Across Europe and across the world, the issue of data governance has come to the fore. The ripple effect of GDPR and its inevitable influence over global data protection regulations has forced organisations large and small to get a firmer grasp on their data.
Ultimately, that’s what data governance is all about: improving your ability to manage data and ensure you’re not falling foul of regulations. But there’s even more to it than that…
In this guide, we explain:
- Exactly what data governance is
- How it helps companies comply with regulations
- The challenges of achieving good data governance
- How to get started
What is data governance?
Data governance is a holistic approach to data privacy and security. There is no silver bullet or single set of tools which will ensure you’re abiding by regulations: it requires people, processes and technologies working seamlessly together.
So, data governance is essentially a set of management practices which ensure that personal data is used and protected according to the law and to best practice. It is a process by which you:
- Understand and protect the data assets of the business and the interests of your customers, employees and the public
- Ensure compliance with data and privacy laws
- Identify existing and emerging data risks so they may be properly assessed and mitigated (where necessary)
- Support data strategy & innovation
Investing the time and resources to create a robust data governance programme ensures the right foundations are in place to empower the business to make the most of its personal data assets in a safe and secure way. For example, GDPR requires organisations to have in place disciplined, transparent and accountable procedures for processing personal data.
But it’s not all about legal compliance. Personal data is often one of the most valuable assets of a business. To make it work profitably, you need to understand how you’re using it and take responsibility for it.
Many organisations are striving to embed Privacy by Design and by Default across their data processing functions, to ensure compliant solutions are ‘baked in’. In effect, this future-proofs how a company uses data, thereby avoiding a ‘whack-a-mole’ approach which will be more costly, stressful and ineffective in the long-run.
Case study: data governance gone wrong
The first company to fall foul of GDPR in the UK was, in fact, a Canadian one. This demonstrates the challenges for companies operating across multiple territories: it doesn’t matter where you are, it matters where your data is coming from.
AggregateIQ had provided data services to organisations campaigning for the UK to leave the EU. In essence, AggregateIQ failed to gain permission from individuals to use their data for the purposes of political campaigning. More widely, it was accused of misusing individuals’ personal data by processing it in a way that the subjects were not aware of, for purposes they would not have expected, and without a lawful basis for doing so.
There are three key lessons to learn from this:
- If a national regulator believes its citizens’ data has been improperly accessed or used, it will seek to bring companies to account wherever they are in the world.
- Brands should ensure third-party providers of data services are legally compliant – or risk reputational damage.
- Personal data must be collected in a transparent way and for a specific and legitimate purpose.
This is just one example of data governance gone wrong. The challenge for organisations is that there are many potential pitfalls when it comes to handling personal data. And even for organisations based outside the EU, GDPR cannot be ignored.
“Organisations will have tentacles out into all sorts of markets and they’ll have also partners and third parties operating in different markets. So understanding how your business runs from a data-driven perspective becomes key.”
Ian Evans, MD at privacy management software company OneTrust.
The challenges you need to overcome
- Understanding your data and how it is processed: many different departments process personal data, relating to customers, staff, business clients, contractors/agents and other parties, so the first step is to assess the personal data being processed by the various business functions
- Many organisations don’t have a recognisable data governance framework in place
- Distributed processing by many functions
- Outsourcing to third-party processors makes it hard to identify all of the processing
- Wider definition of personal data: more processing falls under the scope of data protection laws
- Lots of processing may never have been assessed to ensure it is fair, lawful, transparent and secure
- Legacy systems may not meet Privacy by Design standards
- Handling information rights, such as subject access and erasure requests
- Inexperience in carrying out data protection impact assessments
Get to know your data and how it is processed
Many different departments process personal data, and that information can relate to customers, staff, business clients, contractors/agents and other parties.
The first step is to assess the personal data being processed by the various business functions. For example:
Start by assessing your data risks
Performing a risk assessment is the first step in developing – or improving – your data governance framework. The graphic below demonstrates the risk assessment cycle. In summary:
- Get to know your data: identify where it is, where it goes and who is accountable for it. This requires you to develop a data inventory.
- Make a risk assessment: identify where the personal data is and document any potential risks.
- Create an action plan: identify what steps you need to take in order to tackle risks and improve procedures.
- Measure and monitor: have a system in place for regularly monitoring your data protection and legal compliance status.
While the kind of risk assessment you need to carry out may vary from territory to territory, the requirements laid out under GDPR are a good place to start, as it remains among the strictest standards.
GDPR sets out that in certain circumstances a data protection impact assessment (DPIA) is required, notably when there is a significant change to existing processing, or new processing which may give rise to a high risk to the rights and freedoms of data subjects. As part of your governance framework you will need to ensure you and your teams are able to identify when a DPIA is required, or when you may decide it would be appropriate to conduct one voluntarily.
Does your organisation need a DPO?
The GDPR introduces a duty for organisations to appoint a data protection officer (DPO) if they are a public authority or body, or if they carry out certain types of processing activities. DPOs assist an organisation to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding DPIAs and act as a contact point for data subjects and the supervisory authority (e.g. the ICO).
Some organisations fall under the mandatory requirement to appoint a DPO, others have chosen to voluntarily appoint one.
Train your people how to protect personal data
A core component of a data governance programme is ensuring your employees are provided with high quality data protection training. Your people don’t just need to know how to handle your data appropriately and to ensure individuals’ rights aren’t undermined, but also crucially need to know how to prevent a personal data breach.
Debbie McElhill, Associate at the Data Protection Network stresses the growing need to take data governance more seriously:
“Make data governance a key priority. Get it on the boardroom agenda as part of the customer strategy and keep educating your people. Be creative in how you do that.
“Looking after individuals’ personal data compliantly needs to be embedded as part of your company culture, it needs to be second nature for your people – just like great customer service should be.”
Be proactive and diligent
The job of compliance is never done, so the need to keep abreast of legislative changes and update training and processes where appropriate will continue.
Those who wish to create a customer-focused culture, one which places the needs of consumers and individuals first, will want to protect their customer data from harm, and will therefore be better placed to adjust to legislative changes as and when they occur.
This article features excerpts from a GMA report produced in collaboration with the Data Protection Network and OneTrust. Access it here: Data Governance in a post-GDPR World