Data Governance Framework: How to level up your data management practice

Most enterprises think they do Data Governance well, and already have a decent framework in place. I’ll be honest, this is partly true, but there are not many businesses addressing Data Governance in its entirety.

June 9, 2022

10
minutes to read
minutes to read

While the term ‘Data Governance’ will be nothing new to many of you in the enterprise space, the definition of what it encompasses has evolved in a big way.

Let me explain.

Data Governance used to be all about security, SPAM, Payment Card Industry (PCI) compliance, and that’s really it. Now, it’s far more overarching, with broader reach across many facets of the business.

The volume of data being collected, distributed, processed, and activated across channels, platforms, and providers, has increased substantially. This has created new challenges with privacy, compliance, and business continuity. While data and its use across the business has continued to evolve, the governance processes have not evolved at the same pace. This has led to large gaps that expose businesses to greater risk.

Like our legal system, the complexity and coverage has evolved over time, as gaps have been discovered and new challenges faced. We may have only started with hundreds of laws, but now we have hundreds of thousands of laws.

However, these measures are often implemented after something bad happens, like a security or spam act breach. So rather than scrambling to make amends after the fact, you should be taking the front foot, and looking at how you can mitigate these issues before they become newsworthy.

Beyond security and compliance, I propose, the quality and accuracy of reliable data to the business should be included under the Data Governance umbrella. With companies relying so heavily on data today, what value is inaccurate data worth to you?

With that in mind, here are five pillars that should be part of your data governance strategy today:

‍Data Security: The security measures put in place to prevent data breaches & leakage.‍
Data Quality: Policies and practices put in place to ensure everyone is contributing to the data framework consistently.‍
Data Privacy: The protection, compliance, and adherence to lifecycle data management.‍
Data Ethics: The practice of ensuring the way you collect and use data adheres to your business ethos, community expectations, and regulatory requirements.‍
Data Auditing: The overarching process to ensure the other pillars are operating correctly.

All five of these areas should fall under the responsibility of enterprise data management and should be treated as equal parts to the success of your Data Governance Framework.

Developing a good data governance function: Where to begin?

You can never mitigate all issues. But ‘good’ Data Governance can only be achieved by investing time and effort into thinking ahead, regularly re-evaluating your goals, and having the people, processes, and tools in place to deal with issues as they arise.

This process starts with a robust enterprise data definition, best documented in a Data Dictionary.

A Data Dictionary should be a living document that describes the data entities used across the business, along with their relationships, field names, data types, accepted values, and privacy classifications to name a few characteristics.

Some great tools exist which tackle this task head-on. But I find a good version-controlled content platform like Confluence works well as a base. This Data Dictionary should be the central starting point for anyone in the organisation who needs to understand what defines an entity, what fields are available, and for what purpose they can be used.

It can and often does include the downstream systems that rely on that data, potentially as sub-documents, which include mapping of source-to-destination fields — along with any transformations that are required for that destination.

Though, a Data Dictionary is not a solution architecture or design document. Its sole purpose is to be your enterprise source of truth for master data definition.

But who maintains these documents and the processes that enable good data governance?

Building a data governance team

Sometimes you need internal people that own a particular role like a security officer, or dare I say, ‘a committee’. It might also make sense to outsource some of those roles, or the crafting of the change management processes that enable those roles to function effectively.

We all know the age-old problem of out-of-date documentation. This frustrating situation is allowed to occur through inadequate process control. When people work off inaccurate source documents, downstream issues are bound to occur.

But who evaluates the impacts and determines the correct processes to use?

For enterprises especially, the formation of a Data Council is becoming a more common mechanism to govern your data strategy. This includes investing in a role such as a Chief Data Officer (CDO) — who often sits as part of the executive leadership team, reporting into the CEO.

How does a Data Council function?

The council itself could be chaired by the CDO and comprise a group of stakeholders from across the organisation. These like-minded professionals will have a vested interest in data, both as consumers and producers.

For example, this could include Product Owners, Business Unit Managers, Data Scientists, Data Engineers, Developers or Architects. The group govern the data structures used across the organisation and the process for change management. They define how entities and properties are named, structured, collected, protected, distributed, and enriched across the data framework.

One of the key responsibilities of this group is to triage requests for changes to the entities defined in the data dictionary.

This governance chokepoint is crucial to ensuring that impact assessments can be more easily evaluated, to reduce unexpected issues in downstream systems and activation points.

The nitty-gritty: taking a closer look at the five pillars of a successful data governance framework

So, now we have a team of stakeholders with the motivation, skills, and responsibility to craft the policies required to deliver a robust enterprise-wide data framework. They’ll also need operational support from the entire business and the managerial oversight to ensure these processes are followed by all.

The team can now focus on the 5 pillars, which must be balanced in unison to deliver a secure, reliable, and compliant data framework which meets business requirements.

Data Security

Security governance deals specifically with protecting sensitive data and the systems it touches, using defined data policies and business processes.

This is a huge subject. Not just because it covers the overarching traditional aspect of protecting data while in transit, storage, and use — it encompasses what the value of data is to the entire business.

Many companies today rely on access to customer data, to personalise the products & services they provide, sure. But they also send this data to external platforms to enable profitable personalised marketing and advertising campaigns.

Some, even outsource parts of their business to external parties, such as their call centre departments.

Sensitive data is now required outside of the traditional ‘enterprise’ and yet, must be secured in similar ways to corporate data. All while enabling revenue streams and smooth operation across the organisation.

So where does traditional security fit in?

The security of data has traditionally sat with the Security Team under the management of the CTO. While I don’t see a need to change this structure, there is a need for the CDO to work in close collaboration with this team to ensure the infrastructure, user management, data leakage prevention, and other governance processes are in place to protect data across the organisation.

Data Quality

Accurate and consistent data is crucial for many aspects of businesses today. It drives functionality like segment performance reporting, campaign measurement, and effective optimisation and personalisation strategies. However, the metrics collected from any MarTech platform should only be used for marketing purposes. Business performance reporting should always be collected from core back-end systems such as Enterprise Resource Planning platforms (ERP’s) and financial accounting systems.

There is no use for bad data. So, ensuring your enterprise Data Dictionary is well maintained is a great start. But what if a development team doesn’t follow it and changes some data types? Or your data collection strategy is not designed in a way that prevents content editors from impacting it?

These are some of the ways that data frameworks break. System integrations, Marketing Automation personalisation logic, and BI tools, to name a few, all rely on consistent representations of data.

We’ve all heard of Quality Assurance (QA) testing and User Acceptance Testing (UAT). Well, the ‘data pipeline’, from collection to activation and to reporting, should be included in this battery of tests.

Whether you include a new ‘Data QA’ role in your team composition, or your ‘Data Officer’ is present for the requirements definition of each platform iteration, Data Governance involvement is crucial. This should include any change across the data stack, including app/web releases, integrations via API or batch and any process that can consume or change data across the data framework.

The quality and consistency of data should be a focus for everyone across the business. When it comes time to updating or designing a new app, page or entire SaaS product, the Data Layer, based off the Data Dictionary, should be considered, tested, and approved as much as the UI.

On that note, automated testing is your friend and saviour here!

Data Privacy

Data privacy is another deep subject that has had its fair share of media attention — and for good reason.

It encompasses the security of data as well as the regulatory policies to which your business must adhere. Even before the advent of GDPR, companies had a ‘duty of care’ to ensure security of their customer data. Since the introduction of GDPR and similar regulations, it has become legislated, with substantive fines and negative brand impact at stake.

Gone are the days when you can include an email address or customer number within an email link. Gone too, is the practice of storing unencrypted passwords or PCI data in databases or hosted systems. I mean, you should never have been doing either of these anyway!

But now, looking at your entire data framework through a privacy lens, also includes evaluating who could access your customer data and whether they need to.

To this end, your team (whether internal employees or external contractors) using your platforms should only have the minimum access required for their role. The analytics team rarely need access to core PII data — not even Last Name, so why expose it?

A well architected group and permission structure are required to ensure the right people can see the information they need and nothing more.

Most modern, hosted platforms allow for ‘federated authentication’, which allows your IT department to centrally manage user accounts, passwords, and access, without logging into multiple platforms.

Some platforms even enable you to implement your privacy rules directly across their stacks. For example, some data may need to be obfuscated in the UI for some roles, whereas other data might need to be redacted from certain integrations and downstream systems.

The platforms and products you consider, may even be strongly influenced by the Privacy requirements you stipulate and their ability to meet your needs.

Whatever the definition of your privacy rules, the process of assessment, enforcement and auditing are imperative to delivering a robust Privacy Framework that sits as part of your Data Governance function.

Data Ethics

Businesses are starting to realise, that ethical use of their customer data is as important a subject as any discussed already. Their customers demand it, and in some cases, the regulation requires it.

Ethics encompasses everything from the questions you ask in forms, the data you collect from websites, apps or call centres, and the way you use it.

In some cases, such as the Insurance sector, which is already highly regulated, it’s common to see some sort of Ethics Committee already in place.

An ‘Ethics Council’ may not be required for smaller businesses, though its function should be delivered by people within the organisation. For today’s enterprise, it’s most often required.

Most of us agree that targeting discount coupons based on age is bad form. But what about targeting power tools to people who identify as men only? Apart from this being an unnecessary limitation in audience size and a poor targeting strategy, it might also not sit well with your customers.

Equally comes the subject of ‘third party data sharing’. Does your business feel this should be forced upon your customers as a condition of your service? Or will you make it optional and offer a solid value proposition in return?

These questions need to be identified, considered and outcomes enforced, as importantly as the Privacy rules.

Data Auditing

Auditing your data framework is required to ensure it functions correctly, or if broken, is fixed in a timely manner. It’s as crucial as financial accounting to ensure money is collected, people are paid, and your services stay connected.

However, auditing your data framework usually involves monitoring many systems, with automated integrations, moving large amounts of data. This is not practically possible with human oversight alone.

Wherever possible, integrations should be designed to retry failed records an appropriate number of times, before flagging the record as ‘errored’ and alerting the appropriate team for remediation.

A good example is consent management. We can all agree that consent is important. But what if a customer changes their email marketing permission status and the system recording the change fails to send the updated value to the Marketing Automation platform?

If a SPAM complaint is made, a regulatory body may ask you to prove the lineage of change and what reasonable steps you took to fix failures. Without adequate alert monitoring and audit logs to track the changes, you may be fined for breach of compliance.

Data Auditing not only provides the safety net for any legal disputes regarding customer data. But also, the comfort of being ahead of discrepancies before they become large-scale issues that impact revenue or reputation.

Your guiding question: Are there gaps to address in your own Data Governance framework?

With so many priorities to manage across a modern business these days, Data Governance is one that justifies being high on your list. The 5 pillars discussed here, are the key focus areas within this deep subject area. Every company needs to consider them. Whether you build this capability internally or outsource the expertise will depend on your company size, risk profile, and many other factors.

So where to from here?

I challenge you to ask yourself these questions:

Do you send unencrypted customer PI data to external parties?
Do you suffer from inaccurate reports or have an ineffective measurement framework?
Are you positive you’re not unnecessarily exposing sensitive data?
Would your customers be happy knowing how you use their data and with whom you share it?
Do you know if errors are preventing reliable integration between systems?

Any company that uses customer PI data should consider an external data audit or review. Especially if you felt uncomfortable reading this article!

The Lumery specialises in reviewing, fixing, and enhancing modern digital enterprise stacks. We get to know your business, your desired outcomes and evaluate the key areas of People, Process, Tech & Data, to identify the gaps and provide solutions to meet your needs.