Why Data Governance Matters
November 30, 2023
Regulatory Requirements for Data Governance
Data governance is of paramount importance for companies striving to comply with privacy regulations, particularly those governing Records of Processing Activities (RoPAs) and data subject access requests (DSARs). Many modern data protection regulations (including those enforced by the ICO in the United Kingdom, by European regulators under the General Data Protection Regulation (GDPR), and under several US state laws) demand that organizations maintain records and documentation of their processing of personal data, and that they be able to comply with a DSAR by producing all data held on a given data subject within a month.
While organizations must possess a number of technical capabilities to comply with these requirements, compliance becomes much simpler for organizations that have developed and operationalized sound data governance principles.
- Do they understand what data they hold—and where they hold it?
- Do they know what it’s used for, how it is protected, and who is responsible for it?
- Do they maintain records of consent and lawful purpose?
- Do they understand how long they may keep data and have operational retention policies to dispose of it at the end of its lawful retention period?
Being able to answer these questions affirmatively is a good sign that an organization has strong data governance policies in place—and that it will be able to meet its regulatory obligations around RoPAs and DSARs.
The Business Case for Data Governance
In addition to compliance, good data governance makes business sense. Data provides great value to the modern enterprise, and many believe that data is a business’s single most valuable resource. It gives insight into customers, allowing organizations to maximize their customers’ lifetime value and enabling them to identify other potential customers in the population at large. Because this data holds value to others outside the organization, it must of course be protected, hence the need for data security policies and measures across data’s entire lifecycle.
Additionally, data loses value over time. Whether because of regulatory requirements for its disposal, the risks associated with data breaches and cybersecurity incidents, or the potential for disclosure in civil litigation, at some point in its lifespan, data becomes a greater risk than an asset to its holder. Organizations must be able to identify data when it reaches this point and delete it (assuming there are no competing requirements to retain it, such as ongoing litigation).
Resolving Key Challenges to Data Governance
Organizations today, especially enterprise-scale ones, possess more data, of more types, about more subjects, coming from more sources, than ever before. They collect data about their customers: who they are, where they live, demographic information, financial information, their purchase history and patterns, and more. They produce data as part of their workflows, or producing and processing data may be the very nature of their business.
The data will likely be spread across multiple systems and locations. Data may reside on laptops, smartphones, large on-premises servers, and in a variety of cloud platforms, public, private, and hybrid. Organizations may store years' (or even decades') worth of internal communications on their email servers, and it's likely that they continually add and remove additional communication and collaboration solutions, all of which store data.
Data mapping is too intensive and large-scale for most organizations' privacy teams to manage without advanced, intelligent technology. There is too much data, stored in too many platforms, spanning traditional on-premises infrastructures and private, public, and hybrid cloud locations. Companies, and even departments, routinely add and remove communications and storage platforms, often without consulting their legal, privacy, compliance, risk management, and cybersecurity departments. But if a problem or risk arises, these departments, and their leaders, will have to find the solution.
Intelligent, automated data discovery technology can overcome the challenges associated with building and maintaining accurate, up-to-date data maps. It can find and identify data subject to regulatory obligations across enterprise-scale technology infrastructures in a matter of hours or minutes, making it possible for organizations to create and maintain accurate, up-to-date data inventories on an ongoing basis—rather than just obtaining a snapshot of one moment in time.
To find out more about the relationship between data governance and data discovery technology, download our recent whitepaper, Data Discovery and Modern Data Governance.