Turning data governance policy into practice

x-icon

Five practical and actionable priorities from leading UK companies

Here’s the story you don’t often hear about data governance…

It’s the bringer of opportunity to ensure your organisational success.

A lot of media coverage to date has focused on scaremongering around breaches and fines, but data management is fundamental for organisational success because once you’ve distilled the actionable insight, you uncover and can harness the value locked within it. Marking the next phase in data governance, 2020 will be the year when data shifts from being a liability to a business asset, where compliance moves beyond a tick-box exercise, and where data governance policy turns into practice.

“GDPR formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.”

Elizabeth Denham, Information Commissioner’s Office

 

For the practical implementation of effective data governance programmes, data professionals have 5 key priorities:

 

1. Win hearts and minds around data governance: The senior leadership team has to be united in making employees aware of their personal responsibilities around data governance policy.

2. Align with company mission and values: Just as the company values guide how decisions are made, they also need to guide how data is used as part of business-as-usual.

3. Empower ownership and responsibility: Data privacy is everyone’s responsibility. To encourage ownership, make data real by showing it’s not just a number, it’s a person’s actual identity.

4. Automate data governance policy and embed within business processes: Having visibility over the entire data estate, across structured and unstructured databases, allows you to reveal data, manage it and mitigate risk.

5. Excite the organisation around data as a valuable asset: To better engage the C-Suite, reframe data so it’s perceived as a positive business driver and a bringer of opportunity, rather than a business liability.

 

Report methodology

The insights shared within this report were acquired during a roundtable discussion with a select group of data specialists, from leading UK companies, which was hosted by Exonar and chaired by its CEO and Founder, Adrian Barrett, and Alexander Brown, Partner in the Information, Communications & Technology Group at Simmons & Simmons.

“In the past two years, I’ve been witness to not only great change, but also a great deal of consternation around how to employ best practices around data governance in light of GDPR. It is clear that 2019 was a banner year for data privacy, and this will only continue forward into 2020 as our approach to data governance and regulation matures. As we enter a new year, I hope we will see change become practice, and policy an integral part of business-as-usual.”

Alexander Brown, Simmons & Simmons.

Also present were: 

  • Lead data protection counsel and DPO, healthcare industry. 
  • Privacy business analyst in a leading European investment and asset management company. 
  • Expert risk, privacy and compliance director of an international telecommunications company. 
  • Fraud, risk, and security expert, multinational telecommunications conglomerate. 
  • Compliance counsel at a global commercial real estate company. 
  • DPO at a global financial services organisation.

"Having a strategic data protection policy in place not only ensures the safety of the data, but also optimises its use to achieve strategic business objectives. That is why data protection policy must be so much more than a tick-box exercise. That policy must also be integrated at the highest levels of the organisation as business-as-usual.”

Adrian Barrett, Exonar 

Priority 1: Win hearts and minds around data governance

According to our panel, the need for data governance is now generally understood and accepted, but not all organisations are aligned on how to roll it out as part of business-as-usual. In many cases, it’s still left to one part of the business to manage, despite it being something that touches every function, and that every employee is responsible for.

For many compliance officers around our table, a key challenge in the post-GDPR world has been enabling data governance by winning the ‘hearts and minds’ within the organisation. During the discussion, one of our specialists, a compliance counsellor at a global financial services organisation, described how it’s common for employees to be unaware of their personal responsibilities regarding data governance policy.

Action i: Get the board on board

Our panel all agreed that change needs to come from the top, because if the senior leadership team isn’t united, pushing the data governance agenda and educating employees on its importance, will be virtually impossible. Simply enforcing policy isn’t enough, either. The key to getting buy-in is to provide insight around how data governance applies to each specific job function, as well as the wider organisation.

One of our panel, a fraud, risk, and security expert for a multinational telecommunications conglomerate said: “When GDPR was coming down the pipe, we had a problem with implementation. We needed to change the culture, so we used an internal communication channel and our C-level video chats each quarter to talk about GDPR. This way, we got it into the culture. We created one-pagers about what you needed to know and created a culture where people bought in.”

Things to think about:

  1. Can you value the risk in your data? The ICO fines for Marriott and BA equated to ‘say’ £1 for every record affected. Work out how you’d calculate yours.
  2. Work out the total cost of a data breach. Here’s a handy calculator from the Ponemon Institute https://databreachcalculator.mybluemix.net/
  3. Look at how and where a breach would damage your reputation. Read our blog on data breaches and trust: https://www.exonar.com/data-breaches-and-trust-what-can-the-ciso-doto-manage-reputational-risk/ 

 

Action ii: Make people think differently about data – It’s not just a risk, it’s an asset too

Our panel was united in their view that simply stating the importance of data isn’t enough. First, the senior leadership team needs to buy-in to the idea that data is valuable, but only if it is managed and actioned appropriately. The panel agreed that data is a key business enabler that organisations can’t afford to get wrong. To win those hearts and minds, data governance professionals must focus on positioning data policy as a business facilitator and a bringer of opportunity, rather than a difficult and painful process.

“There are different perceptions of data governance processes depending on different parts of the business. I want the DPO and the data protection counsel to be seen as enablers, helping the business move forward.”

Lead data protection counsel and DPO, healthcare industry

 

“There are only so many times you can warn people about the ramifications of having data which you don’t have the right to retain. You need to take a hearts and minds approach instead. So, in our business we changed track and asked our chief execs what they wanted to achieve with our data in the next few years. And off the back of that, we saw change at the exec and senior leadership team levels. The focus changed to seeing data as intrinsic to the business, as the enabler and opportunity, and not one to waste. Ultimately, we communicated our compliance message around business success and business objectives,”

Privacy business analyst in a leading European investment and asset management company

 

Things to think about:

  1. Use your internal communications channels to communicate to everyone – can you use company newsletters, video channels, internal chat forums?
  2. Get creative with your messages and campaigns to remain top-of-mind.
  3. Could you align to existing internal focus or programmes on data as an asset?

Priority 2: Align with company mission and values

Some members of the panel talked about how their most successful data privacy programmes had aligned to the company’s corporate vision.

But more important than that, the programmes aligned to the company values. Those values are the guiding principles that govern how decisions are made. In their experience, only when data governance programmes aligned with the company values, could they achieve buy-in and adoption across the business.

 

Action i: Use a cross-functional group to put the plan into action

An expert lead compliance counsel at a leading multinational telecommunications provider explained how they put this into practice. Only when they had mapped the programme back to their company values of trust and allegiance to client interests, could they set the context and establish gravitas around data governance. A cross-functional group was then able to successfully put the plan into action. And by aligning to the company’s values, there was never any ambiguity on the need for data governance. Just as a company’s vision and values drive the big strategic decisions, it’s equally important that they underpin decisions taken lower down the chain of command as part of business-as-usual.

Things to think about:

Who would you have in your cross-functional group?

We’d suggest someone:

I. Responsible for interpreting regulation and creating data governance policy (e.g. the DPO).

II. Responsible for understanding data risk, e.g. the CISO.

III. Responsible for implementing tools and processes to comply with regulation and risk, e.g., the CISO, Governance or IT.

IV. In infrastructure ownership.

V. Representing the business, in other words the people who have to work with those tools and processes on a day-to-day basis.

 

Action ii: Keep reinforcing your data principles across the business

The data protection counsel and DPO in the healthcare industry shared how their corporate vision and principles define everything they do in relation to data. 

“You’re more likely to get buy-in if you tie it into this vision and company principles. This worked really well at my company.”

 

A legal counsel gave the example of a company that has 

“Strong data principles that were set 50 years ago and have never changed. They stick to them even if they cost the business money. It’s super important that everyone follows principles from the top. It’s important to distil this into the principles of the business and to live them top-down.”

 

Things to think about:

  1. Keep reinforcing your data principles across the business.
  2. Get the internal comms team on side to help run campaigns.
  3. Organise short bursts of training and nudges throughout the year as opposed to one course.
  4. Rather than use a traditional ‘carrot and stick’ method for enforcing policy, why not try to make it fun and engaging? For example, if you leave your laptop open at Exonar, you get ‘sieved’. At the end of the year, whoever has been ‘sieved’ the most wins the golden colander in recognition for being the leakiest.

Priority 3: Empower ownership and responsibility

One of the big issues surrounding data protection for our panel is the lack of ownership within an organisation. When data becomes an asset that is owned by someone, individuals are reluctant to take ownership. So the big question is…

How do you establish ownership of data across the organisation?

Because when ‘the sh*t hits the fan’, it’s the person closest to the data who is accountable for it, despite data governance being everyone’s responsibility.

 

Action i: Clearly appoint your data owners

A privacy business analyst in a leading European investment and asset management company, said it is very important that there’s data ownership in his company. “If you manage a database, you are responsible for ownership of that data. If the ICO came in, you have to have someone managing the data.”

However, a legal counsel summed up what often happens, when he said, 

“People can be territorial about their data until it goes wrong. Then it’s not their data.”

What our panel agreed was that data privacy is everyone’s responsibility, even though ultimately there will be one data owner who is accountable. It’s why communicating the importance of data stewardship – from the senior leadership team right through to the frontline staff – is crucial, and why it needs to be reiterated again, and again, and again…and again.

Things to think about:

  1. Make your data protection rules simple: create 5 rules, not 5 pages of rules. The simpler your data privacy programme is, the more chance it has to be successful.
  2. Put data into categories, highlight the characteristics of those categories and how you expect the data within them to be handled.
  3. Write short policies that are realistic, useable and memorable.

 

Action ii: Help the team understand why the rules relate to their role

This can be done in several ways, but the key is to build relevance into that communication – don’t just tell people why data governance is important and that they need to be doing it, win them over by showing them how it relates to their specific role or function.

At the mid-level, one tactic that has worked well for several DPOs on our panel, is raising awareness around the real threats associated with improper data practices. By highlighting that data isn’t just numbers or information, it’s a person’s actual identity, it really brought the seriousness of data stewardship to life. Making data real moved the process of data governance from being viewed as a burdensome exercise to a powerful responsibility.

Things to think about:

  1. Consider tools like Exonar Reveal that empower your people to take ownership and responsibility for data.
  2. Monitor compliance to your data governance policy through a ‘workflow engine’ that identifies where they aren’t being followed, and nudges people to do the right thing. We enable this through the Exonar Resolve product.
  3. Think about how different technologies can work together to deliver on your objectives, for example data found to be sensitive is passed to another system for classification and encryption.

 

Action iii: Develop bespoke training programmes tailored to each role

A panellist from a telecommunications company said the key to engaging internal teams is making training around data principles fun, and not using generic materials. He said the key is to target smaller areas specific to what people are working on, because generic training doesn’t resonate.

“We ran internal campaigns that brought GDPR awareness to life. We built in real examples in ongoing newsletters that came out weekly.”

Fraud, risk, and security expert, multinational telecommunications conglomerate

 

He described how his company developed bespoke training programmes that were relevant to the different levels and business units:

  • The training employees received provided a broad overview and underpinned the relevance of data governance to their particular role.
  • The training materials ‘spoke’ to employees in the same casual, irreverent tone that the company was famous for, so they truly understood data governance and their role within it.
  • The actions to be implemented were connected directly to each role, which made people feel personally accountable.

Things to think about:

  1. Build simplicity and relevance into your communications with teams.
  2. Help them understand why the rules relate to their role and the importance of customer trust.
  3. Develop and evolve training programmes, keeping them relevant.

Priority 4: Automate data governance and embed within business processes

We asked our panel how they get people to do what they’re meant to. And when an organisation has thousands of employees, can technology help to automate governance as part of business-as-usual?

Action i: Start simple by identifying what your data governance priority is

One of our panel, compliance counsel at a global commercial real estate company, commented:
“For us, automation is key. We are very good at buying technology and software, but we have so much of it that we don’t know how it interoperates. We need a global data protection software that gives visibility across the whole organisation and transparency so it’s not all held in one place but can be accessible everywhere, allowing us to see how we manage subject access requests, records processing, data mapping. In 2020, we will see a big push around automation.”

 

While automation is a priority, it was pointed out that some of our group were not technology experts. While they knew that new technologies would be an important part of the answer to governance automation, they were unclear on how that could be done and from which vendors.

 

Action ii: The first step to mitigating risk is revealing what’s in your data estate

Our group agreed that a successful approach to ensuring compliance is taking steps to fully integrate it into the business process itself. For example, having the ability to see what’s in the data estate, across structured and unstructured databases, to clean up data so you’re able to distil the value locked within it, as well as take remediation actions to mitigate risk.

The privacy business analyst in a leading European investment and asset management company, commented that 

“Group wide, our programmes are all dependent upon having clean, accurate, up to date, information to enable the business to drive its commercial goals. We are looking at Exonar’s capability to create a single view of data, linking contacts, data portfolios, procedures, policies, and so on, into a holistic framework.”

 

Things to think about:

  1. What combinations of technology can help you achieve your objectives?
  2. Is the data to be governed unstructured (documents, emails), or structured (databases). Where is this data stored?
  3. Is the data you are looking to govern primarily in one system, or scattered across the organisation?

 

One more thing to think about:

Technology approaches to automation

Indexing data at scale and maintaining that index, is a great way that Exonar’s products differentiate from other forms of ‘data discovery’. Think of it like Google within your company, with instant results to find data of any kind, always up to date and ready to spot changes or non- compliance.

By indexing data across all of your organisation’s estate, not only can sensitive information be immediately found, but the same searches against specific policies can be repeated on an automated basis.

We believe that this is what automation of data governance should look like from a technology perspective, but of course we would say that having developed it!

Alternative approaches might use in-built search tools in specific systems, such as Microsoft Exchange for email, to find examples of non-compliance to policy. However, drawbacks of this are numerous, in terms of the narrow scope of search, the ability of those tools to properly read the content in the system, and limitations on accurate classification of content found.

For more information visit our website at www.exonar.com

 

Action iii: Run automation rules to bring data governance policy into practice quickly with ongoing monitoring

Then the holy grail is to automate these processes as much as possible, using the right blend of technology to help manage information governance at scale. In her plans for 2020, a DPO at a global healthcare provider commented:

“I want to have an automated data protection and governance process in place to create a single company narrative and drive efficiency.”

 

Things to think about:

  1. Use workflows to automate searches for policy infringement in your data on a daily, weekly or monthly basis.
  2. Run data governance policy searches on all of your data to reveal where they are not being adhered to, and specifically who isn’t following them.
  3. Configure auto-alerts via email to remind users when information is stored incorrectly or is past it’s retention period so they can take remediation actions.

 

Action iv: Implement processes for continuous improvement

It’s also important to have visibility over the extent to which data governance policies are followed, and to identify where the process has become so difficult that it’s slowing employees down or getting in the way of them doing their jobs.

Managing data retention is an issue for a data protection officer at a global financial services organisation. “We are working towards compliance in retention. We set a retention period, and we set a rationale around why we keep data as long as we do. As a result of that work we were awarded the budget to scrutinise our systems and work out which ones carry personal information and which data is at a certain age.”

What’s clear from hearing the group’s experiences is that when data policies are part of the operational workflow, data governance becomes an integral part of the business output, leading to greater efficiency and compliance across the board.

Things to think about:

  1. In order to objectively monitor progress, measurable benchmarks need to be established.
  2. If you were using Exonar’s workflow approach to automate searches for non-compliance, it becomes easy to measure and plot the number of infringements found over time.
  3. If the trend is declining, the organisation is improving, if rising, more needs to be done to win hearts and minds.

Priority 5: Excite the organisation around data as a valuable asset

“When you ask people whether data is an opportunity or a risk, most will say that it is both.”

A fraud, risk & security expert in a multinational telecommunications conglomerate told us this in response to questions about winning support for better information governance.

 

Yet attempting to secure funding for data governance can be tough. So often, people see data simply in terms of a risk. But our panel told us that when data is framed as a positive business driver, they had more success in engaging the C-suite and winning investment.

It’s the difference between a message that says:

“If we’re breached, the ICO will impose a massive fine.”

Or a message communicating:

“Data is a massive, untapped asset within the business to drive growth.”

Unsurprisingly, the second option is the one that our panel have seen better results with.

 

Action i: Change the conversation about data from risk to asset

By changing the perception that data exists as a business liability to one where it’s viewed as a key business asset, you can put forward the case that good data governance practices can turn your company’s data into clear business value.

“Just by shifting the view of data’s value potential and linking it to governance, it’s possible to get top brass on board with the importance of data governance. And it might even make them see data governance as something advantageous to the business, rather than as a set of bureaucratic handcuffs,” 

A leading European investment and asset management company.

 

“Use a company’s immaturity to your advantage and educate them about its business value”. Using this approach became the only way they “were able to secure the levels of investment required to fund better governance within the organisation.”

 

“We must move the mindset away from data as a part of risk, compliance, and legal. Instead, we must look at data as intrinsic to business.”

Data protection officer, global financial services organisation

 

What’s interesting is that using data as an asset is not specific to mature organisations only.

“Organisational maturity isn’t a prerequisite to initiating positive change. You can use a company’s immaturity to your advantage by speaking to it directly and showing the bottom-line benefits of implementing change.”

Business analyst, European investment and asset management company

 

Things to think about:

  1. How and in which areas can your organisation’s data be turned into clear business value?
  2. Is there a ‘data as an asset’ programme already underway that could establish governance of data as an asset and a risk?
  3. Talk to Exonar about indexing 2 million items, or 1TB of your data as a pilot to uncover ways that this could help your organisation. That way you expose a snapshot and shine a light on what you could do with your data.

 

One more thing to think about

Data governance in 2020 and beyond

As we enter the next decade, 2020 clearly marks the next phase where we see a shift from data governance policy, into practice and it becoming part of business-as-usual.

The bonus is that GDPR has now been in effect for a couple of years, which provides the opportunity to reflect on the lessons learned, both internally and from the wider industry, to continuously improve how you approach data governance.

2020 needs to be the year when we stop viewing data as a business liability, there to expose your organisation to breaches that result in catastrophic fines from the ICO. Instead, it’s time to change your perception and view it as a business enabler – data as the bringer of opportunity to ensure your organisational success in 2020.

But data in itself isn’t useful. First you must distil the actionable insights locked within to uncover and harness its true value.

“The companies who have the most successful data privacy/governance programmes, have tangible benefit. Keep it simple to begin with. The more simplistic the data privacy programme, the more chance it will be successful.”

Adrian Barrett, Founder & CEO, Exonar

 

Achieving this is reliant on the practical implementation of effective data governance programmes, which focus on 5 key areas:

1. Win hearts and minds around data governance policy
Change has to start at the top so it can filter down through the organisation but buy-in is only secured when you’re speaking the language of the senior leaders.

2. Align with company mission and values
Using the company values as a guide, you can empower a cross-functional group to put the plan into action and reinforce your data principles across the business.

3. Empower ownership and responsibility
Develop bespoke training programmes tailored to individual roles so people see the relevance of the rules to them personally.

4. Automate data governance policy and embed within business processes
Leverage technology to manage and automate the process of turning policy into practice, revealing what’s in your data estate and identifying areas for continuous improvement.

5. Excite the organisation around data as a valuable asset
Ultimately it has to start with changing the conversation about data from being a business risk to being a business asset.

 

Start discovering your data today

Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?

Book a demo today

 “Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”

Dave Parker, Group Head of Data Governance, Arrow Global