In May 2018, the General Data Protection Regulation (GDPR) came into effect in Europe. Even firms that prepared early for the changes agreed that it’s a work in progress to design a data governance plan. Business experts shared some of what they learned post-GDPR at a September 2018 conference in London:
- Spotify realized that the best quality check was through looking at its data governance plan from a data subject’s trust perspective.
- Adobe discovered that data subjects were more willing to provide data when the company was more respectful of how the data was used.
- Omnicom Media found that to design a data governance plan is a continuous evolution rather than a milestone.
- Dentsu Aegis Network determined that the data regulation landscape is ever-evolving as legislation and lawsuits set new legal precedents.
- LiveRamp UK commented that a privacy-by-design approach is a better universal standard.
The overall insight is that, to design a data governance plan, the data subject must be approached as the central focus — and that the plan should be agile to respond to changes.
Ask important questions about your data
Businesses can take advantage of these insights to design a data governance plan that doesn’t just focus on data value, but also values its data sources. The plan requires solid preparation; lay the groundwork by asking essential questions about your data.
Whose data do you have?
You may have data of European and California citizens. GDPR acknowledges that it’s the strictest privacy policy in the world. The California Consumer Privacy Act (CCPA) is right behind it. To make sure you’re in compliance, you have to sift through all of your data. You’ll want to know whose data you have and why you have it — which allows you to determine if you have quality data in the first place.
A study by MIT in 2017 estimated that companies lose 20% of their revenue because of data quality issues. Spring cleaning is mandatory to design a data governance plan that provides opportunity to prune away low-quality data.
Do you have a data subject-centric mindset?
The CCPA and GDPR are built to protect the data of the very stakeholders that drive business. Companies have ten days to respond to deletion and “right to know” requests by data-subjects under the draft rules of the CCPA. You’ll need to be able to quickly access all of the correct applicable data and respond to consumer requests. When you design a data governance plan, think data subject-centric rather than merely data-centric.
Where is your data?
It’s necessary to identify data that exists in multiple systems, platforms, or storage locations. This requires assessing current data flows as well as quantifying and mapping its management. Assess current data flows along your data supply chain through the collection, processing, distribution, integration, storage, and deletion of data.
Quantify and map present data management and governance — from customer-facing processes to back end office functions. The areas that extract data value and those that are liable for data risk, in particular, are guidelines for razor focus.
Why do you store data?
Ask the important questions about your data sources, data quality, data regulatory risk, and data tech and tools. Also, revisit permissions of all data citizens (any employee who handles data). What service providers or vendors do you share data with — and why? While taking stock of the reasons for data, keep in mind the five “why’s” of data governance.
The 5 “Why’s” of data governance
1. Data regulation
There is no way you can ensure GDPR and CCPA compliance unless you maintain efficient data governance and data management systems. Whether or not you collect data from citizens of the EU or California, expect this to be the name of the game to stay competitive.
Design a data governance plan persistent in the face of any evolving privacy laws. Think long-term to create a data governance plan poised to scale while staying flexible in anticipation.
Takeaway: Be certain you understand the scope of these privacy laws.
2. Data integration
There are few lines of business that aren’t data-driven in some respect. All lines of business must now take ownership of data, this kicks off with education. If data owners, data stewards, and data users don’t understand the importance, they likely won’t be too invested. All internal data stakeholders must be equally invested. Only then can fluid communication thrive in order to meet the response deadlines required by data privacy laws.
Takeaway: Educating internal stakeholders is a fundamental aspect of a robust data governance plan.
3. Data volume
Massive data volume increases risk — both through data breaches and inability to comply with privacy regulations. As the amount of data increases, scalable master data management (MDM) systems become essential. Creative data management, and lean systems built to trim, are critical for unhindered growth. These systems cut unnecessary data and retain only quality data with inherent business value. Before you can structure a plan, you need to know where all your data is, what it is, and why it’s necessary.
Takeaway: Data inventory is a prerequisite to design a data governance plan.
4. Customer focus
From now on, customer data must be treated as though it’s borrowed – you no longer own it. All data now expressly belongs to the customer, and it’s the customer’s right to instruct on what they want you to do with it. All organizations must respond to a customer’s directive regarding their data, and in real-time.
You’ll also need to vet any vendors that process data for you. Under the GDPR, if they aren’t compliant, then you aren’t either. Likewise, CCPA necessitates revisiting your vendor contracts. Map your vendors and define your role with them ahead of time.
Takeaway: Cultivate customer empathy into your design.
5. Tech
A good data governance plan not only takes advantage of available tech, but also searches for areas where new tech can automate scalable data processes. As technologies evolve, the role of AI, machine learning, and other emergent technologies in data management and governance, will increase. Assess your technical assets and decide where adopting additional tools can improve data flows and processes.
Takeaway: Research new tech and be prepared to budget for future tech and tools.
Which data governance plan is best?
There is no one-size-fits-all template for designing a data governance plan and team. The data governance model you design must be flexible enough to mold into your business framework as it exists today. It could be disruptive to impose a model out of convention, especially if it’s not complementary to your business structure.
However, this is not to say that you don’t want to emulate structures that might work well with segments of your business. You are free to customize. Take advantage of the experiences of companies that have walked this path before. Explore data governance plan theory and research data governance plan frameworks that have already been deployed.
What are data governance models?
While the strictness of the CCPA and GDPR are relatively new, data governance is not. Data governance, like many business models, has gone through a variety of iterations. Most are variations of the three most common frameworks:
- Top-down — centralized
- Bottom-up — distributed or decentralized
- Hybrid — centralized control with distributed management/decentralized ownership
The shape of the plan that works best for your company depends directly on your industry, size, business model, and business culture.
For example, a smaller firm with a traditional business model and hierarchical business culture may fit well with a top-down, centralized approach. But for larger firms that practice agile methodology, decentralized ownership may be much more effective and scalable.
The current state of any master data management (MDM) model and governance initiatives already in place will also be instrumental when designing a data governance plan.
Who is your data governance team?
Examine the architecture of your firm in preparation for designing a data governance plan. You’ll want to visualize the integration of a data governance team. The design of your governance plan and governance team are not mutually exclusive.
Highlight existing stakeholders that could be essential candidates for roles in your data governance team. How you assign those roles and titles should be in line with your company’s architecture, rather than by convention.
Set data governance plan priorities
After you’ve assessed your current set up, reviewed key objectives, and explored data governance plans and team models, it’s time to set data governance priorities and goals. It’s critical to take specific steps before you can move on to others.
Until you’ve mapped your data, you can’t identify areas of liability in data storage, management, or governance, a prerequisite to moving forward with your design. Estimate time and human resource costs for each goal so you can create a roadmap with achievable milestones. A timeline with reachable objectives will serve you well if you make a proposal to the executive level to gain sponsorship.
Use the GDPR and CCPA as templates for future data privacy law
Spotify and Adobe discovered that approaching data governance is better done with empathy for the consumer. Omnicom and Dentsu realized that data privacy regulations will continuously evolve with legislation revisions and lawsuits setting precedent. The GDPR and CCPA set the bar fairly high on data privacy laws, and we can expect ensuing regulation to follow their lead.
Consumers are aware of these laws. Transparency about your data governance approach is paramount. An honest appraisal of your current data management and governance systems, while keeping an eye on the rights of your customers, and the other on regulatory policy, is an essential first step to design a robust data governance plan.
