Even if you just passively follow the data management space, you've no doubt heard a lot about the practice of data governance over the past several years. If you do a Google search on terms related to the pillars of data governance (people, processes and technology), you'll get dozens of results. While data governance has evolved with the IT space over the years to include new technologies and different employee roles, one thing has remained constant: The universal belief that governance is crucial to an organization's long-term success.
You might expect the number of in-production data governance programs to be soaring due to industry interest and ongoing marketing efforts by vendors. But like many things in life, perception and reality don't match. To highlight this fact, take a look at these key points from a recent TDWI study:
- 50% of surveyed organizations considered their data governance to be “tribal,” meaning there was no formal enterprise governance.
- Even fewer respondents (43%) said their organizations had a centralized governance committee – an institution that brings business and IT leadership together to set governance rules and policies.
- Nearly half (48%) agreed that governance in their organization only covers corporate assets such as the enterprise data warehouse.
Can we afford to forget about data governance?
One reason data governance has developed such a bad rap relates to the debate about what's coming next for data governance. As this Forbes article explains, many consider data governance to be "dead," and bogged down with spreadsheets and meetings. I can say without hesitation that the option to forget data governance and move on is not feasible. With the vast amount of unstructured data that's flooding organizations today, the onset of data lakes, and self-service data preparation (just to name a few), data governance is more relevant than ever. Public sentiment is also a factor – many individuals are rethinking how organizations should manage their personal data in the wake of the Cambridge Analytica/Facebook incident.
A more valid question to ask at this point is this: How can we finally make data governance stick?
GDPR: A reason to embed data governance across your organization
For many companies, the blueprint for data governance is ready. It's in the form of a regulation that's effective May 25, 2018: The General Data Protection Regulation (GDPR). Consider some of the components of the law:
- Right to access. Data subjects as outlined by the GDPR have the right to obtain from the data controller confirmation as to whether or not their personal data is being processed, where and for what purpose.
- Right to be forgotten. Also known as data erasure, the right to be forgotten entitles the data subject to ask the data controller to erase his/her personal data, cease further dissemination of that data, and potentially have third parties halt processing of that data.
- Privacy by design. Privacy by design calls for organizations to include data protection principles and practices from the onset of system design (rather than adding them on later).
- Data minimization. This calls for controllers to hold and process only the data absolutely necessary for the completion of their duties, as well as limiting access to personal data to those who need it to perform processing.
- Data protection impact assessment. A DPIA is required when the “processing of data is likely to result in a high risk to the rights and freedoms of natural persons.”
This small sampling of what the GDPR entails speaks directly to what is needed for an enterprise data governance program. Think about some of the similarities between the GDPR requirements and data governance. Proper data governance that sticks involves having access to all your data and ensuring you perform essential tasks such as identification analysis, data quality (to standardize and match records), personal data term definitions, user-based data masking, data encryption and metadata management. Everything that is imperative for data governance is, point by point, required for the GDPR.
Interamerican and Telia Denmark are two companies that are using the GDPR as a catalyst for long-term success. Both deal with millions of customer records, so being able to comply with the GDPR was of utmost importance to their businesses. During the process of working toward compliance, something interesting happened. Both companies began to see added benefits from their GDPR programs – they saw their GDPR work turning them into organizations that successfully governed data at an enterprise level.
What was once a burden has turned into an opportunity – an opportunity to use the GDPR as a way to make data governance stick.
It has been really positive to see that we are achieving a level of data quality of which we might not have been sufficiently aware had we not started this process.