There are many reasons why organizations design, develop, and deliver Data Governance Programs. Typical reasons include improving data quality, improving analytical capabilities, resolving known data issues, improving understanding and accountability for data, assuring regulatory compliance, etc. The list is lengthy. The protection of data, personal, health or otherwise, has been steadily bubbling to the surface as the most important and easier place to start. I didn’t say “easy.” I said “easier.” Let me explain.
First of all, gaining consensus on the need to protect data is a no-brainer. The government (wherever you are) is telling you that you must protect the data and be able to prove you are doing so. There are lots of rules around protecting data. Everybody needs to be aware that there are rules, be told the rules, be told how to follow the rules, and follow the rules. Sounds pretty easy.
That is … unless your organization has never protected data before.
While meeting with a client the other day, I shared four progressive statements, basic principles so to speak, about data governance that are associated with protecting data. While my client was quick to write them down, he quickly noticed that these statements build on each other and can become the basis of protecting data through data governance.
The principles are:
- Your customers think that you are protecting their data.
- The government says you must protect their data.
- Senior leadership says we will protect their data.
- Data governance tells us how to protect their data.
Allow me to quickly walk through each principle.
Your customers think that you are protecting their data.
This is a fact. You will lose your customers if they have the slightest notion that their data is not safe while under your care. I have always said (to some people’s chagrin) that the auditors are your friends. I say that because the auditors are the people in your organization who can tell you that you are protecting your data in a demonstrable way. I suggest that it is better to engage your internal auditors proactively rather than to wait for an assessment report from an external source (read – bad news!). The chances are that you and your organization already know if you are doing a “good enough” job of protecting your customers’ personal information. It is not enough these days for the customers to trust that you are protecting their data. I am guessing that the day is coming that customers require proof.
The government says you must protect their data.
This is another fact. You cannot argue with it. A quick Google search on “protect customer data” returns over 119 million results, mostly from companies looking to help you protect your data. This result led me to believe that somebody is telling organizations that they must protect their data.
Over 75 countries have adopted comprehensive data protection laws, including nearly every country in Europe and Latin America. The U.S. is noteworthy for not adopting a comprehensive privacy law; instead the U.S. has adopted laws specifically targeted at financial, medical, political, and internet privacy. Specific privacy is even guaranteed in the Constitution of the United States. The government takes privacy very seriously and the rules are getting stricter. I am guessing that the day is coming that the government will require that organizations demonstrate that they are following the law and protecting their customer data.
Senior leadership says we will protect their data.
This principle may not be based on fact. It is my experience that Senior Leadership must say that their organization protects sensitive customer data, but they may be less certain that their data is being protected appropriately. To assure that their organization is protecting data requires that every single person in the organization is aware of the rules and held formally accountable for how they handle sensitive data. In many organizations, their people are unaware unless there is a specific activity targeted at making them aware and another activity targeted at making certain their behavior is adjusted to follow the handling rules.
Sensitive data includes personally identifiable information (PII), personal health information (PHI), and increasingly intellectual property (IP) — just to name the most obvious categories. No matter the industry you are in, there is data that has to be protected. Your Senior Leadership says you will protect sensitive data. The question is how?
Which leads us to the fourth and final principle.
Data governance tells us how to protect their data.
Read that principle a few times. While it is common knowledge (at least for data practitioners) that Data Governance can do many things to improve the value of your organization’s data (refer to the beginning of this article), organizations are still looking for ways to get started in governing their data. Protecting sensitive data is a great way to get started.
If you agree that people’s behaviors must change in order for data to be protected, then the organization must focus on specific activities that assure that type of change. The activities include, to name a few: the definition of roles and responsibilities, the best practices, a communications and awareness plan specifically around Data Governance (and the protection of data), the development of thorough education and delivery of these materials, and many more.
But one thing is for certain. Data Governance, defined by yours truly as the “formal execution and enforcement of authority over the management of data,” should include a protection component.
Data Governance tells us how to protect data. As usual, I suggest that organizations stay non-invasive in their approach to Data Governance. Protecting data must start with increasing people’s awareness of the rules and how to enforce those rules.
Conclusion
Improving data quality and analytical capabilities, resolving data issues known and undiscovered, improving understanding and accountability for the data, and so on and so forth are all results of organizations governing their data. Much is written and spoken about successful Data Governance programs in these areas. Your organization may have even started with one of these focuses and if you did, I hope you are being successful.
Protecting customer data is also a great place to start a Data Governance program. In the Non-Invasive Data Governance approach that I use and write about very often, people in your organization become data stewards (meaning they have formal accountability for protecting data), just because they come in contact with sensitive data.
Therefore, these Data Usage Stewards must learn and abide by the rules associated with the handling of sensitive data. The first step toward the goal of protecting customer data begins with raising the level of awareness of people in your organization. This goal is relatively easy to achieve when compared to the effort required to achieve the results mentioned in the first line of the conclusion to this article.
Organizations should not hesitate to initiate their Data Governance program by focusing on the protection of data. Protecting customer data is a great place to start. Feel free to share where you started.