Embedding Good Data Governance across the Business
As is identified in the title and elsewhere in this publication, data has become a critical asset of the majority of organisations operating in today’s world – beyond simply data-rich or data-driven businesses. It is vital, therefore, that the data is well managed and protected, arguably in a more sophisticated way but at least to the level of protection given to other critical assets of a business.
What is data governance and why is it important?
The Collins dictionary defines ‘governance’ with respect to a company as ‘the way in which it is managed’. ‘Data governance’ and ‘privacy governance’ and other similar broad terms are used frequently, and sometimes interchangeably, to describe an organisation’s management or control of privacy, data protection and data security. From a practical perspective, this is most commonly achieved by way of a compliance programme. While themes emerge between approaches to data governance, several of which are discussed below, no one size fits all: governance models vary according to the size of the organisation in question, the processing activities it undertakes, its industry sector, and indeed the organisation’s posture and risk appetite as regards data privacy and security.
Effective governance generally requires some form of structure and a set of rules, and this applies equally in the context of data management. This is most commonly achieved by way of processes, procedures and internal policy documents that are prepared in line with applicable laws and industry practice.
Good data governance is crucial in facilitating an organisation’s compliance with applicable privacy and security laws. Indeed, in certain jurisdictions it is a legal requirement in its own right. However, when implemented successfully, good data governance provides much more than a compliance tool: it allows an organisation to use its data as an asset effectively and efficiently, which in turn benefits the business and leads to valuable outcomes both operationally and financially. In short, embedding good data management practices and tools enhances the value of data as a critical asset and, ultimately, the value of the business.
What good governance looks like and how it is achieved
Governance models vary and, consequently, so does what amounts to good governance. There is no single defined set of requirements: measures that work effectively for one organisation may simply be wrong for another. That said, common themes run through good governance models, several of which we discuss in detail below. Organisations regarded as demonstrating good governance will, in all likelihood, have addressed and applied each of the areas we discuss.
Plan of action
Before any steps are taken towards implementing a governance structure, an organisation needs to develop a clear plan of action as to its approach; this is paramount for success. Without a sound plan, gaps in governance are inevitable and potential gains in efficacy and efficiency will be missed.
A solid plan will include at least the following.
- Goals: The first question to ask is: ‘What do we as an organisation wish to achieve by undertaking this initiative?’ The answer will differ considerably from one organisation to another, but all will generally be geared towards ensuring that the data retains its value. Common goals include compliance with a new regulatory requirement or related guidance, expansion of the business into new sectors or jurisdictions, or increased, new or different processing activities. Some organisations frame their governance goals around certification to a particular standard, for example, ISO 27001 (an information security management standard rather than a privacy law, but one whose risk assessment and treatment requirements dovetail with data governance).
- Strategy: The second question is: ‘How do we as an organisation intend to achieve these goals?’ The answer will again differ depending on the organisation asking it but strategies will very often include several of the topics discussed below. Time frame is also important here; it should be realistic, while also endeavouring to maintain momentum with the project because the time required to implement a governance programme is often underestimated.
- Team: The third question is: ‘Who is suitable to help us achieve these goals and implement this strategy?’ Note that the team established at this stage need not be, and in its entirety most likely will not be, the team that manages the programme once implemented. For example, given the potential size of a project of this nature, having a project manager on the team can be very useful, but a project manager is unlikely to be involved in day-to-day governance matters once the programme is running. It is also very common for organisations to consult, or even rely on, third parties for assistance at this stage, such as external legal counsel. Further, implementing good governance will often require new resources, for example, a data protection officer (as discussed below) or a chief privacy officer.
One thing to note about preparing a plan in this context (and indeed any plan) is that it should always be adaptable to change. Many things could arise that directly affect the original plan. Privacy and security are areas that are particularly vulnerable to change, whether this is because of the release of new guidance or enforcement action taken by a regulator, so organisations should be prepared to adapt to such changes. Further, data governance as a concept and how it is implemented is also evolving with new methods or tools for governance emerging regularly. It is important, during all stages of a compliance programme, from the planning to implementation to maintenance, that the organisation be as agile and proactive as possible as opposed to rigid and reactive. Although the latter cannot always be avoided, a flexible, proactive approach generally puts the organisation in a stronger position to deal with potential curveballs that affect the plan or otherwise, such as the discovery of a large and previously unknown data processing activity, an unknown data set of significant value or a historic security incident.
Global programme and the GDPR
In recent years, data privacy and security have shifted sharply into focus, with new laws and legal regimes being enacted globally. Arguably the most influential and far-reaching of these is Regulation (EU) 2016/679 (the General Data Protection Regulation (GDPR)). The GDPR became applicable in May 2018 and overhauled privacy and security compliance globally. Although this publication is not intended to focus on the GDPR and its requirements, it is worth highlighting that the GDPR has global reach: it applies to organisations established in the European Union that process personal data, and to organisations located outside the European Union that process the personal data of individuals in the European Union (subject to meeting certain criteria, such as offering goods or services to those individuals or monitoring their behaviour). As such, the GDPR is likely to be a core element of any good data governance programme and, in turn, of any good data governance seeking to protect such a critical asset.
Since the GDPR became applicable, many other new laws have appeared, for example in Brazil, South Africa and certain US states such as California, and many other countries are either finalising draft laws or preparing to announce new ones. The new and emerging laws have evidently been inspired and influenced by the GDPR, as they contain many of the same or similar principles and obligations. That said, no single piece of legislation globally has had as significant and far-reaching an effect as the GDPR, and the later laws do not, in general, require a higher level of compliance than it does. Therefore, it is generally recommended that any governance programme be built around and geared towards compliance with the GDPR; in this respect, GDPR compliance is often referred to as the ‘gold standard’ for privacy and security. Where a new law is enacted to which the organisation will be subject, it should be compared against the GDPR to identify any nuances that require actions or measures in addition to the existing governance programme. Certain requirements may be limited to local matters but others may need to be rolled out globally. From a compliance perspective, these requirements may include registration of an entity with a public register, appointment of a privacy- and security-focused role (similar, for example, to a data protection officer (DPO), as discussed further below), or the translation of a particular policy into the local language.
In addition to benchmarking governance against the GDPR, for an organisation’s compliance programme to amount to good governance and to give sufficient protection to its valuable data, it is crucial that the programme be rolled out across the entire organisation, globally if applicable. The programme remains subject to any local law requirements, of course, but as a matter of general principle, policies and procedures should apply to all employees, and the reporting structure should take into account persons and teams located in offices other than the organisation’s headquarters or the office where, for example, the legal team is largely based. As noted above, the GDPR is considered the ‘gold standard’ of privacy and security compliance; by implementing a GDPR-based governance programme globally, the organisation is therefore prepared, and in a better position, should new privacy laws or requirements be introduced. Global implementation also leads to a better understanding by personnel of the principles and requirements, and to a stronger privacy and security culture across the organisation, which ultimately helps enhance the value of the data as one of its assets.
One of the most time-consuming, but arguably most important, action items when implementing a governance programme is data mapping. This stage is sometimes overlooked, partly because the exercise and its value are often misunderstood. Data mapping is a process that records or ‘maps’ details about an organisation’s processing activities, including the types of personal data, the categories of individuals (e.g., employees, customers), the locations of processing activities (both geographically and by team or business line), and the purposes of the activities. It should also track other key considerations, such as with whom the personal data is shared (whether another team or business line within the same organisation or a third party), where the data is stored, how long it is retained and what security measures are in place to protect it. Much of this overlaps with the record of processing activities that Article 30 of the GDPR requires most controllers and processors to maintain, so a well-kept map can serve both purposes. A common approach, depending on the resources available, is to distribute an initial questionnaire to key stakeholders across the business that aims to capture, at a high level, information about each team’s processing activities. Those performing the mapping (whether internal or external advisers) then analyse the initial findings and determine how best to delve deeper; this may involve live interviews, additional written requests, or both. The information is then gathered and documented in the organisation’s chosen ‘map’: for some organisations this is an Excel spreadsheet, perhaps supplemented by PowerPoint diagrams; for others the information is collated in purpose-built off-the-shelf software.
Completing a comprehensive mapping exercise well will be critical to the success of global governance within an organisation as it can highlight key considerations that shape the governance programme. For example, it may identify countries or offices where higher risk or simply more processing is taking place, or laws to which the organisation is subject of which it was not previously aware. Such an exercise also helps identify gaps in knowledge and understanding of data privacy and security concepts across the organisation that can influence policies, procedures and training.
As noted, a data mapping exercise can be time-consuming, particularly if the organisation is a large global corporation. In such cases it is often difficult to identify the best person (or persons) on the ground to assist with the process and drive it forward. Given the time and complexity involved, this is often the stage at which implementation of a data governance programme falls down. However, in our experience, governance will never be fully successful and reflective of an organisation’s needs, including its legal obligations, unless at least some mapping is completed.
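The mapping exercise described above produces structured records that can be queried for the very gaps it is meant to surface. The following is an added Python example written for this chapter; it is not the authors’ own material or the output of any particular mapping tool. The record layout, the country sets (a deliberately incomplete subset of EEA and adequacy-decision countries) and the three sample activities are constructed assumptions for illustration. It flags four of the points the text says a map should capture (missing security measures, missing retention periods, special-category data without a documented assessment, and data held in or shared with a country outside the permitted set without a recorded transfer mechanism) and counts gaps per country to show where risk concentrates.

```python
"""Gap report over a data map (record of processing activities).

Constructed example, not the chapter authors' material. The record layout,
the country sets and the three sample activities are assumptions chosen for
illustration; a real exercise would load the organisation's own map and
maintain the full list of EEA and adequacy-decision countries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Destinations treated here as not needing a separate transfer mechanism.
# Deliberately incomplete: illustrative subset only.
NO_TRANSFER_MECHANISM_NEEDED = {"DE", "FR", "IE", "NL", "GB", "CH", "JP"}

# Special categories of personal data (GDPR Article 9), lower-cased for matching.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "ethnicity", "religion",
                      "trade union", "political opinion", "sexual orientation"}


@dataclass
class ProcessingActivity:
    name: str
    team: str
    country: str                      # where the team performing the activity sits
    data_subjects: List[str]
    data_categories: List[str]
    purpose: str
    recipients: Dict[str, str]        # recipient name -> country code
    storage_country: str
    security_measures: List[str] = field(default_factory=list)
    retention: str = ""               # empty string means "not recorded"
    transfer_mechanism: str = ""      # e.g. "SCCs", "BCRs"; empty means none
    assessment_done: bool = False     # documented risk assessment on file


def analyse(activities: List[ProcessingActivity]) -> List[Tuple[str, str]]:
    """Return (activity name, gap description) pairs for every gap found."""
    findings = []
    for a in activities:
        if not a.security_measures:
            findings.append((a.name, "no security measures recorded"))
        if not a.retention:
            findings.append((a.name, "no retention period recorded"))
        categories = {c.lower() for c in a.data_categories}
        if categories & SPECIAL_CATEGORIES and not a.assessment_done:
            findings.append((a.name, "special-category data without a documented assessment"))
        # Every place the data goes: recipients plus the storage location.
        destinations = set(a.recipients.values()) | {a.storage_country}
        outside = sorted(c for c in destinations if c not in NO_TRANSFER_MECHANISM_NEEDED)
        if outside and not a.transfer_mechanism:
            findings.append((a.name, "data held in or shared with " + ", ".join(outside)
                             + " with no transfer mechanism recorded"))
    return findings


def gap_counts_by_country(activities: List[ProcessingActivity]) -> Dict[str, int]:
    """Count gaps per country of the performing team, to show where risk concentrates."""
    country_of = {a.name: a.country for a in activities}
    counts: Dict[str, int] = {}
    for name, _ in analyse(activities):
        counts[country_of[name]] = counts.get(country_of[name], 0) + 1
    return counts


# Constructed sample map: three activities as a questionnaire might surface them.
SAMPLE_MAP = [
    ProcessingActivity("Payroll", "HR", "DE", ["employees"],
                       ["name", "bank details", "salary"], "pay staff",
                       {"Payroll provider": "DE"}, "DE",
                       ["encryption at rest", "role-based access"],
                       "10 years after employment ends"),
    ProcessingActivity("Customer support ticketing", "Support", "US",
                       ["customers (EU and US)"], ["name", "email", "ticket contents"],
                       "resolve customer queries", {"Ticketing SaaS": "US"}, "US",
                       ["TLS in transit", "SSO"]),
    ProcessingActivity("Employee wellness programme", "HR", "IE", ["employees"],
                       ["name", "health"], "run wellness programme",
                       {"Wellness vendor": "GB"}, "IE", [], "duration of programme"),
]

if __name__ == "__main__":
    for name, gap in analyse(SAMPLE_MAP):
        print(f"{name}: {gap}")
    print(gap_counts_by_country(SAMPLE_MAP))
```

On the sample map the payroll activity comes back clean, the US ticketing activity is flagged for a missing retention period and an unrecorded transfer mechanism, and the wellness programme is flagged for having no security measures and for processing health data without an assessment. The per-country view is the kind of output that points a Privacy Team at the offices or business lines where deeper interviews are needed.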
Establishing the team and identifying key stakeholders
As noted above, the team overseeing the implementation of a compliance programme and other governance measures is not, and most likely will not be, entirely the same team that operationalises, manages and maintains governance once implemented (the Privacy Team); however, there is likely to be some overlap. One task for the implementation team is to determine the best model for the Privacy Team and, ultimately, to create it.
There are several ways to do this and points to consider when doing so:
- looking at existing privacy-related roles and seeking to structure and maintain governance around those roles (e.g., chief privacy officer, general counsel, compliance officer or privacy lawyers). This is common if said roles already take on a level of the governance responsibility without it having been expressly defined as governance, such as completing data protection impact assessments;
- whether any new roles are required, for example a DPO (see further discussion below) or whether additional personnel are required;
- where best in the organisation the Privacy Team should sit. A key question here is often whether it should form part of an existing team (e.g., legal, IT or compliance) or whether it should be a stand-alone team that supports and engages with other teams if and when required. This often depends on manpower and resources but, for instance, larger organisations are more likely to find that a stand-alone Privacy Team with fewer reporting lines is more effective;
- how best to structure the reporting lines both within the Privacy Team and outside. This will be partly driven by where it is determined the Privacy Team will sit; and
- whether there would be benefit in having Privacy Team members located in specific countries or jurisdictions, or whether the Team can be located in one or a small number of countries while relying on a local network of persons who have a sufficient understanding of privacy to allow them to assist the Privacy Team when needed. Considering the discussion above regarding benchmarking compliance against the GDPR, if an organisation is subject to the GDPR in a significant way (e.g., it has key employee or customer operations in the European Union), it would be useful to have one or more team members located there.
Once the structure has been determined, it is crucial to define the roles of the members and consider how they will influence governance, to ensure that it is embedded within the culture of the organisation. For example, one person’s role may focus on security incidents whereas another may focus more on policy preparation. The Privacy Team is likely to be fairly well known in the organisation and, therefore, it is much more efficient and easier to manage requests from the business if there are clearly defined responsibilities.
After the Privacy Team has been established, it is important to identify key stakeholders across the organisation. In this respect, a stakeholder is a person, or a team, who is not an expert in privacy but whose engagement will be pivotal to the success of the governance programme given their role, purpose or location. These persons or teams will probably sit in areas such as IT, legal, HR, operations and product, but this depends largely on the nature of the organisation’s business. The more data the organisation processes, the more stakeholders it is likely to have.
Data protection officer
Although the role and the idea of a DPO have existed for some time, they were given new weight and meaning by express provisions in the GDPR. A DPO is mandatory in certain instances (e.g., where an organisation’s core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data). The appointed individual should have expert knowledge of data protection law and practice, and the role is mainly to assist the organisation in monitoring internal compliance with the GDPR, including informing and advising the organisation and its personnel about their obligations with regard to privacy and security. The DPO must be able to act independently and must not be placed in a position of conflict, as the role is focused on compliance rather than the commercial business. For example, a DPO should report directly to the highest management level of the organisation, probably the board, whereas members of the Privacy Team are likely to have more conventional corporate reporting lines.
When determining whether a DPO should be appointed and have a role in governance, there are a few factors to consider, including the following:
- An organisation should first assess whether it is required by law to appoint a DPO. Although it is recommended to structure governance around GDPR requirements, an organisation that is not actually subject to the GDPR has no need to appoint a DPO as that role is defined in the GDPR, and using the title risks confusion about the obligations attached to it. Appointing a specialist with a different title but similar responsibilities can be a useful alternative for ensuring good governance throughout the organisation.
- The role of a DPO is regulated by the GDPR so if an organisation appoints a DPO (as that role is defined in the GDPR), it is subject to the relevant obligations under the legislation.
- As noted above, the DPO should not be conflicted. Conflict is most likely to arise when the individual also performs a more commercial role, such as chief financial officer.
Even where not strictly required by data privacy laws or regulations, appointing a data protection specialist can be very useful within an organisation that is seeking to implement a compliance programme and protecting its data assets.
Policies and procedures
One of the most important tools, if not the most important, for implementing a compliance programme and embedding a culture of governance within an organisation is to have written policies and procedures. Policies and procedures can take many forms and cover many topics. It is for the organisation to determine what exactly should be documented and how, although it is worth highlighting that the GDPR expressly contemplates the ‘implementation of appropriate data protection policies’, where proportionate, as part of demonstrating compliance, and other privacy laws have similar requirements. Common policies and procedures include the following:
- Data protection: This usually sets out the principles to which the organisation adheres in respect of data privacy (largely reflective of the GDPR or other applicable privacy and security law principles) and how it administers its compliance according to those principles;
- Data breach or incident response: The purpose of this document is to explain to personnel what a security incident is, how to identify one and what to do if one has, or potentially has, occurred. Such a document may also go further and detail the internal process that will follow, such as the teams and persons involved in investigating and how the need for reporting would be assessed, whereas some organisations opt to keep this latter information in a policy applicable only to the teams and persons it governs;
- Data subject rights: The purpose of this document is to explain what data subject rights are, how to identify when a person is making a request to exercise a right (this is particularly useful for a consumer-facing business), and what steps personnel should take if they receive a request. Such a document may also go further and detail the internal process that will follow once a request has been received, such as how to respond to the request (template responses are always helpful in this respect) and the time frames for responding, among other things, whereas some organisations opt to keep this latter information in a policy applicable only to the teams and persons it governs; and
- Document retention: The purpose of this document is to explain when, why and how documents should be retained and deleted. It may also incorporate a retention schedule with specific periods for retaining documents; how detailed this is will depend on the nature of the organisation. When determining a retention period for any document or data type, several laws may have an impact, including local laws and market practice on the subject matter, such as the limitation period for bringing claims under a contract.
These are fairly standard policies and procedures that are generally recommended as a baseline, and their existence is indicative of an organisation having good data hygiene, which is vital given the value of data as a critical asset for most organisations today, as previously described. However, there are likely to be several other policies and procedures that are suitable and, indeed, advisable for the relevant organisation.
Privacy by design
Privacy by design is a principle that has been around for some time and is now integral to many data privacy laws, including the GDPR (where it appears as ‘data protection by design and by default’). ‘The 7 Foundational Principles’ is a leading guide in this respect; it is intended to apply to an organisation’s entire ecosystem and highlights that, to enjoy the benefits of innovation such as new technology, organisations must also ensure that the protection of data, including control over data flows, is preserved. Privacy by design essentially requires organisations to put privacy and the protection of personal data first. It requires organisations, both at the time of determining the relevant processing activity and during the processing itself, to implement appropriate technical and organisational measures that are designed to implement data protection principles effectively and to integrate the safeguards necessary to meet the requirements of applicable law and protect the rights of individuals.
As discussed previously, good governance should be proactive and not reactive. If an organisation deploys a policy of privacy by design such that it can identify potential privacy risks early and implement mitigating measures, it will be in a position to reduce the risk profile of the organisation and be in a significantly better position with regard to compliance generally.
Several privacy laws require organisations to be active in assessing their own activities to identify and mitigate risks, or determine that a particular data processing activity should simply not be undertaken because the risks are too high.
Laws that include assessment requirements usually either set a threshold for when the assessment must be completed (e.g., based on the type of processing activity) or leave the assessment optional. That said, when an organisation is about to begin a new processing activity, such as launching a new product or implementing a new security measure, completing such an assessment remains good practice even where the threshold is not met or completion is not otherwise compulsory. From a governance perspective, assessments should of course be undertaken when required by law, but completing them when not required is also good practice and should be encouraged whenever there is a potential risk to data, security and individuals, such as in the collection of sensitive personal data. Risks will not always be clear on the face of it, and an assessment can help to bring them to light. Alternatively, an assessment is a way to evaluate a potential or known risk, to weigh up the pros and cons, and to determine whether the risk can be mitigated sufficiently.
As with privacy by design, assessments of this nature allow organisations to be proactive rather than reactive when it comes to assessing and preventing harm to privacy and security. Documented assessments are also a great compliance tool in that they can easily demonstrate an organisation’s commitment to privacy and security, should a third party (e.g., customer) or indeed a regulator request it.
How good governance is maintained
We have discussed ways in which good governance can be implemented and demonstrated; the next hurdle, and often one that organisations neglect, is maintaining it, and maintaining it to a consistent standard that reflects the value and criticality of the data in question for the organisation. Below are some common examples of how organisations can ensure that good data governance is truly embedded and maintained.
Operationalise the programme
Operationalisation of any programme, particularly one that involves new policies and procedures, is vital to its success. This may seem obvious, but it is surprising how many organisations put significant hours of work and resource into preparing a compliance programme that is then placed in a drawer and left untouched and forgotten. Others operationalise only to a degree, resulting in an inconsistent approach across the organisation. These failures can have several causes, such as a lack of senior leadership buy-in or approval, a lack of appropriate communication channels to spread the word, or an organisation that is not receptive to change.
So how does an organisation ensure this does not happen? There are many ways in which an organisation can operationalise a compliance programme, including:
- ensuring from an early stage that senior leadership and key stakeholders are on board with the programme and are willing to support and discuss it when the time comes. Referring back to the discussion above regarding developing the Privacy Team, the clearer the structure and the reporting lines, the easier this task will be and the more support the programme will be given;
- getting approval to send organisation-wide communications about the programme, or at least relevant policies and procedures, and deploying technologies to administer where appropriate or necessary;
- identifying appropriate communication channels at an early stage. This will begin the process of increasing awareness, which is vital to the success of the programme. If mass communication is not appropriate or not an option, there should be an appropriate and effective way to spread the message about the programme and any new policies and procedures;
- launching a central privacy repository of documents and information, possibly in the form of a portal, which is a great way to ensure all personnel can access the documents and information relevant to them easily; and
- auditing, or making clear that it may audit, employees’ compliance with policies and procedures. Depending on the nature of an employee’s violation, consider disciplinary recourse or other remediation, such as additional training.
Training employees at all levels on governance is of the utmost importance to the success of a compliance programme as it will assist in truly embedding privacy and security governance into the culture of the organisation; providing employees with clear examples and situations they can relate to is often a very successful way of achieving this. When considering what training to provide and how, an organisation should consider the following:
- Structure the training programme so that it is continual and not undertaken only at the start of an employee’s employment with the organisation.
- Tailor training to specific roles and levels within the organisation. For example, any employees involved in investigating and handling security breaches should be trained in this area. Key stakeholders should also be given more advanced and additional training if they are to effectively assist the Privacy Team, as discussed above.
- As new policies and procedures are introduced, consider which areas of the business require specific training and which can be provided with a written overview.
In line with the theme of being proactive and not reactive, privacy and security laws and related guidance are evolving with speed and we expect to see multiple new and updated laws and related guidance appearing globally during the coming months and years. Although compliance with the GDPR will position an organisation well to tackle new and emerging laws and guidance, it does not necessarily amount to absolute compliance with each and every one. The Privacy Team or lead data specialist within an organisation needs to remain alert and vigilant to the introduction of new laws and guidance and proactively seek to identify potential gaps in advance of them coming into effect.
Monitor and learn
Good data governance should be seen as a living programme, and not simply a compliance programme that is implemented and left to run on its own. It needs to be regularly monitored and analysed to see where it is working, and where it is not. For example, organisations should diarise the provision of regular updates to employees on governance, by way of a newsletter for example, undertake regular audits, and seek feedback from employees to see if policies and procedures can be improved, as they will be the ones using them regularly.
Further, another source of learning is any incident suffered by the organisation. Although no organisation wishes to suffer one, an incident does help to identify compliance and operational gaps, provided lessons are learnt. Mock incidents, also referred to as ‘table-top exercises’, are a fairly common tool for assessing how an organisation would respond to an incident; these can be run in whatever way best suits the organisation, for example with a single team or the entire organisation, or both. At the very least, those responsible for privacy and security should be well versed in handling an incident rapidly, allowing for regulatory notification requirements where applicable (for example, the GDPR’s requirement to notify the supervisory authority of a notifiable personal data breach within 72 hours of becoming aware of it, where feasible).
There is no perfect model of data governance, nor is there a perfect method for embedding a good culture of governance within an organisation. That said, we have outlined several key features that can be useful in developing a successful and sustainable compliance programme and achieving recognisably good governance models. As explained earlier, the implementation and maintenance of a good governance model is highly advisable for any organisation that processes data or is affected in some way by data privacy and security issues, which, in today’s world, is almost all organisations. Where that data represents a critical asset – as it does for many organisations at the current time – it will be vital.
With this in mind, and given that data privacy and security have shifted into focus on a global scale of late, a culture of good governance is something all organisations should be working towards: not only can it assist in demonstrating compliance with applicable data privacy and security laws, but it can also help to foster safer and more effective data processing, which, in turn, can help to drive efficiencies and, ultimately, the success of the business.
 Sarah Pearce is a partner and Ashley Webber is an associate at Paul Hastings (Europe) LLP.
ISO/IEC 27001:2013 (issued jointly by the International Organization for Standardization and the International Electrotechnical Commission) specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.
 Privacy by Design – The 7 Foundational Principles: Implementation and Mapping of Fair Information Practices (Information and Privacy Commissioner of Ontario), at https://iapp.org/media/pdf/resource_center/pbd_implement_7found_principles.pdf. See also the chapter on Privacy by Design in this guide.