Data Governance vs. Data Management: What’s the Difference?
I’m often asked if there is a difference between data governance and data management. The answer is yes—but they are related.
Data governance is the definition of organizational structures, data owners, policies, rules, processes, business terms, and metrics for the end-to-end lifecycle of data (collection, storage, use, protection, archiving, and deletion). Data management is the technical implementation of data governance.
Data governance without implementation is just documentation. Enterprise data management enables the execution and enforcement of policies and processes.
Here’s how I described the difference to my father, who worked in the construction industry for more than 50 years: data governance is the blueprint for a building, and data management is the physical construction of the building. Without data management, there is no physical building. And while you can construct a building without a blueprint (data governance), it will be a less efficient and less effective activity, with a greater likelihood of problems down the line.
What is Data Governance?
Let’s take a closer look at some aspects of data governance.
- People: People are critical to data governance because they are the ones who create and handle the data, and ultimately benefit from well-governed data. Examples include the subject matter experts in the business, who can determine standardized business terms for the organization along with the levels and types of quality thresholds required for different business processes. Data stewards are responsible for remediating data quality issues. IT people are responsible for the architecture and management of databases, applications, and business processes. Legal and security people are responsible for data privacy and protection. And cross-functional leaders make up the governance board or council responsible for resolving disputes between different functions within an organization.
- Policies and rules: If policies define what, rules define how. Organizations use a wide range of policies and rules across processes and procedures; common categories include consent, quality, retention, and security. For example, you might have a policy that states consent for processing must be obtained before personal information can be used. One rule might define the consent options (like billing, marketing, and third-party sharing) that people must select when personal data is being collected. And another rule might define that marketing consent must be confirmed before sending a promotional offer to a customer.
- Metrics: What gets measured gets managed. Common technical metrics include things like the number of duplicate records in an application, the accuracy and completeness of data, and how many personal data elements are encrypted or masked. While these types of metrics help in the technical management of data, leading organizations are also looking to define how these technical metrics impact business outcome metrics.
For example, days sales outstanding (DSO) is a common business metric used by financial analysts and lenders to analyze the financial health of a company. If customer address data is incomplete or inaccurate, it will increase the billing cycle time and consequently increase DSO. If DSO is greater than the industry average, analysts and lenders might see that as a sign of risk and downgrade the company’s outlook or increase the cost of capital.
What is data management?
Now let’s take a closer look at some tools and techniques for data management.
- Cleansing and standardization help implement and enforce data quality policies. Profiling helps you compare the validity, accuracy, and completeness of data against the data quality metrics you set. You can then fix problems such as non-valid values, incorrect spellings, and missing values. You can also embed cleansing rules into data entry processes to enforce data quality at the point of entry. Profiling also helps you identify similarities, differences, and relationships between data sources so you can remove duplicate records and enforce consistency across sources. You can enrich internal data with external data like DUNS numbers, demographics, and geographic data. And many organizations create a centralized hub to help maintain semantic consistency of master data across data sources.
- Masking and encryption help you implement and enforce privacy and protection policies. Data discovery and classification tools and techniques help you identify sensitive and personal data and tag it as requiring protection based on internal requirements and external regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Brazil General Data Protection Law (LGPD). These tags can then be used to apply appropriate protection controls. For example, depending on classification and access policies, some users may be authorized to access the raw data, while the data may need to be dynamically masked at query time for other users. Data flow modeling helps you understand how data is collected, processed, stored, and distributed both internally and externally. You can then determine appropriate protection controls based on classification and privacy policies. For example, data masking may be fine for access that occurs inside your firewall, but data must be encrypted before sharing it with third parties outside your organization.
- Archiving and deletion help implement and enforce retention policies. Data is archived when it is no longer actively required for day-to-day operations but is still needed to meet regulatory requirements like tax reporting or long-term storage. Data archiving tools also track how long the data should be retained, index the data for easier retrieval for activities like legal discovery, and enforce appropriate access and data masking/encryption controls. At the end of the designated retention period, data is then permanently deleted. While this may seem straightforward on the surface, in practice it is a complex task to balance retention requirements of industry regulations (such as BCBS 239 and CCAR) against erasure requirements of governmental and regional regulations (like GDPR and CCPA).
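To make the masking and encryption item above concrete, here is an added example (not from the original article or any vendor product) in which discovered classification tags drive both query-time masking and an encrypt-before-sharing check. The patterns, role names, tag names, and sample records are all constructed assumptions.

```python
import re

# Constructed discovery rules: classification tag -> pattern that identifies it.
CLASSIFIERS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "national_id": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}
# Hypothetical access policy: roles allowed to read raw values for each tag.
RAW_ACCESS = {"email": {"billing", "privacy_officer"},
              "national_id": {"privacy_officer"}}

def classify(rows):
    """Tag a column when every non-empty value in it matches one classifier."""
    tags = {}
    for col in rows[0]:
        values = [r[col] for r in rows if r[col]]
        for tag, pattern in CLASSIFIERS.items():
            if values and all(pattern.match(v) for v in values):
                tags[col] = tag
    return tags

def mask(value):
    """Show the last two characters only; hide short values completely."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]

def query(rows, tags, role):
    """Dynamic masking at query time: raw values only for authorized roles."""
    def visible(col):
        return col not in tags or role in RAW_ACCESS[tags[col]]
    return [{c: v if visible(c) else mask(v) for c, v in r.items()} for r in rows]

def export_violations(tags, destination, encrypted):
    """Masking is enough internally; tagged data leaving the org needs encryption."""
    if destination != "external" or encrypted:
        return []
    return [f"{col} ({tag}) must be encrypted before sharing"
            for col, tag in sorted(tags.items())]

SAMPLE = [  # constructed records, not real data
    {"name": "A. Rivera", "contact": "a.rivera@example.com", "tax_ref": "123-45-6789"},
    {"name": "B. Chen", "contact": "b.chen@example.com", "tax_ref": "987-65-4321"},
]

if __name__ == "__main__":
    tags = classify(SAMPLE)
    print(tags)
    print(query(SAMPLE, tags, "analyst")[0])
    print(export_violations(tags, "external", encrypted=False))
```

The same tags feed both controls, so a column that discovery misses is neither masked nor flagged on export; classification coverage is the thing to measure first.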
Data governance and data management: Building a solid data foundation
Notice that while data governance and data management are different entities, their goals are the same: create a solid, trustworthy data foundation to empower the smartest people in your enterprise to do their best work.