It is likely that sometime in your career you have heard - or said! - some variation of the phrase “The __________ is only as good as the data.”
- The database is only as good as the data in it.
- Our conclusions are only good if the data we have is good.
- We’re relying on this being good data to help us make our predictions.
- We need more/better information (data) to make a decision.
Increasingly, our workplaces are data-driven or data-informed. We rely on data to support or refute the decisions we want to make. In the process, we collect, use and store massive amounts of data in file cabinets, hard drives and the cloud.
How do we deal with it? We need data governance to figure that out.
At its core, data governance is a set of rules and guidelines for how we deal with all the data, and how those rules are enforced.
Probably the most well-known form of data governance is the set of rules surrounding HIPAA compliance. The health care industry is required by government regulation to share health records with patients, to provide those records upon request, and also to protect the records from prying eyes.
However, data governance is not reliant on government regulation. The questions surrounding how data is collected, stored and shared should be answered by every organization that has data – and virtually every organization does. From customer, employee and/or donor records to inventory data, from proprietary documents to minutes of staff meetings, every organization creates data. Without it, business as usual would grind to a halt.
Data governance policies should consider the following questions:
- How did we get this data?
- What are the rules around data entry?
- Are the people to whom this data pertains aware that we collected it? Are they required to give us permission to use it?
- What are the appropriate ways this data can be used?
- Where and how is the data stored?
- Is the data secure, or as secure as it needs to be?
- How sensitive is the data?
- Who has access to the data regularly? Who can be granted temporary access? Why do they have/need access?
- How is this data shared outside of our organization? Do we allow it to be shared? Under what circumstances?
- What are the federal and state regulations that surround this data? Are our storage/sharing methods in compliance with those rules?
Chances are, as you read the list of questions, you realized that some of them have already been discussed in your organization. Data governance is not a “one and done” situation. It is an ongoing series of discussions, policy creation and enforcement that works to keep your organization’s data accurate, accessible to those who need it, and secure from those who don’t.
Data Governance in Action
Each organization needs to create its own set of policies for how to deal with data. Not only that, but different data sets may have different rules.
Consider the following scenario:
A manufacturing company maintains a list of all the different products it creates, including those currently in research and development.
- Appropriate patents are filed and are publicly available for those that have gone beyond the testing phase.
- All the data pertaining to the products still in testing is kept secure in a password-protected shared digital storage area.
- Access to research and development areas is restricted.
- Anyone who sees the files and/or the products being tested is required to sign a nondisclosure agreement (NDA) which is then kept on file.
In order to more closely manage those who have access to the premises, the same company uses a visitor management system. All visitors to the organization are required to sign in and, at that time, digitally sign the NDA if necessary. Thus, the visitor management system helps to enforce the data governance surrounding the products in development. However, the data in the visitor management system comes with its own set of questions.
- What happens to the data in the cloud-based visitor log?
- Who has access to the records of who has visited the company?
- Will the organization use this data for marketing purposes, or strictly for security reasons? How will visitors be informed of this decision?
It is up to the company to determine the data governance surrounding this data, but also to make sure any use of the data is in compliance with applicable regulations.
Having a data governance framework in place is essential for all organizations, especially those that deal with sensitive data. Why is it so important?
- Compliance with the law: Not only do certain companies have to consider laws and regulations, both general and specific to their industry, but businesses also need to comply with the Sarbanes-Oxley Act, PCI, and any other regulations that are applicable to their business. Non-compliance could result in fines, and even jail time for certain individuals.
- Privacy and intellectual property protection: Think back over the last 10 years; how many times have you heard about a data breach that put financial and/or personal information of thousands of people at risk? With identity theft always a concern, organizations that collect personal information need to have data governance and security high on the priority list. This personal information could be customer credit cards, employee Social Security Numbers, insurance records, or something as simple as addresses and phone numbers. It is also necessary to protect internal documents and proprietary information.
- Avoiding bad data: Bad data can cripple an initiative, derail a project and mislead even the most diligent employee. Data governance isn’t just about security; it is about how data is collected and standardized. It needs to be accurate and accessible to ensure that the data you are using to inform decisions is the best. Often, data in databases can be inaccurate or incomplete, which causes numerous problems. Imagine trying to create an e-commerce shopping site, only to find the database of products is filled with incomplete descriptions, no standard capitalization practices, and inaccurate or duplicated identification numbers. Suddenly, instead of focusing on the e-commerce site, staff has to spend countless hours correcting the data.
So what are the benefits of having good data governance in place?
- Standardized data: As described above, having data standards in place during the collection process can short-circuit potential problems down the road. That e-commerce website would be a snap to create if data had gone through a review process before being entered into the database. Likewise, a digital visitor logbook can require guests to enter complete information, e.g. email addresses and phone numbers. There is no guesswork later when the time comes to contact them for a callback interview, send a thank you email, or otherwise get in touch.
- Data is accessible: What is the use of data no one can see? Refining the rules of where data is stored and who can see it can help increase collaboration across departments. Storing all applicable data in an accessible system helps to eliminate duplicate data and allows people from one department to see what other departments have collected. (This, of course, assumes that the data is not sensitive and does not require special access privileges. That is another pillar of appropriate data governance.)
- Data givers know what to expect: Having thoughtful conversations about data governance ensures that people providing data to your organization (e.g. a customer providing payment information) can feel confident. Documentation about the rules that govern certain data sets needs to be available for reference. While it is highly likely a customer may only look for that information if there is a problem or a concern, the fact that it exists can go a long way to reassure them that their data is in good hands.
- Employees know what to expect: On the other side of the equation, employees need to be confident that the actions they are taking with the information are appropriate. Most employees want to do the right thing when they are entering, retrieving, and reporting on data. Employees who take shortcuts may be doing it out of ignorance, not out of malice. Expectations clearly communicated can stop any problems in their tracks. Of course, employees who do misuse data purposely, like stealing customer lists or sharing proprietary information, should face consequences outlined in employee handbooks and data governance documents.
Who is Responsible for Data Governance?
It might seem easy to relegate the responsibility of data governance to your IT department. All this talk about databases, data sets and security seems to be firmly rooted in technology. They can handle it all, right? The truth is a lot more complicated.
While IT may be responsible for building the database, encrypting connections and otherwise securing data from outsiders, they have little to no control over how employees enter, use and/or abuse the data they have access to every day. IT might password-protect areas of electronic storage so only authorized personnel can see the data, but are the authorized personnel following the rules?
Written documentation helps, but can only go so far. Every data set has different rules and different people working with it. Complicating matters, the different ways people need and want to use the data change and evolve over time.
Data governance is as much a matter of company culture as it is black-and-white rules or regulations. IT can enforce some rules and regulations with security measures and required fields, but there is a lot of leeway even inside those fences to create bad data or share data inappropriately.
The fact is, data governance is an ongoing conversation between employees at all levels of your organization. Sometimes these discussions will be started at the top and work their way down, while in other situations it might actually be a bottom-up conversation. Regardless of where the initiative begins, the discussion needs to permeate every silo at every level.
These are murky waters and sometimes difficult conversations. Consider:
- Data entry clerks notice that some records have missing information. Do they:
  - Pull the records with missing information and refrain from entering them until the remaining information is provided?
  - Enter what they can in the records – the key fields are available – but flag them somehow so missing information can be added later?
  - Enter the incomplete information and promptly forget about them? (This may actually be appropriate, depending on the type of database and the use of the data.)
  - Make up information to fill in the blanks?
- A Vice President wants to use very sensitive protected records to do some sort of marketing initiative. The records are only supposed to be used for legal purposes. Will lower-level employees:
  - Be comfortable enough to explain that using the data for that purpose is against the law?
  - Say they can do it, but later enlist backup from a company lawyer or another executive to confront the VP and explain the problem?
  - Say nothing and forge ahead with the initiative because they are too afraid of repercussions from on high?
These types of situations occur every day at all kinds of organizations. Every employee needs to recognize and report bad data and inappropriate usage. Rules might be set at the top, but mistakes and misuse can happen at every level.
Data governance might feel like a minefield, and in a way it is. But it is a minefield that is navigable as long as there is open conversation and communication among the stakeholders of your organization. Given the sheer number of data sets present in any organization, it is highly unlikely you or anyone else will know all the rules. But a few basics can go a long way:
- Always strive for accuracy. Do not ever knowingly supply bad data.
- Provide the most complete data possible.
- Don’t give access to those that shouldn’t have it. If you aren’t sure, ask others first.
- Ask for permission before using data for a new purpose.
- Understand the purpose of the data you have, and carefully evaluate new uses.
- Understand any federal and state laws that govern the data.
- Report bad data, missing data and misuse.
These guidelines can be the start of the conversations needed to create internal rules around specific data sets. Putting it all together and keeping the conversation going can help your organization preserve the integrity of the data and the people who use it.