Companies in every industry are subject to laws, statutes, regulations, rules, standards and policies set by governments and industry consortia. Complying with these directives requires significant corporate effort and investment, with noncompliance carrying the risk of fines, censure or other undesirable consequences. Other challenges that typically plague compliance efforts include the following:
- Strict time frames. External bodies establish deadlines and compliance deliverable schedules, limiting the organization's ability to control and manage project schedules.
- Drained productivity. When staff and resources are dedicated to compliance projects, business tasks are put on the back burner.
- Intrinsic risk. There may be severe repercussions from the inability to demonstrate compliance with externally mandated rules in a timely manner, including financial penalties or even incarceration.
- Verification. Demonstrating compliance often goes hand in hand with auditability of internal processes, to show the soundness of the processes involved.
Most regulations and policies depend on the use of information, forcing the organization to create repeatable processes for monitoring and controlling data governance. Such data governance policies and processes provide a scalable means of continuously supporting compliance initiatives. They also supply the scrutiny needed to improve data quality assurance and stay compliant with externally mandated business rules.
What is data governance?
Data governance incorporates policies for data quality assurance and ensures that information is usable. Key traits of these data policies include:
- Processes for acquiring or creating data, ingesting that data into systems, and any subsequent transformations, storage, and uses of that data observe collective requirements for all downstream data consumers
- Transparency and auditability of those processes to demonstrate compliance with business regulations
A data governance policy provides the framework for ensuring the fidelity of data when it is used for any business process that relies on information, including internal directives and externally defined regulations or industry standards.
This includes the policies, directives and operational procedures for controlling every aspect of the data lifecycle. Governance covers every practical aspect of data architecture and includes data modeling, metadata management, data storage, data integration, protection, data quality assurance, retention and, ultimately, disposition.
Regulations drive data governance policy updates
All laws, standards and regulations rely on information to demonstrate that the organization observes defined policies. For example, consider the HIPAA Breach Notification Rule 45 CFR §§ 164.400-414, which "requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information."
In other words, if a health care organization's breach exposes protected personal information affecting more than 500 people, the U.S. Department of Health and Human Services (DHHS) must be provided with very specific data. This includes the number of individuals affected by the breach, the exact date it was reported, the type of breach and the location of the breached information. Organizations must also provide a detailed description of how the breach occurred. Compliance depends on producing this specific information when reporting to DHHS.
Data governance practices that benefit GRC
If implemented correctly, there are several aspects of data governance that are particularly valuable to compliance initiatives. Data classification and predetermined information management rules inherent to governance practices will prove useful when developing compliance policies. There are also several other data management strategies that will benefit compliance processes when they are tied together through a mutually beneficial data governance policy:
- Identify dependencies. There are two types of data dependencies inherent to the text of a policy: the data elements, which refer to the concepts that are subject to measurement and, consequently, compliance (such as the data elements constituting "protected personal information"), and the sources where those data elements are to be found.
- Standardize business terms. The data elements may be found in different data sets under different names. It helps to establish a glossary to normalize business terms, data element names and their meanings.
- Document information flow. Document how the dependent data sets are acquired, stored, managed and consumed to identify the points at which data controls should be instituted.
- Specify business rules for compliance. This requires inferring how the policy defines levels of acceptability for the dependent data. Non-conformance with the defined levels of data acceptability indicates potential compliance risk.
- Data quality assurance. Examine how the source data sets "measure up" against the defined sets of dependent business rules and their acceptability thresholds.
- Monitor and control acceptability. Institute control processes to continuously observe ingested data for conformance with the defined business and data quality rules, as well as their acceptability thresholds.
- Report and notify. Develop processes for producing audit reports on data conformance and for generating alerts when the measurements indicate a risk of noncompliance.
Introducing these types of data governance practices enables repeatable processes for managing the information necessary for regulatory compliance. Further steps involve developing the operational models for data policy management, execution and oversight to streamline and simplify how data governance supports the overall compliance framework.