In the first post of our series on data governance, we introduced the « rules »: definition, compliance and evolution. In this second post, we'll address the second pillar: the organization.
The organization: definition of the roles and responsibilities of the different actors
First decision to make: who is responsible for the company's data? Every company must choose someone who will be responsible for the data governance program. This profile is to be selected from among the various professions related to digital transformation: Chief Data Officer, Chief Digital Officer, Information Systems Manager. In addition to defining the roles of each employee involved with data, this « data manager » will answer to management and guarantee the implementation and day-to-day application of the governance rules as they have been defined.
The implementation of the governance rules gives rise to procedures and good practices that set out the various profiles and their associated access rights. At the organizational level, the person responsible for the governance project must define these rights: their duration, their scope and the responsibilities arising from them. For example, which profiles are allowed to create the data? To modify them? Use them? What about storage? And security? Can data be transferred outside the company? Under what conditions? Etc.
As you can see, this point raises essential questions that affect every department that has to work with the established rules. The needs for access to or use of data are many and must be organized globally. Once this is done, the chosen data manager becomes the point of contact for management and has a duty of control to ensure that the rules are followed and the organization respected. But we'll come back to this subject in a later article.
The person in charge of governance is therefore the one who holds the keys to the « data realm »: they have to know the users and the uses, and define the needs by profile, not to mention the security aspect. Each user gets access according to their needs and will not be able to reach any data other than what they need for their duties. This aspect needs to be strengthened when it comes to data that is subject to external regulations (personal data subject to GDPR, for example) or data that is considered confidential.
The rights granted to users must be checked over time (limited duration of rights) and in space (workstation). All this must be thought out, formalized and communicated, on the one hand to ensure that it is properly carried out, and on the other hand to keep it under control so that responsibilities can be identified in the event of a dispute.
The data access types
Access profiles depend on the level at which users are involved, and the purpose of their use. It is possible to establish three distinct levels:
- Collection, creation, storage, protection…
- Modification, utilization, re-use, archiving…
- Analysis, sharing, copying, testing…
Some data are for internal use only or concern only employees (HR); other data are used for marketing purposes. In all cases, the data must be clearly identified - a major difficulty for companies working in silos - and be protected from external as well as internal attacks without blocking the work of the parties concerned. The security strategy is an integral part of the data governance plan, and the legal aspect of the processing that uses this data must be taken into account.
At the organizational level, the person in charge of governance will inevitably encounter wariness, even distrust, from certain parties who will be displeased to see their functions now regulated by protocols they are not used to following; some may also see a brake on competitiveness within their department. Change will always dissatisfy some, but it is crucial to make those resistant to change aware that the new rules will ultimately benefit all collaborators as well as the company.
The responsibility is strategic; compromise will sometimes be necessary, but the overall vision must prevail in the end because it is about the sustainability of the organization. The person in charge of governance must have a good knowledge of the company's past (and of its achievements) while having a long-term vision of the desired evolution.
In the third post of this series, we will review the financial aspects of data governance within the organization.