In previous installments of our data governance series, we answered “what is data governance?” and identified why an organization needs data governance. This third post outlines five steps for implementing a data governance framework.
Implementing data governance can be daunting. The question we’re usually asked is, Where do I start? Well, channel your inner Sound of Music soundtrack and sing along, friend: “Let’s start at the very beginning, a very good place to start…” (And if you’re not at the beginning of your program but stumbling along in the wooded foothills of the business intelligence Alps, don’t worry, you can begin climbing your mountain there, too.)
Implementing a data governance framework is an iterative process.
Data governance is not a project that can be done in a week’s time—and not just because there’s too much work to do! Sure, the work needs to be broken up into executable chunks, but data governance is also a practice that needs to be cultivated and kept alive and vital. It’s a perpetual cycle.
Whether you’re starting a data governance program from scratch or wanting to improve your existing program, start here. And review these items yearly to keep your program fresh:
- Assess your current state: Where am I?
- Make rules about privacy: One of the most important items to tackle today.
- Establish a single source of truth: Where is the best place to get the right information?
- Outline your supply chain of data: Understand the where/why/who about data in your organization.
- Conduct data security and risk assessments: What is important for my business, given our risk profile?
1. Assess your current state
Data is valuable, yes, but a company can’t benefit from that value without the people, processes, and technology in place to mine insights and create data-informed decisions that positively impact the business. Consider your company’s current state for each of these areas.
People. Think about the people in your organization and how they use data to make increasingly better decisions. Assess the current state of people and their roles in data governance by asking the following questions:
- Who is currently making decisions on your platform relating to data connections?
- Who is currently making architecture decisions for your platform?
- Who is currently overseeing access and security in your platform?
- Who is currently responsible for data/platform engagement?
Processes. Proper data and analytics hygiene (data validation and data quality processes) helps make better business decisions, and better business decisions lead to a better ROI. Building proper processes that provide rules for data quality helps build a better understanding of metrics definitions. Improper use of data can lead to unwanted litigation (regarding GDPR, privacy, or security), churn, and loss of market share. One question can reveal a lot about the current state of an organization’s processes:
- What are the current pain points in our processes?
Technology. The technology you use defines who can use the data and what they have access to. Technology makes your data secure and accessible, but it’s a moving target given fluctuations involved in updates, advances, turnover, etc. Technology also makes a difference in how the story of your data is told. Dashboards can either bore or inspire, confuse and complicate or create alignment and action. Ask these questions to assess the current state of your technology:
- Who currently uses the platform?
- What are the data sources for the platform?
- What does the adoption of our platform look like?
2. Make rules about privacy
A hallmark of data governance is privacy-related safety, both for your customers and your company. It’s critical to establish how your company will handle Personally Identifiable Information (PII) and Personally Identifiable Health Information (PHI).
Privacy concerns carry a level of risk in most organizations, but that risk will vary depending on the type of business. Further, these risks are always changing, so you might want to involve a team like Further to conduct a consent management and data privacy audit to truly identify your current state relative to your industry.
Reach out to your chief privacy officer or chief security officer to get more information about your business privacy strategy, but here’s a list of privacy elements to be aware of, since any of these elements could identify a person. You should also be aware of combinations that could identify someone (such as the combo of a zip code and procedure code).
- Name: full name, maiden name, mother’s maiden name, or alias
- Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer ID, patient ID number, financial account number, or credit card number
- Personal address and telephone information: street address, email address, or telephone
- Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
- Biometric data: retina scans, voice signatures, or facial geometry
- Information identifying personally owned property: vehicle identification number (VIN) or title number
- Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person
- Medical: electronic health records (EHR) or prescriptions (Rx)
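The point about combinations can be checked mechanically. The sketch below is an added example, not part of the original post: it measures, for each combination of columns, the size of the smallest group of records sharing the same values (the "k" in k-anonymity) and flags combinations where someone stands alone. The records, the column names (including `birth_year`) and the threshold `k_min` are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data). Direct identifiers such as name
# and SSN are assumed to be removed already; only indirect columns remain.
RECORDS = [
    {"zip": "80202", "procedure_code": "P100", "birth_year": 1980},
    {"zip": "80202", "procedure_code": "P100", "birth_year": 1975},
    {"zip": "80202", "procedure_code": "P200", "birth_year": 1980},
    {"zip": "80203", "procedure_code": "P100", "birth_year": 1975},
    {"zip": "80203", "procedure_code": "P200", "birth_year": 1990},
    {"zip": "80203", "procedure_code": "P200", "birth_year": 1990},
]

def _group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def smallest_group(records, columns):
    """Return k, the size of the smallest group. k == 1 means at least one
    record is unique on these columns and could be tied to one person."""
    return min(_group_sizes(records, columns).values())

def unique_rows(records, columns):
    """Return the records that are alone in their value combination."""
    sizes = _group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]

def risky_combinations(records, columns, k_min=2, max_size=3):
    """Return (combination, k) for every set of up to `max_size` columns whose
    smallest group is below `k_min` (a hypothetical policy threshold)."""
    findings = []
    for size in range(1, max_size + 1):
        for combo in combinations(columns, size):
            k = smallest_group(records, combo)
            if k < k_min:
                findings.append((combo, k))
    return findings

if __name__ == "__main__":
    cols = ["zip", "procedure_code", "birth_year"]
    for combo, k in risky_combinations(RECORDS, cols):
        print(f"{' + '.join(combo)}: smallest group = {k}")
```

In this sample no single column isolates anyone, yet every pair of columns does, which is why a review of shared datasets has to look at column combinations and not only at individual fields.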
Read more about recent privacy changes and how your organization could be impacted.
3. Establish a single source of truth
Is a single source of truth (SSOT) a myth? We hope not. If you can make your team aware of an SSOT, you can eliminate a lot of frustration and build trust. Answer these questions about the dimensions and metrics you are sharing to help identify your data’s source.
- Where did it come from?
- What does it mean?
- What is the context?
- Can we trust the data?
Once you can identify the source for data, keep these points in mind for communicating that source to your team:
- Acknowledge that information may be in multiple places and have multiple meanings.
- Knowing where to go to get that information is important.
- Context can change the meaning of the metric.
Aligning on source is a trust exercise that happens over time, so it’s important to document, document, and continue to document to make sure everyone is clear on where your data is coming from. Documenting the metrics used in databases, reports, and BI dashboards helps people understand the meaning and context.
For example, if you have a dashboard with various metrics, you should create a definitions section or page that lays out the rules for interpretation. Include information about where it came from, how frequently the data’s updated, and what it means. In some cases, it may be important to include instructions on how to interpret the data, along with including the formula that gives it context.
4. Outline your supply chain of data
Organizations have their own supply chain of data. The one pictured is generic and should be modified to fit your organization. This supply chain includes the activities that need to happen for the collection and dissemination of information to stakeholders. These activities help create the policies and procedures to support data processing correctly and reliably, they enable people on the front lines to find the right data, and they serve as guide rails to ensure that the entire supply chain of data is being used to help meet business goals.
- Data processing activities are the activities used to support the processing of data in your organization. Data validation is a key component of making sure your data is accurate from source to data store to BI tool.
- Management activities are the methods used to manage these activities.
- Business processes are the subject areas or business units that will use the data for decision-making.
5. Conduct data security and risk assessments
Securing data is more essential today than ever. Data breaches are on the rise, customers are on high alert for real risks, and brand reputations are at stake. Here are some key things to look out for when performing data security and risk assessments:
Social engineering (a non-technological way of using human interactions to steal data):
- Does your organization have training sessions for new hires and ongoing training to help staff identify and avoid social engineering situations?
- How can you help staff better understand and be prepared for this type of situation?
Yearly review of data access policies:
- Business changes frequently and thus so might your access policies.
- As advancements in technology make processing data quicker, the risk of a hack or data breach increases.
- Conducting reviews on a regular basis (no matter how boring it might be) will help you keep on top of things.
- If something changes, do not wait for the yearly review and update of policies—do it now. These policies are as much alive as your business is, so you need to make sure they are up to date to help staff with the procedures they need to follow.
Know the risk level for each data category in the organization (see Risk Matrix, below):
- Categorize your data into subject areas such as marketing data types, patient data, and financial subject areas.
- Conducting a risk assessment brings everything into the open, revealing the workplace reality of risk.
- Keep an open mind during the assessment so areas are not blocked from the discussion.
- Conducting an assessment on an annual basis helps identify new potential risks.
The Risk Matrix below is a tool that can be adapted to your organization to assess the risk in a visual way. Here’s how to use it:
- For each of your data categories, assign a severity value of 1-5 (with 5 as the highest risk and 1 as the lowest risk). In this case, “severity” means, “how bad will it be for us if stuff goes wrong in this category.”
- Next, assign a likelihood value of 1-5 (5 highest risk/1 lowest risk) to each category. In this case, “likelihood” means, “what’s the chance of something going wrong in this category.”
- Interpret the matrix: The orange areas are the very high risk items and the green are the lowest risk items. Orange items should be reviewed on a regular basis.
- Review the Risk Matrix with stakeholders.
- Assess yearly to understand the changing business landscape, such as GDPR and CCPA.
The discussion of risk that the Risk Matrix starts is about awareness: making sure institutions talk about these risks and think about how severe they are. If they’re very severe, you need to discuss mitigation efforts, including policies and procedures to guide risk attenuation. You’ll never eliminate risk entirely—it’s business!—but you can make clear-eyed plans for dealing with risk across your organization.