Here’s the story you don’t often hear about data governance…
It’s the bringer of opportunity to ensure your organisational success.
A lot of media coverage to date has focused on scaremongering around breaches and fines. But data management is fundamental to organisational success: once you’ve distilled the actionable insight from your data, you can uncover and harness the value locked within it. Marking the next phase in data governance, 2020 will be the year when data shifts from being a liability to a business asset, where compliance moves beyond a tick-box exercise, and where data governance policy turns into practice.
“GDPR formalises the move of our profession away from box ticking or even records of processing, and instead seeing data protection as something that is part of the cultural and business fabric of an organisation.” Elizabeth Denham, Information Commissioner’s Office
1. Win hearts and minds around data governance: The senior leadership team has to be united in making employees aware of their personal responsibilities around data governance policy.
2. Align with company mission and values: Just as the company values guide how decisions are made, they also need to guide how data is used as part of business-as-usual.
3. Empower ownership and responsibility: Data privacy is everyone’s responsibility. To encourage ownership, make data real by showing it’s not just a number, it’s a person’s actual identity.
4. Automate data governance policy and embed within business processes: Having visibility over the entire data estate, across structured and unstructured databases, allows you to reveal data, manage it and mitigate risk.
5. Excite the organisation around data as a valuable asset: To better engage the C-Suite, reframe data so it’s perceived as a positive business driver and a bringer of opportunity, rather than a business liability.
The insights shared within this report were acquired during a roundtable discussion with a select group of data specialists, from leading UK companies, which was hosted by Exonar and chaired by its CEO and Founder, Adrian Barrett, and Alexander Brown, Partner in the Information, Communications & Technology Group at Simmons & Simmons.
“In the past two years, I’ve been witness to not only great change, but also a great deal of consternation around how to employ best practices around data governance in light of GDPR. It is clear that 2019 was a banner year for data privacy, and this will only continue forward into 2020 as our approach to data governance and regulation matures. As we enter a new year, I hope we will see change become practice, and policy an integral part of business-as-usual.” Alexander Brown, Simmons & Simmons.
Also present were:
“Having a strategic data protection policy in place not only ensures the safety of the data, but also optimises its use to achieve strategic business objectives. That is why data protection policy must be so much more than a tick-box exercise. That policy must also be integrated at the highest levels of the organisation as business-as-usual.” Adrian Barrett, Exonar
According to our panel, the need for data governance is now generally understood and accepted, but not all organisations are aligned on how to roll it out as part of business-as-usual. In many cases, it’s still left to one part of the business to manage, despite it being something that touches every function, and that every employee is responsible for.
For many compliance officers around our table, a key challenge in the post-GDPR world has been enabling data governance by winning the ‘hearts and minds’ within the organisation. During the discussion, one of our specialists, a compliance counsellor at a global financial services organisation, described how it’s common for employees to be unaware of their personal responsibilities regarding data governance policy.
Our panel all agreed that change needs to come from the top, because if the senior leadership team isn’t united, pushing the data governance agenda and educating employees on its importance will be virtually impossible. Simply enforcing policy isn’t enough, either. The key to getting buy-in is to provide insight around how data governance applies to each specific job function, as well as the wider organisation.
One of our panel, a fraud, risk, and security expert for a multinational telecommunications conglomerate said: “When GDPR was coming down the pipe, we had a problem with implementation. We needed to change the culture, so we used an internal communication channel and our C-level video chats each quarter to talk about GDPR. This way, we got it into the culture. We created one-pagers about what you needed to know and created a culture where people bought in.”
Our panel was united in their view that simply stating the importance of data isn’t enough. First, the senior leadership team needs to buy in to the idea that data is valuable, but only if it is managed and actioned appropriately. The panel agreed that data is a key business enabler that organisations can’t afford to get wrong. To win those hearts and minds, data governance professionals must focus on positioning data policy as a business facilitator and a bringer of opportunity, rather than a difficult and painful process.
“There are different perceptions of data governance processes depending on different parts of the business. I want the DPO and the data protection counsel to be seen as enablers, helping the business move forward.” Lead data protection counsel and DPO, healthcare industry
“There are only so many times you can warn people about the ramifications of having data which you don’t have the right to retain. You need to take a hearts and minds approach instead. So, in our business we changed track and asked our chief execs what they wanted to achieve with our data in the next few years. And off the back of that, we saw change at the exec and senior leadership team levels. The focus changed to seeing data as intrinsic to the business, as the enabler and opportunity, and not one to waste. Ultimately, we communicated our compliance message around business success and business objectives,” Privacy business analyst in a leading European investment and asset management company
Some members of the panel talked about how their most successful data privacy programmes had aligned to the company’s corporate vision.
But more important than that, the programmes aligned to the company values. Those values are the guiding principles that govern how decisions are made. In their experience, only when data governance programmes aligned with the company values could they achieve buy-in and adoption across the business.
An expert lead compliance counsel at a leading multinational telecommunications provider explained how they put this into practice. Only when they had mapped the programme back to their company values of trust and allegiance to client interests, could they set the context and establish gravitas around data governance. A cross-functional group was then able to successfully put the plan into action. And by aligning to the company’s values, there was never any ambiguity on the need for data governance. Just as a company’s vision and values drive the big strategic decisions, it’s equally important that they underpin decisions taken lower down the chain of command as part of business-as-usual.
Who would you have in your cross-functional group?
We’d suggest someone:
I. Responsible for interpreting regulation and creating data governance policy, e.g. the DPO.
II. Responsible for understanding data risk, e.g. the CISO.
III. Responsible for implementing tools and processes to comply with regulation and risk, e.g. the CISO, Governance or IT.
IV. In infrastructure ownership.
V. Representing the business, in other words the people who have to work with those tools and processes on a day-to-day basis.
The data protection counsel and DPO in the healthcare industry shared how their corporate vision and principles define everything they do in relation to data.
“You’re more likely to get buy-in if you tie it into this vision and company principles. This worked really well at my company.”
A legal counsel gave the example of a company that has
“Strong data principles that were set 50 years ago and have never changed. They stick to them even if they cost the business money. It’s super important that everyone follows principles from the top. It’s important to distil this into the principles of the business and to live them top-down.”
One of the big issues surrounding data protection for our panel is the lack of ownership within an organisation. When data becomes an asset that is owned by someone, individuals are reluctant to take ownership. So the big question is…
How do you establish ownership of data across the organisation?
Because when ‘the sh*t hits the fan’, it’s the person closest to the data who is accountable for it, despite data governance being everyone’s responsibility.
A privacy business analyst in a leading European investment and asset management company said it is very important that there’s data ownership in his company. “If you manage a database, you are responsible for ownership of that data. If the ICO came in, you have to have someone managing the data.”
However, a legal counsel summed up what often happens, when he said,
“People can be territorial about their data until it goes wrong. Then it’s not their data.”
What our panel agreed was that data privacy is everyone’s responsibility, even though ultimately there will be one data owner who is accountable. It’s why communicating the importance of data stewardship – from the senior leadership team right through to the frontline staff – is crucial, and why it needs to be reiterated again, and again, and again…and again.
This can be done in several ways, but the key is to build relevance into that communication – don’t just tell people why data governance is important and that they need to be doing it, win them over by showing them how it relates to their specific role or function.
At the mid-level, one tactic that has worked well for several DPOs on our panel is raising awareness around the real threats associated with improper data practices. Highlighting that data isn’t just numbers or information, but a person’s actual identity, really brought the seriousness of data stewardship to life. Making data real moved the process of data governance from being viewed as a burdensome exercise to a powerful responsibility.
A panellist from a telecommunications company said the key to engaging internal teams is making training around data principles fun, and not using generic materials. He said the key is to target smaller areas specific to what people are working on, because generic training doesn’t resonate.
“We ran internal campaigns that brought GDPR awareness to life. We built in real examples in ongoing newsletters that came out weekly.” Fraud, risk, and security expert, multinational telecommunications conglomerate
He described how his company developed bespoke training programmes that were relevant to the different levels and business units:
We asked our panel how they get people to do what they’re meant to. And when an organisation has thousands of employees, can technology help to automate governance as part of business-as-usual?
One of our panel, compliance counsel at a global commercial real estate company, commented: “For us, automation is key. We are very good at buying technology and software, but we have so much of it that we don’t know how it interoperates. We need a global data protection software that gives visibility across the whole organisation and transparency so it’s not all held in one place but can be accessible everywhere, allowing us to see how we manage subject access requests, records processing, data mapping. In 2020, we will see a big push around automation.”
While automation is a priority, it was pointed out that some of our group were not technology experts. While they knew that new technologies would be an important part of the answer to governance automation, they were unclear on how that could be done and from which vendors.
Our group agreed that a successful approach to ensuring compliance is taking steps to fully integrate it into the business process itself. For example, this means having the ability to see what’s in the data estate, across structured and unstructured databases, to clean up data so you’re able to distil the value locked within it, and to take remediation actions to mitigate risk.
The privacy business analyst in a leading European investment and asset management company commented that
“Group wide, our programmes are all dependent upon having clean, accurate, up to date, information to enable the business to drive its commercial goals. We are looking at Exonar’s capability to create a single view of data, linking contacts, data portfolios, procedures, policies, and so on, into a holistic framework.”
Indexing data at scale, and maintaining that index, is a great way in which Exonar’s products differentiate themselves from other forms of ‘data discovery’. Think of it like Google within your company, with instant results to find data of any kind, always up to date and ready to spot changes or non-compliance.
By indexing data across all of your organisation’s estate, not only can sensitive information be immediately found, but the same searches against specific policies can be repeated on an automated basis.
We believe that this is what automation of data governance should look like from a technology perspective, but of course we would say that having developed it!
Alternative approaches might use in-built search tools in specific systems, such as Microsoft Exchange for email, to find examples of non-compliance to policy. However, drawbacks of this are numerous, in terms of the narrow scope of search, the ability of those tools to properly read the content in the system, and limitations on accurate classification of content found.
Then the holy grail is to automate these processes as much as possible, using the right blend of technology to help manage information governance at scale. In her plans for 2020, a DPO at a global healthcare provider commented:
“I want to have an automated data protection and governance process in place to create a single company narrative and drive efficiency.”
It’s also important to have visibility over the extent to which data governance policies are followed, and to identify where the process has become so difficult that it’s slowing employees down or getting in the way of them doing their jobs.
Managing data retention is an issue for a data protection officer at a global financial services organisation. “We are working towards compliance in retention. We set a retention period, and we set a rationale around why we keep data as long as we do. As a result of that work we were awarded the budget to scrutinise our systems and work out which ones carry personal information and which data is at a certain age.”
What’s clear from hearing the group’s experiences is that when data policies are part of the operational workflow, data governance becomes an integral part of the business output, leading to greater efficiency and compliance across the board.
“When you ask people whether data is an opportunity or a risk, most will say that it is both.” A fraud, risk & security expert in a multinational telecommunications conglomerate told us this in response to questions about winning support for better information governance.
Yet attempting to secure funding for data governance can be tough. So often, people see data simply in terms of a risk. But our panel told us that when data is framed as a positive business driver, they had more success in engaging the C-suite and winning investment.
It’s the difference between a message that says:
“If we’re breached, the ICO will impose a massive fine.”
Or a message communicating:
“Data is a massive, untapped asset within the business to drive growth.”
Unsurprisingly, the second option is the one that our panel have seen better results with.
By changing the perception that data exists as a business liability to one where it’s viewed as a key business asset, you can put forward the case that good data governance practices can turn your company’s data into clear business value.
“Just by shifting the view of data’s value potential and linking it to governance, it’s possible to get top brass on board with the importance of data governance. And it might even make them see data governance as something advantageous to the business, rather than as a set of bureaucratic handcuffs,” A leading European investment and asset management company.
“Use a company’s immaturity to your advantage and educate them about its business value”. Using this approach became the only way they “were able to secure the levels of investment required to fund better governance within the organisation.”
“We must move the mindset away from data as a part of risk, compliance, and legal. Instead, we must look at data as intrinsic to business.” Data protection officer, global financial services organisation
What’s interesting is that using data as an asset is not specific to mature organisations only.
“Organisational maturity isn’t a prerequisite to initiating positive change. You can use a company’s immaturity to your advantage by speaking to it directly and showing the bottom-line benefits of implementing change.” Business analyst, European investment and asset management company
As we enter the next decade, 2020 clearly marks the next phase, where we see data governance shift from policy into practice and become part of business-as-usual.
The bonus is that GDPR has now been in effect for a couple of years, which provides the opportunity to reflect on the lessons learned, both internally and from the wider industry, to continuously improve how you approach data governance.
2020 needs to be the year when we stop viewing data as a business liability, there to expose your organisation to breaches that result in catastrophic fines from the ICO. Instead, it’s time to change your perception and view it as a business enabler – data as the bringer of opportunity to ensure your organisational success in 2020.
But data in itself isn’t useful. First you must distil the actionable insights locked within to uncover and harness its true value.
“The companies who have the most successful data privacy/governance programmes, have tangible benefit. Keep it simple to begin with. The more simplistic the data privacy programme, the more chance it will be successful.” Adrian Barrett, Founder & CEO, Exonar
Achieving this is reliant on the practical implementation of effective data governance programmes, which focus on 5 key areas:
1. Win hearts and minds around data governance policy: Change has to start at the top so it can filter down through the organisation, but buy-in is only secured when you’re speaking the language of the senior leaders.
2. Align with company mission and values: Using the company values as a guide, you can empower a cross-functional group to put the plan into action and reinforce your data principles across the business.
3. Empower ownership and responsibility: Develop bespoke training programmes tailored to individual roles so people see the relevance of the rules to them personally.
4. Automate data governance policy and embed within business processes: Leverage technology to manage and automate the process of turning policy into practice, revealing what’s in your data estate and identifying areas for continuous improvement.
5. Excite the organisation around data as a valuable asset: Ultimately it has to start with changing the conversation about data from being a business risk to being a business asset.
Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?
“Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.” Dave Parker, Group Head of Data Governance, Arrow Global