Crafting a Robust Data Governance Policy
10 Must-Haves for Organizational Success
If your organization is updating its data governance policy or writing a new one, this article can help you identify the essential pieces that should go in your policy.
Good governance and management of data is a fundamental part of any large organization's operations and of its ability to communicate both internally and externally. Your data governance program needs to be nested within the company’s operational structure and lay the foundation for how your teams manage their data. The primary goals of the policy should be to enhance communication and mitigate risk.
Prior to writing or updating the policy, a few items help greatly if they are completed first:
The organization’s data is inventoried, categorized and classified
A data governance manager (could be a CDO, CTO or CIO) is assigned
A data governance team and/or committee is selected to review the policy and facilitate the governance program
The structure of your policy depends on the size of your organization along with its complexity and risk. Writing an effective policy requires collaboration among different specialties, so assigning leadership and a team to gather input and write the policy is critical. The data governance policy is likely not a one-stop shop; it should refer to associated policies that are more specific to data management and to applicable regulations. Policy compliance measures can be built in, contained within separate policies, or made part of separate contracts. With this in mind, below are the ten must-haves in a data governance policy.
1. Purpose and Scope: This first section outlines the purpose of the policy (e.g. to ensure the proper handling, storage, retention, and disposal of data). It also specifies the scope: who it applies to (some departments or users may have separate policies) and what types of data are covered. It is written with the goal of enhancing the business’s communication and mitigating risk.
2. Data Ownership: Up front, it is best to clearly delineate organizational responsibilities. This section should sit near the beginning of the policy and state who owns which data and who is responsible for maintaining it.
3. Roles and Responsibilities: Since most readers just want to see what pertains to them, it is important to list roles and responsibilities explicitly. This section defines what each individual or team must do. It also forms part of the foundation for documenting how your organization complies with laws and contractual obligations. Compliance requirements and penalties for not following this policy can also be built into this section. Some roles to consider include:
a. Data Custodian - handles the safe storage, transport, and maintenance of data, ensuring that technical implementations adhere to the organization's policies.
b. Data Steward - upholds data quality and helps align data usage with the policies and guidelines set forth.
c. Data Architect - designs and manages the organization's data infrastructure, aligning it with strategic goals.
d. Data Analyst - interprets and analyzes data to provide insights.
e. Data Protection Officer - under GDPR (for those operating in the EU), oversees how the organization collects, stores, and uses personal data, ensuring compliance with applicable laws, regulations and policies.
f. Chief Data Officer - as a senior executive, holds strategic responsibility for the organization's data use, driving the implementation of the policy across all levels of the organization.
g. Data User - relies on access to data to perform their job duties; their usage must meet the rules and standards outlined in the policy.
h. Training and Awareness Manager - responsible for educating staff about their roles and responsibilities and promoting awareness of data management best practices.
4. Data Classification: Data needs to be classified according to its sensitivity level to determine the appropriate level of security controls. Your organization’s definitions for its data classifications go here.
5. Data Quality: Your data quality lead should help write this section and ensure it is aligned with their existing quality efforts. It includes standards for data accuracy, completeness, consistency, timeliness, and relevance. It is a best practice to tie the data quality program to metrics that track, assess, and redirect data governance efforts.
6. Data Privacy and Security: Your organization needs basic procedures for protecting data from unauthorized access, alteration, or destruction, in line with applicable data protection laws and regulations (e.g. FISMA, FERPA, GLBA, California’s CCPA, or the EU’s GDPR). Handling, usage and access should be covered here or in separate identity and access management (IAM) or acceptable use policies (AUP). This section can refer to sub-policies such as data loss prevention, security awareness training, and onboarding. Basic risk management and controls could include encryption and masking, approved data sources, notices, and the right to be forgotten.
7. Data Sharing and Disclosure: These guidelines explain under what circumstances and with whom data may be shared or disclosed. Regulations and standards such as HIPAA and PCI DSS, as well as contractual obligations and risk, will shape this section.
8. Data Backup and Recovery: The organization’s backup and recovery plan is critical in the event of data loss. Applicable laws (e.g. Sarbanes-Oxley), contractual obligations, and risk management requirements concerning provenance and audit trails will also guide this section. Planning for recovery ensures business continuity in case of unexpected events. This section needs to reference a separate policy or clear guidelines for how often backups are conducted, what data is backed up, and where it is stored; the management and details of recovery itself belong in that separate document or policy.
9. Data Retention and Disposal: This section details how long different types of data are retained, and how data is merged, migrated, or securely disposed of when no longer needed. Again, laws, regulations, contractual obligations, and risk management should be taken into consideration.
10. Policy Review and Update: The frequency of policy reviews and updates is defined here. This provision and its enforcement keep the policy relevant and effective.
A data governance policy is not just a static document but a dynamic tool that should be adapted to the specific needs of your organization. Its implementation has to be a priority, as it forms the foundation for how data is managed and used. Good data governance means that data is treated as a valuable asset, with clear standards and procedures in place to maintain its quality, security, and privacy. Effective data governance is not just about having a policy in place, but also embedding its principles into the fabric of your organization’s culture and operations.

