What Is Data Governance: Definition, Advantages and Process Flow

Gartner defines data governance as “the specification of decision rights and an accountability framework to ensure the appropriate behavior in the valuation, creation, consumption and control of data and analytics.” When developing your DG program, you should tailor the data governance definition to your company’s concerns and goals, so it is meaningful for you. We will talk about this process when we discuss the implementation process.

There are several other terms that help define data governance:

• Data governance program covers the technical, business and organizational factors required to provide a business with high-quality data. Data owners, data stewards and other stakeholders must collaborate to build a sound DG strategy and a clear policy that describes all procedures, methods and technologies to be used throughout the data lifecycle.
• Data Governance Office (DGO) is a strategic team responsible for measuring success and gathering metrics. The Data Governance Institute defines DGO as “a centralized organizational entity responsible for facilitating and coordinating Data Governance and/or Stewardship efforts for an organization. It supports a decision-making group, such as a Data Stewardship team.”
• Data stewardship is an operational concept that focuses on the implementation and coordination of policies and procedures. Data stewards are responsible for managing critical data assets, including making data-related decisions, issuing recommendations and developing policies.
• Data quality is a key objective of data governance. It includes the accuracy, integrity, accessibility, consistency, completeness, reliability and timeliness of data.
• Master data management (MDM) is a discipline used to define and manage master data assets — key data that critical to business operations and analytics, such as data about customers, finances, products and services, and organizational structure.

Why Data Governance Matters

Data governance initiatives are often driven by the need to comply with internal policies, regulatory mandates (such as SOX, GDPR and HIPAA), frameworks (like COBIT 5) or standards (such as ISO/IEC 38500). But the benefits of establishing clear rules and procedures for data-related activities go beyond compliance. Here are some of the other common business outcomes of a sound data governance program:

Data governance helps address the growing flood of information. Organizations are collecting and creating more data than ever. Storing information you don’t need increases storage costs and makes it harder to find valuable information.

Data governance helps with regulatory compliance. Many laws require the retention of certain types of records and dictate how long it must be kept. Data governance helps organizations comply with these mandates and avoid steep penalties and law suits.

Data governance is essential for strong data security. Every organization must protect its sensitive and confidential data assets, most notably its intellectual property, personally identifiable information (PII), and protected health information (PHI), both at rest and when it is being transferred. Data governance can help you prevent incidents of accidental and deliberate data modification or loss by enabling you to evaluate your information management strategies and strengthen your security posture. For example, you can protect sensitive data from being sent outside the organization or copied to a thumb drive, and ensure you have appropriate backup and recovery processes in place based on the value and sensitivity of the data.

Increased user productivity. How much time do your employees spend each day cleaning up inaccurate information? Think of how much more productive they could be if you had data stewards responsible for taking care of that work before it ever made its way to their level. When your employees aren’t free to work to their full potential, your company could be losing out on ideas that could take your business to the next level.

Data governance is a part of eDiscovery process and litigation support. An effective eDiscovery process is dependent on good information governance. DG helps making data searchable and secure, which is critical when data requested by a court as part of an eDiscovery order. Without DG, the costs and risks associated with eDiscovery increase because you have to overpay for the  review of irrelevant information, while under-collection can result in cases being lost because of spoliation or hiding evidence.

Implementation Process

Data governance initiatives can be very complex and expensive to implement. Here are the steps involved and the aspects that require special attention.

Step #1. Prepare a value statement and build a roadmap.

Your DG program starts with an assessment of the current state of data management, roles and responsibilities, and data-related problems. This assessment will help you define your goals and develop a roadmap that identifies areas for improvement and a plan for achieving results. Remember that broad organizational changes often meet with resistance, so develop a strong value statement and give the full picture of the initiatives required on both the business and technical sides. Also be sure to anticipate questions and concerns, such as which metrics will be used to evaluate the program’s success.

Step #2. Identify and engage the right people.

Next, get the right people to handle your data, and give them the authority to implement the most effective practices for your organization. To find your stakeholders, consider roles and responsibilities in your organization. Remember that data governance is not only an IT job. While IT teams are responsible for providing technologies necessary to manage your critical data, other team members are just as vital. For example, the DG program will need someone with decision-making authority and someone to define data quality standards.

Step #3. Perform data discovery and classification.

Data classification plays a huge role in data governance strategy. It helps with:

• Identifying data regulated by GDPR, HIPAA, CCPA, PCI, CMMC and other mandates
• Applying metadata tags that can be then used when setting up required controls and automating DG processes
• Handling eDiscovery processes by enabling legal hold, and archiving

For effective data governance, you need to identify which data you need and what value it has. However, it isn’t a trivial task. The process will look like this:

1. Discover all of the data stored by your organization.
2. Determine its value.
3. Classify and label (tag) the data based on its value and sensitivity level.
4. Map where it’s stored.

The data discovery process enables you to find, categorize and classify data, which in turn enables you to understand how valuable that data truly is — and how at risk it might be.

There are three main types of data classification:

• Content-based classification inspects and interprets files to identify sensitive information.
• Context-based classification looks at application, location, creator tags and other variables as indirect indicators of sensitive information.
• User-based classification depends on manual selection of each document by a person.

Some organizations rely on manual classification, requiring employees to specify which category their data falls into. That’s better than doing nothing, but there’s a risk of errors in tagging or failing to classify data at all. A more reliable way is deploying automated data discovery and classification solution, such as Netwrix Data Discovery and Classification. It helps eliminate the efforts and risk of errors inherent in manual processes, ensure data classification is complete and accurate, and simplify data management.

Step #4. Develop a data governance policy.

A data governance policy defines the guidelines for ensuring the proper governance of an organization’s data. A data governance policy often covers the following points:

• The scope, purpose and structure of the data governance program
• Definitions of the roles responsible for the creation and use of various sets of information
• Rules for ensuring compliance with applicable laws, regulations and standards
• Rules and principles of data ownership, access, protection, classification, usage, storage and deletion
• Requirements for data quality audits, including metrics for evaluating success
• Relationships with other policies, such as a data retention policy, risk management policy, data protection policy or privacy protection policy
• Supporting documents

Step #5. Implement the policy.

Implementing a data governance policy can take months, so it’s wise to start with the most important business processes. To prioritize, consider factors such as regulatory requirements, impact on business initiatives and business priorities.

Step #6. Continuously assess progress.

Successful data governance is not a one-time project but an ongoing process. As internal policies, government regulations and business requirements change, your DG program must adapt. Be sure to regularly assess whether your processes and technologies continue to support the program’s goals and make adjustments as needed.