A data governance policy is a documented set of guidelines for ensuring that an organization's data and information assets are managed consistently and used properly. Such guidelines typically include individual policies for data quality, access, security, privacy and usage, as well as roles and responsibilities for implementing those policies and monitoring compliance with them.
A data governance policy should articulate the principles, practices and standards that organizational leaders have determined necessary to ensure the organization has high-quality data and that its data assets are protected. The policy-forming group, called a data governance committee or data governance council, is primarily made up of business executives and other data owners.
The policy document this group creates clearly defines the data governance structure for the executive team, managers and line workers to follow in their daily operations.
A data governance policy formally outlines how data processing and management should be carried out to ensure organizational data is accurate, accessible, consistent and protected. The policy also establishes who is responsible for information under various circumstances and specifies what procedures should be used to manage it. In addition, it can incorporate risk management and data ethics principles to reduce potential business problems from the use of data.
A data governance policy is a living document, which means it is flexible and can be quickly changed in response to changing needs. An effective data governance policy requires a cross-discipline approach to information management and input from executive leadership, finance, information technology (IT) and other data stewards within the organization.
Importance of a data governance policy
The importance of a data governance policy is tied directly to the importance of a strong data governance program and the value of data itself.
Starting in the 20th century and accelerating in the 21st century, data became one of the most valuable assets held by most, if not all, organizations.
Data during this time started to fuel both tactical and strategic decisions.
It also powered automation, machine learning and artificial intelligence initiatives, with data being fed to these technologies to instruct them how to properly perform processes and operations.
Data also has enabled the creation of new products and services. For example, manufacturers found that they could use their data assets to analyze the performance of their products and predict when they'll need scheduled maintenance based on customer-use patterns, thereby enabling them to sell predictive and prescriptive analytic services as well as preventative maintenance services based on data analysis.
In fact, the "2019 State of Data Management report" found that data governance was among the top five strategic initiatives for global organizations in 2019.
However, data is only a valuable asset if it's relevant to the organization's needs and objectives and if it's accurate and available consistently over time and throughout the organization.
As such, organizations recognized the need to govern their data. So they created the aforementioned data governance committees or governance teams to establish comprehensive policies for their enterprise data programs that detail how data will be collected, stored, used and protected.
Those who should be part of the policy-making process include legal, compliance and risk executives, security and IT leaders, business unit heads and the chief data officer or, if no CDO is in place, the manager or executive charged with overseeing enterprise data.
These committees should determine who has responsibility for the data, its security, its integrity and its use.
The committees also should identify what regulatory requirements apply to the organization's data and data program as well as what those requirements entail for enterprise compliance.
And the committees should identify the risks associated with their organizations' data assets and data programs, such as whether poor data quality could disrupt business processes or whether exposure of sensitive data would constitute a regulatory violation.
Developing a data governance policy
Once those assessments are done, the data governance committee should use its determinations to develop the policy guidelines and procedures that, if followed, ensure the enterprise has the data program envisioned by the committee.
A well-crafted policy creates a governance framework that ensures the following:
- the appropriate level of oversight of the organization's data assets based on their value and risk as determined by the data governance committee;
- consistent, efficient and effective management of the data assets throughout the organization and over time; and
- the appropriate protection and security levels for different categories of data as established by the governance team.
A well-articulated policy also helps ensure that the enterprise data governance structure supports the organization's strategic vision for its data program, whether the goal is leveraging data to glean insights that drive new revenue or to use data to provide new services or to fuel digital transformation more broadly.
Many governance committees select one of the available data governance policy frameworks to identify the elements they need to address and determine the standards and guidelines that will work for their organization's needs. Generally, as part of crafting and finalizing a data governance policy, data governance councils will also need to identify the roles responsible for managing and enforcing the guidelines laid out in the policy.
Data governance policy structure
Although each policy should be tailored to the unique needs of the enterprise, it typically should include the following:
- the inventory of the data sources within the organization;
- the goals of the organization's data governance program and metrics for determining success;
- the positions within the organization that will oversee elements of the governance program;
- expectations around data quality and data lifecycle management as well as expectations around data integrity and data integration;
- parameters to establish which roles can access which data elements -- in other words, information around data access;
- details around acceptable data usage;
- different categories of data based on whether it's sensitive, confidential or publicly available, along with the levels of security and protection required at the different levels; and
- the laws and regulations that must be followed and what compliance means for the organization's data program.
The policy, once developed, should be supported by a data stewardship program and a master data management program. It also can be aligned with other corporate management processes, such as business process management (BPM) and enterprise risk management (ERM).
Data governance policy templates
Although policy templates are available to help organizations organize their approach to creating their own data governance policy, some advisers have cautioned against relying on them -- or relying on them exclusively -- because a strong, well-crafted policy should be unique to each organization, addressing:
- the organization's vision for its data governance program;
- the program's structure, including roles and responsibilities;
- data standards and guidelines, along with the procedures and programs to enforce them, to deliver on the organization's data governance objectives; and
- how adherence to the policy will be monitored, measured and remedied as well as when the policy should be reviewed and how it should be updated.