Defining data governance and implementing policy

Data is power. For maximum power, you're going to need to govern your data.
3 March 2023

What data do you hold, where is it, and how easily can you access it when needed?

Before you can implement policies on your data, you have to define some terms. What is data governance? What must it do? Only when you can answer those questions can you begin to define the best ways of delivering data governance by implementing the correct policies.

So – what is data governance?

Data governance is the process by which any enterprise manages its data – its availability, its usability, its integrity and its security. To do that effectively, you need standards and policies that define what can happen to the data you hold – who can access it, for how long, and for what purposes? How and where do you store it? How do you make sure the data is consistent, accurate, available to those with the right permissions, and unavailable to everybody else?

All of this might sound intuitive – even child’s play. But it’s becoming increasingly important, and increasingly complex to manage, as the level and types of data increase, and laws around the world dictate what you need to keep and how, for how long, and how it should be accessible on demand by national or international organizations. Quite apart from all of which, if your data governance is not up to speed, you might well find yourself falling behind competitor businesses who have all the necessary data at their fingertips – particularly when it comes to navigating through what are euphemistically called “uncertain economic circumstances.”

In the event that you’re thinking managing and setting policies for your data is a one-person job, you’re going to want to think again. Certainly in enterprise-level businesses, you’re looking at the work of a full team, as well as probably a higher-level steering committee, to get the job done with the required level of competence.

You’re going to need sound procedures – and you’re going to need to know they’re sound procedures, meaning you can’t just make them up on the spot – they have to meet at least national criteria on responsible data governance, otherwise they’re not worth the pixels they’re painted with. You’re going to need executive buy-in, the voice of the business operations team needs to be heard – otherwise, you might be governing your data against your business’ best interests – and you’re definitely going to need people from the IT and data management teams involved too.

We mention all this just to drive home the notion that what seemed like it might be child’s play is a) not play, but significantly hard work, and b) work that involves several people it would be distinctly unwise to mistake for children. Data governance is becoming increasingly fundamental to an organization’s operation in the 21st century – it’s accounting, with a lot more zeroes and ones. But remember, you can’t govern your data simply as a workflow for its own sake. The point of data governance is to run better businesses, as well as to run businesses better. So your data governance needs to enable as well as restrict, to advance the business’ operations, not just to record them.

Implementing data governance policies.

First, catch your policies.

Before you can implement data governance policies, you need to understand what policies you need, and how they will work not only to ensure your data governance works within its own terms, but also that it works to enhance your business’ operation.

Generally, there are three goals you need to meet with your data governance policies.

  1. Know what data assets you have, and the rules of use that apply to those assets.
  2. Enhance the data literacy of all those who are likely to need access to your data assets.
  3. Define the parameters of success by which your data governance can be measured.

These goals engender policy priorities in your data governance framework. For instance, setting the rules that apply to particular data assets sets you on the road to creating an access tree, identifying who is allowed to access what data, when, why, and how.

Likewise, attempting to enhance data literacy means defining your data governance along lines of instinctive access paths, so your data assets are intuitively available to those who need them (and who have the appropriate permission to access them). Data governance should lead to both a greater security of your assets and a greater ease in finding and using them for the company’s ultimate benefit.

And without parameters of success, you’re governing data in the dark. What is a realistic and measurable metric to use to define the success of your data governance? Better, easier, faster access to the right data for the right users? A measurable increase in speed or thoroughness of the work of those who need to access your data? Choose an attainable parameter that can be simply measured – after all, measurement of the process is how you convince managers, the C-suite, and any external assessors that your data governance is being accomplished effectively.

Policies at the heart of successful data governance usually tie back to those initial goal sets, but go into significantly more detail. Once you’ve delineated your policies though, they should make the business of sorting your data for ease of governance and ongoing maintenance significantly more straightforward. In fact, that’s a clue – if your policies don’t make data governance faster and easier, you’ve delineated them wrongly, and you should take a look at what’s not working in the structure you’ve developed.

You should develop policies for at least the following:

Data mapping and classification.

Tying into goal 1, you need a competent and coherent data classification and mapping system, to identify what each item of data is, probably measured against several metrics, so each item of data has a set of searchable metadata that will bring it forward in particular data searches. One of the metrics should absolutely be the security level required to access the data, so you can run dedicated access/denial protocols, to make sure that, for instance, personal information or business-critical data are not revealed to anyone who doesn’t hold the correct clearance.

You also need an accurate data mapping policy, so that search results a) make sense, and b) are consistent, so data assets can be traced logically, time after time.

Data cataloguing.

You need a policy on data cataloguing, which involves collecting the metadata of your data assets, so you can create an inventory of your data, complete with its lineage. Ideally, you can also build data about your data governance policies into this catalog. Having a catalog means you make it easier for any data to be located in a linear fashion as well as through intelligent searching, helping to meet goal 2 of increasing your organization’s data literacy.

Data governance rarely exists in a corporate vacuum. You may well find that you need to implement additional policies, dealing with issues like data stewardship (who is responsible for which sections of an organization’s data, and what that responsibility entails, e.g. adequate security, granting additional access permissions, etc.), and data quality (the updating and accuracy of data as the business moves forward, to ensure that the organization’s data governance is vital and useful on an ongoing basis, rather than leaping forward as a snapshot of whenever the process is repeated).

Ideally, data governance will be folded into a larger data management process within the organization, subject to a C-Suite level data strategy, and ongoing monitoring and updating, to ensure it is kept both objectively relevant, and subjectively useful to help the business grow and thrive, making use of all its available data at the right time and in the right way.