Here we are at the 4th post in our series on data governance.
The objective is now to ensure that:
- the technical operations and implementations comply with the rules (internal or external) of the organization (see our first post, The 5 keys of data governance: Part 1. The rules);
- what has been enforced does not go against the goals of the organization.
If you compare data governance with the governance of a state, you'll find the same 3 powers in place: the executive, the legislative and the judicial powers (learn more in our white paper Digital trust, Data governance, Data management: The key trilogy for excellence).
It's the executive power that defines the objectives: what are we to do with all the data? What is their use?
The legislative power « only » sets out the rules; the goals to pursue are not decided at this step. However, the control must cover both the observance of the rules and the examination of these rules themselves, in order to make sure that they don't go against the company's goals.
This double task of the executive power demands that:
- the goals are known;
- the control responsibility is not limited to complying with rules.
To sum up this concept, you must be able to answer these 3 questions at any time:
- Who performs the control?
- What does it involve?
- And when does it occur?
The « who »:
- In the data world, you'll meet internal auditors in the management of data security, in document and content management, and in data quality management (see the role list of the DAMA organization).
- Among the external auditors, you'll find the National Authorities with regard to GDPR (and everything that concerns « Private Life »); in finance you have e.g. the Basel Committee on Banking Supervision and the Financial Markets Authority, which both act as banking regulators; and a company can of course be financially controlled by an accounting and financial auditor.
Depending on the legislation concerned, you will have different control authorities.
The « what »:
This stage addresses two important issues:
- the security aspect on one side;
- and the accuracy on the other.
An auditor will check three elements concerning security: data protection, retention and continuity. As for the control of data reliability (reliability which presupposes that the company has complete control over its data), it will be done on four elements (see table above) but will especially concern the updating of data within the framework of GDPR (data quality). It's important for enterprises to set up application-dependent control systems for data quality. This permanent measurement of the quality and reliability of data, which has not been part of the tradition of IT services so far, is the real challenge here (read more on this subject on our blog, see Data quality - Where to start?).
The « when »:
- an external audit can happen at any time, e.g. following a complaint;
- an internal audit will take place after a dysfunction (which is often noticed by users).
As you can see, there are many similarities between data governance and state governance: the difficulty of the task lies in maintaining a controlled, or even policed, mastery, with the same end goal of perpetuating smooth operation (of the enterprise or of the state).
In the fifth and final installment of this series, we will consider the last pillar of data governance: the data risks.