By Tarun Kher, Partner, Risk Advisory Services, BDO India
Data, both the input an organisation collects and the processed output it stores, is an asset for the governing board, one that goes well beyond people, devices, and facilities.
What is Data Governance?
The Data Governance Institute defines data governance as ‘a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.’
Data governance includes setting the internal standards, policies, and procedures that apply to data collection, processing, storage/retention, and disposal. It also helps ensure that data is secure, reliable, available, and accessible to authorised data owners so that it can drive business initiatives such as digital transformation. Data governance combines analytics with compliance requirements. With ever-increasing big data volumes from emerging data sources, such as Internet of Things (IoT) technologies, organisations need to continuously monitor and update their data governance procedures to enhance their business acumen.
Data governance has three main components that together form the framework: people, processes, and technology.
People
A data governance team is accountable for the quality of data across all functions in the corporation, as reflected in the provisions of ‘The Digital Personal Data Protection (DPDP) Bill, 2022’ (which was granted the Cabinet’s approval on 5 July 2023 and is set to become an Act in the monsoon session of Parliament).
The following key personnel play a pivotal role in personal data governance and protection:
1. ‘Data Fiduciary’: the person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data
2. ‘Data Principal’: the individual to whom the personal data relates
3. ‘Data Processor’: the person who processes personal data on behalf of the Data Fiduciary
4. ‘Data Protection Officer’: an individual appointed for the protection of personal data, who assists the Data Principal in exercising their rights
Processes
Data governance teams must define processes for collecting, transferring, altering, accessing, and securing data. These processes should be subject to continuous control monitoring mechanisms, periodic audits, and compliance oversight by the Board.
The draft DPDP Bill covers the processing (including collection/recording, storage, alteration, dissemination, removal/deletion, etc.) of personal data and sets up a compliance framework, which includes the establishment of a Data Protection Board.
Data governance policies should be designed to ensure compliance with government regulations on sensitive data and privacy, such as the EU General Data Protection Regulation (GDPR) and the US Health Insurance Portability and Accountability Act (HIPAA), and with industry requirements such as the European Union Agency for Cybersecurity (ENISA) Information Assurance Framework for cloud controls and the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance with these regulations may entail fines and penal consequences, which have been the primary drivers for organisations to adopt data governance tools that safeguard against all types of data breaches.
Technology
Software applications customised to the organisation’s business requirements help data governance teams institutionalise and automate best-in-class governance practices. To choose the right technological solution, the data governance team should consider the complete life cycle of sensitive data, from creation through to storage/retention.
Board Responsibility
Best practices for corporate governance suggest that data governance should be objective and balanced. Board oversight should govern data with the lightest touch possible, while placing emphasis on tech-enabled digital platforms.
Boards should encourage data governance teams to:
i) Construct a system that supports quality data
ii) Ensure that the data is accurate, timely, and easily comprehensible by employees as well as external stakeholders
iii) Apply data for effective decision-making
iv) Increase data literacy by using data analysis tools and improve processing techniques
v) Collect and disseminate metadata associated with enterprise data warehouse content
vi) Develop a strategic analytic plan to share with the management team.
Aligning the organisation’s strategic planning initiatives with board governance requires effective communication between the board, management, and the data governance team.
Data governance teams should align data with corporate governance goals, thereby enhancing the organisation’s data profile and developing data sets that allow the Board to allocate the organisation’s resources effectively. An effective data governance framework assists in enterprise risk mitigation and helps the Board set the tone at the top.
In the event of a data breach, the data governance framework acts as a saviour: it helps Boards identify the location and extent of the data compromised and enforce corrective actions immediately. With the help of a robust data governance team, Boards are able to mitigate cyber risks and threats.
On the one hand, there are rapid technological advancements; on the other, there are increasing incidents of external intrusion in which sensitive data is compromised. The key to a rational approach to data governance is for the entire organisation to fully recognise 'data as an asset class', thereby creating value for the organisation under constructive board oversight.