts. When defined, approved, evangelized and enforced appropriately, these policies have the power to accomplish a feat that grassroots data governance efforts fail at repeatedly: Evolving your corporate culture to one that actually does manage data as an asset.
When it comes to defining these policies, there are opportunities and challenges that must be understood. Common challenges often include:
- Analysis paralysis. Policies, by definition, set parameters on how employees and other impacted stakeholders are expected to behave. And people resist change – especially if they’re the ones impacted. So the political infighting often involved in defining a policy could stall efforts if not facilitated well to ensure only constructive debate – with an executive sponsor or steering committee holding the big stick to drive results.
- Non-compliance. If you lack executive sponsorship to give policies teeth, who will bother to comply? Don’t waste your time – or anyone else’s – defining policies that won’t be used until you have that top-down support to incent compliance.
- Usability. It’s one thing to have executive support to ensure compliance, it’s quite another to understand how to ensure compliance. If the policy isn’t written in a way that can be clearly understood as requirements to be consumed by business process, application and data management stakeholders, how can they deliver the process, system and rule changes necessary to comply? For example, every leader of any publicly-traded US company sponsors and demands organizational compliance with the Sarbanes-Oxley (SOX) Act. But ten years after SOX was enacted, many organizations still struggle to understand what they need to do to comply with many poorly written and communicated sections of the regulation.
But there exists a great opportunity within many organizations – it’s likely other efforts within your firm already document business- or IT-driven policies that set parameters on how enterprise data should be managed and used, but may not currently label them “data governance” policies. For example, IT governance, enterprise architecture (EA) standards and any number of IT-led competency centers or centers of excellence may define standards and policies on how best to capture, update and share relevant data and metadata across the organization. And many business-driven data policies likely exist today coming from your organization’s Chief Risk and Chief Financial Officers. These may include governance, risk and compliance policies, information security or data privacy policies, and of course any number of policies created to ensure compliance with external government and industry regulations. So when your data governance effort is ready to scope and define what policies it must document and implement, start with the work that’s already been done and reconcile which policies should be owned by the data governance effort, which should simply be recognized and complied with, and which should be replaced.
Common policies that a data governance initiative will be responsible for documenting and maintaining include:
- Data accountability and ownership. These policies spell out which senior business leaders, or combinations of business leaders (a la steering committee), are accountable for the quality and security of critical data. The policy must outline what ownership actually means and define the rights and responsibilities of the owners.
- Organizational roles and responsibilities. These policies document and make clear the responsibilities of your business and IT data stewards, data governance driver, and other dependent stakeholders. I outlined these specific roles and responsibilities in much more detail in my “By The People, For The People” post.
- Data capture & validation standards. Question: How do you eliminate the most common data quality complaint of “Garbage in, garbage out”? Answer: Stop the garbage in! These policies define minimum required data capture standards, data validation rules, reference data rules, etc. The goal is to ensure that the people, processes and systems that capture, import, update, transform or purchase critical data do so in a consistent, standardized manner, with a focus on quality that ensures fitness for enterprise use.
- Data access and usage. Data usage policies ensure appropriate use of data by appropriate stakeholders. Limiting access to sensitive or confidential information ensures compliance with edicts such as insider trading regulations and Payment Card Industry Data Security Standard (PCI-DSS). But usage policies extend beyond regulatory compliance to also ensure optimal use of data assets. For example, contact management policies are used to coordinate, prioritize and minimize multi-channel customer communications across sales, marketing and service organizations. This helps to reduce lower value contacts and avoid the risk of the customer feeling spammed – which may lead them to opt out of future communication.
In addition to the policies listed above, there are a number of policies laser-focused on information security and data privacy. As discussed above, it’s likely your organization has documented information security and data privacy policies based on existing corporate standards, contractual commitment to customers and partners, as well as externally regulated guidelines. You must simply ensure that the risk, security, and compliance stakeholders that own and monitor compliance with these policies are active contributors in your data governance program. Additional security and privacy policies include:
- Customer communication privacy preferences. These privacy policies ensure compliance with anti-spam legislation, “Do Not Call” registries, and customer marketing contact management best practices. These policies are meant to be transparent, customer-facing documents that should clarify whether your organization has adopted an opt-in policy (will never send marketing communications unless customer expressly permits) or opt-out policy (will always send marketing communications unless customer expressly requests a stop). These policies can go as granular as you feel is necessary and can request opt-in/opt-out at the marketing communication channel level (e.g., phone, mail, email, text, social) and even ask customers to set preferences by which of your products and/or services they are interested in learning more about.
- Data masking. These data privacy policies define and classify sensitive data, identify where it resides, and clarify when it needs to be masked or encrypted appropriately and consistently across multiple applications and database instances. Data masking policies are critical to ensure compliance with mandated data protection rules and standards such as PCI-DSS and those governing PHI (Personal Health Information) and PII (Personally Identifiable Information). Organizations demand the same data security policies for archiving as they do for their testing and even production environments, so the data governance effort must include all of these instances in its scope when managing data privacy.
- Data archiving and subsetting. Organizations focus on these policies to dramatically reduce the inactive data in production and legacy environments to cut down on storage costs. These policies, when effectively implemented, should also reduce data storage costs in your development and test environments.
- Data retention. Retention policies must balance the desire to archive and purge unused data to reduce storage costs and business risk with business and legal discovery retention management requirements. These policies will clarify what data needs to be stored for how long, in what format, applying what rules, with what level of masking or encryption, and with what access guidelines.
Am I missing any core data governance policy objectives that you’ve tackled? If so, please share!