Unravelling data governance

The words “data governance” and “data security” are on everyone’s lips: those of individuals working in the data and marketing sectors, and of ordinary consumers concerned about the vulnerability of their personal information in light of a spate of high-profile data breaches.

Consumer confidence in data management is at an all-time low, and businesses are being held accountable. Any business that doesn’t ensure it has an effective data governance strategy in place is vulnerable to widespread criticism, client loss or, ultimately, prosecution.

But what does “data governance” really mean? When we talk about governance are we all talking about the same thing? Having kept a watchful eye on how this discipline is evolving, I’ve begun to wonder – if there isn’t a common understanding of what “data governance” is, how can we ensure that we’re all working towards the same goal?

As a data marketing business, EHS Brann Discovery faces serious consequences if it does not keep client data safe and secure, and these have the potential to damage our organisation irreparably. We pride ourselves on being early adopters of data governance practices because we understand that governance must be dealt with effectively, at the heart of all we do as a business. I’d like to share our view on what data governance is, and isn’t, and how we’re making it work effectively for us.

Data governance IS a multi-disciplinary approach
Governance ensures that an organisation’s data is trustworthy and fit for purpose. It puts processes and practices in place within the organisation, with people accountable for fixing and preventing issues with data, to ensure the business becomes more effective.

But data governance is not one thing. It is a discipline that comprises a number of distinct areas of data control, each with its own role to play in removing risk and maximising the value of data as an asset to a business. Each of these areas (shown in diagram 1), together with its associated processes and procedures, from data handling through to data auditing, ensures that the data assets of a business are managed properly and are of the highest possible quality.

For a business to be truly confident that it has an effective data governance strategy in place, it needs to have given consideration to each of the component areas and agreed the business requirements, processes, procedures and, ultimately, the people responsible for delivering these.

At EHS Brann Discovery we have done just this, taking each area in turn to build up our overall approach to governance. For example, in the area of “Data Handling” we have created “The Data Journey” and agreed processes for all data touch points in our business: receiving data, storing data, transmitting it, auditing it and destroying it. This was developed with the intention of creating a sense of ownership within the team; our approach is summarised in diagram 2. We believe it offers the right blend of senior management backing, information security best practice, inspiring training and communications, and an ongoing programme of review to ensure our approach to data handling meets all requirements of our business, our clients and the data industry as a whole.

As part of our data handling journey we have rolled out training to everyone from our Managing Director to the Commercial Team, as well as operational and client-facing staff. It’s important that all staff, even those who do not handle sensitive data, understand the impact on our business in the event of a data loss. An internal communications campaign reiterates key data governance messages, and our monthly internal newsletter features a data governance column. We also educate our clients and suppliers in our data journey and processes.

IT solutions are in place to make processes easier for staff, including an email attachment remover and a Media Library System (MLS) to log incoming and outgoing data and provide visibility of all data stored in the company, its location, owner and recommended destruction date. As such we can confidently tell you about every piece of data we hold as a business. Our team is required to undertake quarterly personal data audits including checking for physical data in their work area, computer desktop, local drives and email, with all staff signing a “Data Agreement Form” which is retained on file.

This is one area of our governance model, but we have applied the same approach and standards to each area and are regularly audited by clients and external companies to ensure we can be confident in all aspects of our approach.

Data governance ISN’T…
‘Data governance’ and ‘data security’ are prime examples of terms which are often used interchangeably, yet which have very different meanings. Consider this: an organisation may have effective data security practices in place to protect its information and systems from unauthorised access, use, disclosure, disruption, modification or destruction, yet be unable to prove its data is compliant and fit for use. It therefore cannot claim full control and understanding of its data – the sentiment at the heart of data governance. Data security is actually another component of a much greater discipline; only when all components are in place can an organisation consider itself to have a proficient data governance strategy.

And, all this considered, it still doesn’t mean the strategy is in any way “effective”.

The concluding bit
It’s a certainty that talk of data governance will continue to rumble away in the data, marketing and mainstream media in the future, especially in light of the recent T-Mobile data theft, but it’s also a discipline that will continue to grow in size and expectation. I’d even suggest that it’s only a matter of time before regulation by accreditation becomes mandatory. Yet regulation can only come from common understanding, which is why defining data governance is vitally important. What we have also come to understand is that a definition, just like an effective data governance strategy, is an ever-evolving journey fuelled by an ongoing commitment to review, revise and optimise practices at every step.

KEY POINTS
Our top 5 tips for effective data governance

  • People are the key to delivering success – ensure you have committed people accountable for all areas of your governance strategy.
  • Gain buy-in from the rest of your team – documents, processes and procedures are not enough to change behaviour.
  • Establish some KPIs so you can measure your performance at every step of the journey.
  • Regularly review what you do – data governance is a journey and not an end point.
  • Make it easy – if your processes and procedures are complex they won’t work.

EHS BRANN DISCOVERY
Paul Eveleigh, IT Director