CIO.com

data governance policy

By Mary K. Pratt

What is a data governance policy?

A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are managed consistently and used properly. Such guidelines typically include individual policies for data quality, access, security, privacy and usage, and they specify different roles and responsibilities for implementing those policies and monitoring compliance with them.

A well-crafted policy is the foundation of an organization's data governance program. The data governance policy should articulate the principles, practices and standards that senior business and IT leaders have determined are necessary to ensure that the organization has high-quality data and that its data assets are protected against both internal misuse and external threats.

Ideally, the policy-forming group, called a data governance committee or data governance council, is primarily made up of business executives and other data owners. The policy document this group creates, in a process coordinated by data governance managers, clearly defines the organization's data governance structure and a set of governance rules and procedures for the executive team, business managers, data analysts and operational workers to follow.

For example, a data governance policy formally outlines how data processing and data management should be carried out to make sure that data is accurate, consistent and accessible throughout an organization's systems. The policy also establishes who is responsible for data under various circumstances. In addition, it can incorporate risk management and data ethics principles to reduce potential business problems from the improper use of data.

A data governance policy is a living document: It must be flexible, and an organization should be ready to quickly modify it in response to changing business or data needs. Furthermore, an effective policy requires a cross-discipline approach to data governance, with input from senior management, the legal department and other business stakeholders, as well as the IT department.

Why is an effective data governance policy important?

The importance of a data governance policy is tied directly to the benefits of a strong data governance program and the value of data itself. Starting in the 20th century and accelerating in the last few decades, data became one of the most valuable assets held by organizations, which increasingly use it to drive both tactical and strategic business decisions.

It also now powers automation, machine learning and artificial intelligence initiatives that can streamline and improve business processes. In addition, data enables the creation of new products and services. For example, manufacturers found that they could use their product data to analyze performance and predict when scheduled maintenance will be needed at customer sites.

However, data is only a valuable asset if it meets an organization's needs and is accurate and used consistently throughout the organization. That creates a strategic imperative to govern data and the need for a comprehensive policy to underpin the governance program.

Such a policy helps establish a data governance framework that provides the following:

• the appropriate level of oversight of the organization's data assets based on their potential business value and the business risks associated with them;
• consistent, efficient and effective management of data throughout the organization on an ongoing basis; and
• suitable security, privacy and access control levels for different categories of data.

A successful policy also helps ensure that the enterprise data governance structure supports the organization's strategic vision for its data management and analytics programs, whether the main goal is using data to drive new revenue, develop new products and services, fuel broader digital transformation initiatives or achieve another business objective.

To aid in meeting such goals, data governance policies include a data stewardship function that's responsible for overseeing data sets and ensuring that governance rules and procedures are implemented. Governance policies can also be aligned with ones for other corporate management processes, such as business process management and enterprise risk management.

Types of data governance rules that a policy should include

As mentioned above, a data governance policy sets various types of data-related rules. In that sense, it can be seen as a collection of policies that cover different parts of the governance process. The common aspects of a governance policy include the following:

• Data quality and integrity. Data quality improvement is commonly a top goal of data governance programs, and clean and accurate data sets are perhaps the most visible sign of effective governance. The data governance policy should include procedures for managing data quality and integrity to prevent data errors, inconsistencies and other issues and to find and fix problems that do occur. It should also detail data quality metrics that will be used as part of measuring the governance program's success.
• Data access. Policies governing this are designed to ensure that business and analytics users have appropriate access to data. That means they can access the data they need to do their jobs but not other data, especially sensitive or proprietary information. The governance policy may include role-based access controls with different accessibility privileges for separate groups of users. It may also spell out the potential consequences that users could face for accessing data without authorization.
• Data usage. Similarly, a data governance policy sets rules on appropriate and ethical uses of data. They're intended to ensure that data is used properly and that an organization complies with applicable data privacy laws and doesn't offend customers by using their personal data in questionable ways. The policy often also lists steps that could be taken against users who violate the rules, ranging from loss of data access to disciplinary measures, termination and even legal action.
• Data integration. This involves rules designed to create common data definitions and avoid or eliminate data silos that are isolated from the rest of an organization's systems. Doing so has twin goals: to make relevant data available to users across an organization and to ensure that workers in different departments aren't using inconsistent data sets.
• Data security. A data governance policy typically also addresses data security and privacy protections, including end-user responsibilities for helping to keep data secure. It may describe those in detail or point to the organization's overall IT security policy. The policy commonly also incorporates internal data classification standards for categorizing data to govern security, as well as access and usage. For example, data sets might be classified as public, confidential or sensitive information.

How to develop a data governance policy

Beyond the business representatives on the data governance committee, the policy-making process should include legal, compliance and risk management executives, plus IT and security leaders and the chief data officer -- or, if an organization doesn't have a CDO, the executive charged with overseeing enterprise data.

They should help determine who is responsible for different data assets, the business risks associated with those assets and what regulatory requirements apply to the organization's data, as well as what the requirements entail for compliance efforts. Once those assessments are done, the data governance committee should use the information in developing the data governance policy's rules and procedures.

The following are some specific steps typically taken by data governance proponents and then the committee and members of a data governance team as part of creating a governance policy:

1. Create an inventory of data assets, and do an assessment of data usage, data quality and existing data management practices to identify issues that a governance program could address.
2. Use that information to develop a business case for data governance to get executive support and funding for the program.
3. Name a data governance manager, and create a governance team to support the program.
4. Form the data governance committee, which should include top executives or other representatives from all departments and business units.
5. Within the committee, define the scope and overall goals of the data governance program to help guide the policy process.
6. Develop a formal structure for the program that fully delineates different governance roles and responsibilities in the organization.
7. Work to create common data standards and definitions that will be incorporated into the policy.
8. Define the metrics that will be used to track the program's performance, such as data quality improvements and increased data literacy.
9. Write an initial draft of the governance policy, and distribute it to senior executives, the legal department and other parties for review.
10. Revise the policy as needed, and create communication and training plans for releasing the finalized document to the entire organization and launching the governance program.

Once the data governance policy is in place, it should be reviewed on a regular basis and updated when necessary to ensure that it continues to meet business needs and doesn't become outdated.

Data governance policy structure and components

Data governance policies often are structured differently from organization to organization. Their length and level of detail can also vary. In general, though, a policy typically includes the following components:

• a statement of purpose that describes the organization's vision and overall goals for the data governance program;
• a scope statement that outlines who the policy applies to and what kinds of data it covers;
• a set of specific objectives for improving data access, usage and management;
• a list of the positions and entities that will oversee different parts of the governance program, with details about their responsibilities;
• the various principles and rules that make up the heart of the governance policy;
• definitions of terms used in the policy for reference purposes; and
• references and links to related internal policies and relevant government regulations.

Data governance policy templates

Many organizations have posted their data governance policies online. Most of them are government agencies or academic institutions, but their policies may be able to serve as models for a governance policy in a business. Templates for creating a data governance framework that are available from educational and professional organizations, such as the Data Governance Institute and DAMA International, may also be able to help guide policy development. Some data governance software vendors also offer templates and methodologies for creating a governance framework.

Although such templates can help organizations plan their approach to creating a data governance policy, some consultants have cautioned against relying on them -- at least exclusively -- because a strong, well-crafted governance policy must meet the individual needs of each organization.