Most CIOs know that mishandled data can lead to financial, reputational, legal, and all sorts of other troubles. That’s why having a strong data governance policy, one that ensures security and compliance yet is also accessible and manageable, is a top priority for any organization that’s committed to data integrity and preservation.
Unfortunately, because data governance requirements and practices are still evolving, it’s easy for IT leaders to fall into pitfalls that, over time, can undermine even the best intended planning efforts. To keep your organization from falling into a trap that can render its data governance policy ineffective or even dangerous, keep an eye out for the following seven common mistakes that must be avoided at all costs.
1. Treating data governance as a technology project
Given data governance’s inherently fluid nature, policy development shouldn’t be viewed as a project that can be simply planned and released. A data governance policy that fails to keep pace with evolving requirements will ultimately fail. Worse yet, such a policy can be viewed as an annoying impediment to getting work done, leading teams to create their own workarounds.
Treat data governance as a business challenge, suggests Rajiv Mirani, CTO at cloud software and service provider Nutanix. Data is an asset that needs to be understood and protected by the organization, he says, “similar to the way many companies implement cash-handling processes, which are fully understood and accepted by the organization because they understand the importance of handling cash safely.”
An important governance task that’s frequently overlooked is evaluating both the amount and type of data being collected and retained. “Data can have tremendous value if used appropriately, but ultimately the benefits are limited to the data you can manage, leverage, and secure,” Mirani explains. “It’s important to weigh the pros and cons of data carefully and not just capture and retain by default.”
2. Neglecting to convey data governance’s overall business value
Data governance must be an enterprise-wide initiative, says Crystal Singh, an analyst and research director at Info-Tech Research Group. “Effective data governance programs are aligned or mapped to business capabilities and value streams,” she notes. They ultimately roll up to the larger organizational objectives established by senior leadership, Singh adds.
It’s important to ensure that data governance is not perceived as an IT department pet project, Singh warns. “This is not only vital for securing and holding onto the senior leadership buy-in and support that, hopefully, goes beyond platitudes,” she notes. “It’s crucial for the scalability and sustained success of the data governance program.”
When a CIO fails to clearly articulate and demonstrate how data governance and associated initiatives are helping to drive successful business outcomes and productivity improvements, “it remains merely excellent in concept and less so in execution,” Singh says.
3. Failing to draw data owners into the data governance process
The biggest governance mistake is not inviting data owners into the governance process and gaining their buy-in, says Kathy Rudy, chief data and analytics officer for technology research and advisory firm ISG. “The organization that governs and manages data for the enterprise doesn’t necessarily ‘own’ the data it governs,” she notes. More likely, specific business units or departments are the actual owners, with governance teams serving merely as data stewards. “In many organizations, finding the data owner can be a challenge itself, as often the owner doesn’t recognize itself as the ultimate owner of the data.”
Rudy believes it’s important to communicate the data governance program’s plans and benefits directly to the ultimate data owners. Then gain their buy-in and ask them who in their organization can collaborate in the program. “Start at the top and work your way down,” she advises. “Communicate progress back up the chain and ask for support in unblocking any resistance or objections encountered during program rollout.”
Buy-in is particularly important to the hardest part of any data program: building the data taxonomy and platform that will manage the data. “In nearly every instance, this will require changes to data structures [and] cleansing of data that’s dated or not in line with corporate taxonomy,” she says. “Without buy-in from the data owners who have influence over the data sources, your program won’t be successful.”
4. Overlooking impact assessments
Combining a data protection impact assessment (DPIA) with a privacy impact assessment (PIA) is the best way to understand the who, what, when, where, why, and how of data collection, use, disclosure, and processing, says Dana Mueller, a compliance architect at cybersecurity and compliance company Laika. “Organizations not performing a comprehensive DPIA/PIA may be disadvantaged by misunderstanding the data they handle/maintain and how to appropriately protect data from unauthorized use/disclosure,” he explains.
Organizations could also face steep regulatory fines and penalties, as well as a loss of customer trust, when data is improperly handled, says Jay Trinckes, also a Laika compliance architect. Legal costs too, he notes.
5. Defining data governance without the infrastructure to uphold it
A critical mistake many IT leaders make is introducing data governance policies without first ensuring that all key enterprise parties have the tools and knowledge to effectively implement them.
“If you centrally define policies and hand over a new cloud data platform without a centralized way to manage it, then business teams will build their own tools to manage data in their own way,” warns Patrick Barch, director of product management at financial services firm Capital One.
Instead, build the tools and platforms teams need to properly adhere to the data governance policy before launching it. “By enabling all activity to live in a central location, data governance teams can trust that enterprise standards are being met while tracking anything that may get out of policy,” Barch says. This approach reduces business teams’ overall data management burden, allowing staff to spend more time working with data and less time governing it.
6. Forgetting that data governance education is ongoing
Failing to accept the reality of an evolving workplace environment that encourages employees to adopt new data-sharing platforms can, over time, leave a data governance policy in tatters.
Ajay Bhatia, general manager of the digital compliance unit at enterprise data security provider Veritas Technologies, recommends regularly instructing all employees on data governance tools and policies. “Information sharing over unauthorized apps happens all too often simply because employees don’t know, or fully understand, the tools that are available, nor the consequences to the business of using unauthorized apps,” he explains.
Bhatia also suggests listening to employees before standardizing on a specific set of collaboration and messaging tools. “The tools you have may meet the needs of the business, but do your employees feel they meet their needs?” he asks. Actively discussing which messaging and collaboration tools your employees want to use prior to drawing the line on disapproved devices and services will help keep data safely secure within governance policy guidelines. “Your flexibility and their clear understanding … will help control the sharing of sensitive information on tools that are an absolute no-go,” Bhatia says.
7. Failing to designate a strong project leader
When developing a data governance strategy, the buck should stop with a designated project leader. This senior IT team member will sit at the table with business colleagues to hammer out a firm and detailed policy that meets all targeted goals. “[The] leader needs to help make and enforce the rules to keep the company’s data clean,” says Heidi Csencsits, a consultant with The Parker Avery Group, a retail and consumer goods consulting firm. The data governance chief should also be responsible for calling together IT and management colleagues to periodically tweak and update the governance document.
Without a well-designed governance strategy, organizational data can become siloed as each business unit or department implements a separate transaction system infested with unique data meanings and rules. “As these different systems start to build and collect data over time, subtle discrepancies can develop, leading to difficulties in finding one version of the truth as each system begins to report different results,” explains Rob Gentry, also a Parker Avery consultant. “These inconsistencies are avoidable with a solid enterprise data governance program that includes data definitions and formats that will be used across the organization.”