Enterprise data management leaders have a lot on their plates when it comes to implementing data governance best practices. Please tell us:
1) Why is data governance having a resurgence? One theory we have here at Integris Software is that enterprises are looking to data governance teams to help operationalize sensitive data management, which is urgent given CCPA and GDPR.
2) What is one data governance best practice or piece of advice that organizations need to know for 2020 and beyond?
1) Data governance is of paramount concern to the general public and, increasingly, to organizations. People want to know who is collecting what data about them and how it is being used. At the same time, continued technological innovation requires that governments promote access to data and foster incentives for data sharing. A good data governance strategy should balance the need to protect data while making it more available for innovative uses. For example, data has an immense potential to train and develop artificial intelligence applications. Having more data for AI applications increases the need for a robust data governance framework.
2) Organizations should manage information assets so that key considerations for ethical data management and use go beyond legal requirements. This ethical path cultivates innovation, trust, and inclusion. A strong data governance program also should be centralized within an organization rather than being spread among individual business units. A centralized, standardized program for data governance is key to ensuring that data is protected and handled consistently throughout the organization.
1) Regulations may be the “stick” in the motivational paradigm for data governance, but increased business productivity is ultimately the “carrot.” Both are needed for a robust, sustainable approach. Fear of regulatory enforcement is certainly helping drive a sense of urgency and a spike in budget for data governance and compliance technology, but progressive organizations are also beginning to look at the bigger picture of how governance can accelerate business value. Such benefits can include improved data quality, more efficient administration of data access permissions for self-service users, more accurate self-service insights, better reproducibility of data science efforts, minimization of bias in models, and potentially even increased consumer trust.
2) Three pieces of advice, actually: communicate, communicate, communicate. Data governance is a team sport, now more so than ever. It is simply not just an IT department or security team “problem,” as today line-of-business personas are becoming equal data consumers and stakeholders. This is reflected by how data is being used within the enterprise; decisions about new application/workload deployments within organizations are being made jointly by IT operations and line-of-business rather than by one or the other in over 70% of cases, according to 451 Research’s most recent survey data. Data decisions, today, are collaborative high-level business decisions, so thus too needs to be data governance. It’s easy to single out data silos as the antagonists of the data governance narrative, but we need to remember that technical silos frequently originate with organizational silos: the lack of communication between units often caused by politics or misaligned incentives. As critical business processes such as data privacy workflows become broader, more complex, and more encompassing of diverse job roles, stakeholders need to communicate their particular requirements and objectives so that individuals are not seeking out technology and methods that might undermine the data governance efforts of the organization as a whole. This includes involving the feedback of end-users within the organization that ultimately consume and access data; if governance and data privacy policies make life difficult for the “average” employee, maladaptive workaround behaviors will arise that ultimately destabilize governance efforts.
1) Urgent need for better trust in technology. Companies are laser-focused on how to apply Big Data and AI to benefit their business and hold the technology to do so. Employees want access to data and powerful analytics to generate insights. Data breaches, unfortunately, are common with significant risks for customers. Domestically, legislation aimed at improving protection of customer data is steadily being implemented per state. Competing technology needs, business priorities, and risk avoidance can seem overwhelming. Data governance is the framework for wrapping our arms around massive volumes of data, desire for self-service analytics, prioritization of customer needs but ultimately, solidifying trust in technology.
2) Seamlessly integrate data governance for employees with the same lens that we apply to digital products and services. Data Governance done well is not burdensome, it’s enabling. By automating policies and processes that make data governance work well and data use reasonable and safe, it is less likely business growth will be limited.
1) For decades, data management best practices were aimed at ensuring that no data got lost. The governance that went along with those best practices was to ensure companies knew what data was where so it could be effectively used. In today’s climate of greater awareness and sensitivity around how people’s personal data is used, data governance has become a critical tool in ensuring companies are staying in compliance with key laws like CCPA and GDPR. New data governance best practices, like data discovery and classification, allow companies to prove to customers, auditors and regulators that they are appropriately handling their customers’ sensitive data.
2) Not all anonymized data is anonymous. A factor many companies overlook is that with only a few key pieces of information, a customer can be re-identified from an anonymized dataset. For instance, 87% of the US population can be uniquely identified using nothing more than date-of-birth, gender, and zip code. Similarly, something like rare eye disease and zip code could also identify a person. That’s why new data governance best practices dictate companies should look for ways to find and protect personal information regardless of whether it’s tied to an identifier like name, email, customer ID, or phone number.
Senior VP and Fellow, Imperva
1) I wouldn’t say data governance is having a resurgence. Data privacy has been around for two decades through various industry regulations, but the consumer public is now demanding that companies protect all personal data. Previous industry-specific regulations didn’t go far enough to protect data that fell outside their bounds. For example, protecting someone’s financial and credit card data did nothing to protect their phone number. I see it as less of a resurgence and more of a gap analysis between the specific data sets companies were protecting and the much broader types of sensitive data they must now care about. This is an important change. Businesses must close the gap between only protecting the data they cared about and what they can’t ignore anymore.
2) You have got to start somewhere. The organizations that haven’t done anything with data governance will be fined the most under CCPA and GDPR. There are hundreds of GDPR fines in the works for organizations that haven’t done anything to protect sensitive data and CCPA regulators will happily do the same. Businesses need to know where their personal data is, who is accessing it and how they are using or sharing it. Those who can’t answer these simple questions will likely be found negligent and face the largest fines.
1) At the risk of offending, I’ll have to say that I disagree with the premise of the question. I do see instances at individual companies, where the commitment to data governance best practices ebbs and flows. But in aggregate, across a large number of organizations and industries, we’ve seen consistent growth in DG investments year-over-year for the past decade. I will absolutely however agree that executive-level interest increases significantly in response to specific regulatory and compliance requirements, and we’re definitely seeing that at the moment with CCPA. GDPR was important of course, but US-based organizations seem to be paying a lot more attention to CCPA.
2) We hear it over and over, but it’s worth repeating…Data Governance is not a “project.” It’s a discipline and practice that requires ongoing business commitment. I make the analogy to financial governance…does anyone on your Board suggest that your organization should do without finance controls and auditors, year over year, just because you’ve installed a new accounting system? Of course not…and data requires consistent management and governance in the same way.
Director of Business Intelligence and Enterprise Information Management, Fortune 500 Food and Beverage Company
1) Privacy Compliance is certainly one aspect driving the resurgence of data governance and foundational data management initiatives. This issue is further compounded by the fact that our privacy regulatory landscape will be highly variable with ever-increasing regulatory requirements over the next 3 to 5 years. Additionally, I believe companies have now realized the challenges resulting from ungoverned data lakes – including issues with access control, lineage and basic data definitions. I believe organizations are also realizing that the mantra of “data is a corporate asset” is a fantastic slogan but much easier said than done. This issue is driving organizations to turn to master data management and data governance best practices to help realize their vision of “data is an asset”. Also, organizations continue to invest in data-intensive projects like AI and ML only to realize the underlying data quality is inadequate to support the business teams’ expectations. This, in turn, leads to failed projects and under-performing project ROIs.
2) Data governance is not a technical problem – it is a process, policy, and organizational change management cultural challenge.
Publisher of The Data Administration Newsletter and President/Principal for KIK Consulting
1) Data Governance is having a resurgence because organizations recognize that data and information are some of their most (if not the most) valuable assets that they own and manage. Another reason is that the auditability of the protection of sensitive data and compliance to regulatory controls have become increasingly vital to the organization’s success and risk mitigation. If you want to include a third reason, it is because organizations have become enamored by their investments in shiny objects such as analytical platforms and self-service business intelligence (all demonstrating value based on people’s confidence in the data). These are the same reasons that the Chief Data Officer (CDO) role has been introduced and is growing in acceptance.
2) My first piece of advice is to start and stay non-invasive in your approach to data governance. By non-invasive I mean taking a formal approach that leverages existing levels of accountability first (every organization governs their data – some more formally and intentionally than others) before projecting that data governance is complex, difficult and over and beyond people’s existing workload. People will believe (for the most part) what you tell them. Tell them you are taking (and take) a non-invasive approach to data governance. Another piece of advice is that data and metadata will not govern themselves. Therefore it is virtually impossible to formally govern your data without the appropriate level of senior management support, sponsorship and understanding resulting in the appropriate levels of resources associated with administering formal data governance. I recommend focusing early on senior leadership’s support, sponsorship, and understanding. Your program will be at risk without it.
1) Companies are increasingly investing in ways to enable their broader teams (not just the data “elite”) to find and use data to make decisions with clarity, accuracy, and speed. Agile governance is an important part of this process because it allows them to put in place guardrails that let them move faster in terms of finding, understanding, and using key operational data in ways that comply with legal, ethical, and regulatory requirements.
2) Look at data governance as a process of enabling your teams, not restricting them.
1) The pressure is on. Data management professionals are being asked to leverage data in order to help drive the three most important business drivers behind data governance: drive new revenue, improve efficiency and assure compliance with international and local regulations. It’s these business drivers that have driven a resurgence, but it’s the ever-growing hunger for more revenue that is the chief driver. At the same time, new innovations in our modern world present challenges. Data is no longer a fixed size delivering fixed monthly reports. Companies want to improve revenue, efficiency and compliance using natural language texts, audio and video, for example. In order to deal with that, new analytics technologies come into play. Data governance plays a huge role in deciding which data sources and technologies will come together to support our most important business drivers.
2) I would advise organizations to think outside the box when it comes to the data they leverage and the solutions they use. To leverage new data sources, be open to new analytical engines. There are amazing and unique new ways to perform analytics that don’t involve a data warehouse. For example, graph databases are great for harmonizing diverse data sets, creating a common understanding and using industry-standard data definitions (ontologies) in order to analyze and share data across silos. Natural language processing engines can deliver new insights on unstructured data. The world is full of great new ways to drive our business initiatives.
President & COO, Integris Software
1) Data governance is certainly not a new topic. But there’s nothing like regulation to get everyone focused on it again. The EU’s GDPR gave U.S. companies a head-start to prepare for CCPA. GPDR provided the basis for corporate legal teams to define CCPA privacy policies and practices. This has enabled US companies to quickly advance into a technology-enabled privacy and data governance maturity phase. For example, US companies are already looking to automate and scale previously manual best-effort data governance workflows with discovery tools to inventory and control sensitive data – and respond to data subject requests (DSRs) in the thousands.
2) Data governance best practices? Don’t boil the ocean. Unlike PCI where credit card information could be contained in a limited area, CCPA regulated personal information (PI) is everywhere. The initial reaction is to go after everything. Data Governance is typically a centralized function, however, the app/data teams control access to the databases, data lakes, and cloud systems. Individual data owner buy-in is critical to show quick early wins and build momentum for a successful data governance program. They hold the keys to make a data governance program successful, including access to perform data discovery scans, help interpret findings, and remediate risk issues uncovered. Finding a motivated data owner to pilot the program is a great place to start. Execute an end-to-end process, learn lessons, and make a hero out of your data owner partner. By first proving the program’s value with the pilot team, you can expand that out across the organization.
1) I believe it is a combination of an increasingly complex data/privacy regulatory environment, alongside competitive threats in most industries. Companies know all too well that they have data issues, but they are finally seeing enough consequences to put real effort into improving their data capabilities. The solve-it-all promises of various tools over the years have fallen flat—and despite data governance’s long history of failed implementations, organizations realize that the ostrich-like approach of ignoring it altogether is an even worse path.
2) To have any value, data must drive real business improvements that can be measured in terms revenue, cost, or risk management. Every organization can use data to get better at what they do—and if they don’t, their competitors will. Data governance supports these efforts, but data governance is simply a means to an end. Thinking that data governance matters on its own is largely why so many data governance efforts fail.
1) Your theory is correct but there is also the push for understanding how to manage Big Data in a way that it can yield Business Value. IT pushes IT to shift from a ‘Cost Center’ to a ‘Value Driver’. My experience lies in solving business problems. That is at the end of the day, what businesses need is ‘to get value out of their data assets’. Our practice specializes in that. The value could be revenue or avoidance of regulatory fines as in the case of CCPA and GDPR. The resurgence in Data Governance across 95 companies I’ve consulted with over the last two years has come from the need to solve true business problems, one being driven by a shift in the focus of a business from seeing IT as a back-office support group to a new role in the value it can bring through the data they manage to create competitive advantage and also lower regulatory risk. It is important to focus on creating a Data Governance Program that addresses the needs of the business. Any business that does not protect and manage its data as a currency is creating risk debt to itself to not only from Regulatory Exposure. Data Breaches in some states will bring fines and reputational damage but also limits its ability to create new business models with the injection of new technologies such as machine learning and AI. One must know that while there is a promise of ML and AI, a successful implementation requires ‘clean and complete’ data that can be sourced to the ML models in near real-time. This is a challenge without maturity in the Data Governance landscape of a firm. Governance Risk and Compliance groups are being created to protect firms from fines such as GDPR, CCPA, SOX. These create a shift in how internal teams can comply with such regulatory needs. Knowing your data, its purpose, its location, and meeting CCPA requirements, as an example, will broaden the role scope of Second Line of defense Compliance teams who will have to work hand in hand with Data Governance roles. I’ve clearly seen this happen at a top 3 Telco business. It is a natural gravitation of roles re-morphing as an enterprise integrates privacy by design principles into its core IT operations.
2) Change Management is key to a successful data governance program. It’s like a code of ethics. Everyone must know the rules and their roles and have accountability for their data not any different than one manages personal bank accounts. Business data is currency. Data Governance is at the inception of maturity. Applying principles of Quality and Culture Change management will go a long way to breaking data silos and building an end to end understanding of how data supports business processes. Data discovery is a key capability that can be used to drive collaboration across teams. It’s like playing cards and showing them on a table for everyone to see how to play the game.