Suits The C-Suite

With the rise in regulatory requirements and global industry standards to address the increased business consumption and volume of consumer data caused by the COVID-19 pandemic, companies have placed greater significance on the protection and handling of data. Now perceived as part of the wider challenge of maintaining operational resilience, issues in data quality, security, privacy and the threat of cyber-attacks rank higher on the data agenda of many organizations.

However, compliance with data handling policies can no longer be entrusted to Data Protection Officers (DPOs) alone — there needs to be an entire data lifecycle management process that is sustained by more individuals who will be held specifically accountable for both the responsible use and protection of data. This presents organizations with the opportunity to maximize data value through improved data governance, taking advantage of increased data volume to automate and scale data governance processes while ensuring its ethical use.

While data governance refers to the exercise of authority, control and shared decision-making over the management of data assets, it should be distinguished from the concept of data management. Data management is the practice of ensuring that an organization’s data is accurate, relevant and effective in fulfilling its business objectives. This includes activities to maintain data such as data classification, labeling, and proper handling. Data governance, on the other hand, sets the policies on how an organization manages data, and implements and monitors compliance.

Data governance is mandatory for success if an organization wants to maintain a “single source of truth” for its data, enabling it to reduce redundant data, enhance data quality and maximize the value of information. According to the EY article “Three priorities for financial institutions to drive a next-generation governance framework,” organizations must focus on three key areas in governing the use of data.

Regulations around data privacy have become increasingly difficult to comply with, given the current data storage and access technologies. In the past, ensuring data privacy only entailed focusing on role-based access controls (RBAC) that restricted sensitive data access. Now, the widespread adoption of the cloud and the introduction of open application programming interfaces have brought new challenges not addressed by traditional controls. This makes it highly difficult for organizations to monitor the legitimate use of personal data, ensure transparency or obtain consent from individuals, and exercise data deletion for a specific individual.

Companies must take a structured approach along the entire data lifecycle to achieve compliance. Meeting customer needs and achieving compliance with privacy regulations requires organizations to be transparent in how they store, process, control, and distribute private data. While modern data privacy controls are growing as a trend, these controls are predicated on the exponential growth and diversity in data usage and sourcing. Traditional risk-based approaches that apply retrospective controls will not be sufficient to manage the complexity of data privacy as technologies and use cases become more sophisticated. For companies to ensure proper processing of personal data, they must take a structured approach along the entire data lifecycle similar to the traditional “process and controls” approach, with more forward-looking considerations.

New technologies using public cloud will offer a competitive advantage if they can automate controls and reduce costs while being able to properly use data. The use of the cloud in particular can be seen as a new challenge for data governance or a simple extension of an existing technology practice. However, organizations must take the opportunity to use modern technologies to actually solve challenges in data governance.

A well-formed data governance framework for the cloud will need to consider regulation, visibility, data classification, risk management and change management. Organizations will need to determine the controls required to be compliant across regions, keep abreast of changing global regulations, and provide evidence that the necessary controls are in place. They must also determine how data should be classified, how different classifications should be handled, and how operational risk should be measured and reported. Organizations will need to exercise key controls in moving data while avoiding control gaps and ensuring consistency. These controls must be maintained over time, while the information in the cloud should be automatically tagged to make it useful for enterprise reporting.

Innovation through artificial intelligence (AI) and machine learning (ML) is not just driving business transformation — it also highlights unique risks and challenges regarding the governance of data. Both AI and ML applications are becoming more accessible and powerful as firms increase their access to open-source algorithms, use of big data, and low-cost computing.

Organizations need to establish an AI/ML governance framework that addresses the data-related risks of AI/ML ecosystems in aggregate. The framework should use cases where new technologies are applied and include early risk assessments based on an understanding of AI and ML. It should ultimately be automated to balance risk against data value, mapped against clear benefits and business outcomes. As these technologies become more accessible and advanced, in turn becoming integral components of business functions, achieving this level of automation and integration will be imperative for organizations.

As companies grow increasingly cognizant of the disruption and risks posed by weak data protection, they need to develop robust data governance frameworks and prioritize improving controls over the ethical use of data. Organizations cannot wait for a cyber-attack or data breach — they must shift to a proactive strategy with enhanced capabilities in areas such as privacy frameworks, data and analytics growth, data traceability and detection, and data security and controls.

By strengthening capabilities that approach data in a protective and operationally efficient manner, organizations can enable a data governance framework that supports key business outcomes focused on long-term growth.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.


Nixon C. Garais is a manager of SGV & Co.