Why enterprises need to think about data governance


Data is increasing at a rate never before witnessed. Exabytes and zettabytes of data are now regularly talked about and organisations need to deal not only with the volume of data, but also data governance.

With GDPR due to come into force in the UK on 25 May 2018 (despite Brexit), there is a real need for organisations to think about data governance and actually do something about it. But where should firms start?

Issues around data governance include the software costs, management consulting costs and technical implementation costs, and the promise of return on investment from data governance needs to be cast iron.

Another issue is that good data governance looks different for different industries, according to Dan Telling, managing partner at data consultancy Bench.

"What is good for a pharmaceutical company may be quite different to what is good for a retailer," he says.

"It also exposes a failing in traditional approaches to data value management projects as common wisdom would ask an organisation to consider people, process and technology."

Challenges

One of the biggest challenges organisations face when trying to get a handle on their data is understanding what they have, where it lives, who can access it, who has been accessing it and how that access has been used, says John Hughes, enterprise director at Varonis.

"With the upcoming GDPR regulation, organisations will be tasked with shoring up their data governance, and that includes identifying files containing sensitive data, reducing access on a need-to-know basis, monitoring access and ensuring the data is properly disposed of when no longer necessary to operations," he says.

Creating a data governance strategy

Hughes says that a data governance strategy first starts by "turning on the lights".

"Organisations cannot protect what they cannot see. They do this by classifying their data, assessing where it lives, who has access, how they were granted access and what they are doing with that access."

There should also be a corporate policy in place with named and accountable data owners. "Ownership should be at board level, preferably the CEO. The policy should cover all three sides of the triangle, Availability, Integrity and Confidentiality. This should cascade down to documented procedures and guidelines. All staff should have mandatory data training," says Manish Trivedy, an ITSM consultant at Soitron. He adds that availability should include critical systems for business to continue functioning, including links to its business continuity and disaster recovery.

Steve Murphy, SVP and general manager EMEA at Informatica, says that it's important to make sure data governance tools are unified across the enterprise so that everyone can get the best out of them.

"A single comprehensive solution will reduce running costs, decrease time-to-value and improve business outcomes. Data governance that combines technical data on the backend with a business lens on the front-end results in programme and business agility," he says.

Implementing strategy

When it comes to implementing the newly-created data governance strategy, organisations must get a clear picture of their data landscape. "Next, they need to identify how that data is processed across business systems, where it is stored and how it travels," says Murphy. Automating data discovery is a good way of achieving this, as the data landscape of a business changes constantly, and humans cannot process that data in real time. An automated data discovery and management approach speeds up the process and increases its accuracy based on varying data inputs.

Nick Coleman, global head of cyber security intelligence at IBM, says he would advocate referring to a target Data Governance (DG) operating model (people, processes, technology and data) to know what good looks like, and drive out the gaps.

"We frequently produce a heatmap for clients to help visualise this information," he says.

He adds that in doing so, this will identify both 'quick wins' and longer-term objectives that organisations can work towards. "As the most significant positions are filled within the Data Governance organisation, then the establishment of metrics and decision-making bodies can begin," says Coleman.

Getting the benefit

With a data governance strategy in place and operational, Murphy says this can help companies develop a unified approach so that all data sources can be exploited for common goals, with siloes between departments removed and collaboration across international boundaries improved. "In turn, a holistic view of data supports companies [to] improve customer service. Having a single source of information means organisations can pre-empt their likely purchases or the problems that they're trying to solve. By responding to these needs, it's much more likely that revenues will increase and clients will be engaged. Good data makes for a successful business," he says.

But Murphy warns that pitfalls come when trying to change the existing culture to make room for this new, unified approach, as doing so requires a change in how different stakeholders store and use information. "CIOs in particular need to take responsibility for leading the change and helping employees to get involved - data governance is a cultural shift as much as a technology project," he says.

Ken Krupa, CTO at MarkLogic, says there are caveats to be mindful of when implementing governance programs. "The 'boil the ocean' mentality must be avoided at all costs. Agility and incremental successes are key."

"Additionally, if the data governance program focuses more on the governance part and not enough on the data part of the equation, there's a risk of creating an internal bureaucracy that may achieve the opposite of what is intended," he adds.

The future and GDPR

With GDPR looming in the future, crippling fines could be imposed on organisations that don't get a grip on data and its governance.

Alastair Broom, UK security practice director at Logicalis, warns that the regulation also introduces the 'right to be forgotten', where EU residents can request the deletion of their personal data if there's no compelling reason for it to be held by an organisation.

"This will drive the requirement for information lifecycle management, so that data is managed not just through creation and use but also through destruction," he says.

"This will prove a big challenge, as it is very easy to create data, but once it is out there, it is much harder to track down all instances of it and ensure it has been deleted."

Having data governance in place will help organisations establish the rules and help avoid hefty penalties.


Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.