Establishing and maintaining an efficient and robust data governance framework allows organisations to mitigate cyberthreats. Organisations gain greater control and security over the data they collect and use. This Insight explores the importance of data governance and some examples of best practices in data governance.

What is data governance?

Data governance includes the processes and procedures a business implements to collect, manage, use, and protect data. This may include security protocols, limiting personnel access to data, and maintaining data retention and destruction policies and procedures.

Benefits of good data governance

Good data governance will enable a business to mitigate cyber risks and comply with its legal obligations, including under the Privacy Act 1988 (Cth) (Privacy Act).

Australian Privacy Principle 11 requires APP entities to take reasonable steps to destroy or de-identify personal information they hold once it is no longer needed for the purpose for which it was collected or used. Businesses must understand how they collect and manage data, and where that data contains personal information, to consciously and efficiently identify when it is no longer needed and destroy or de-identify it.

In addition, good data governance offers the following benefits:

  • centralised policies and systems will reduce IT costs related to data governance;
  • developing data standards will allow for better cross-functional decision-making and communication;
  • conducting compliance audits allows for easy management of data and helps firms maintain compliance standards;
  • business intelligence for short and long-term planning, such as mergers and acquisitions, can be supported by data;
  • data growth (and storage) is tracked, controlled, and remains organised; and
  • data is secured, reducing the effects of cyberattacks.

Implementing a data governance framework

A data governance framework is an organisation’s collection of policies and procedures on data. For example, it sets out when and how certain data may be collected, who may access and use that data and in what ways, and how that data is discarded when no longer needed.

According to the Business Application Research Centre (BARC), Europe’s leading data analyst for firms specialising in software, implementing a data governance framework is a complex and ongoing task that should not be described as a “big bang initiative”, as it runs the risk of participants losing interest and dedication over time. BARC recommends that businesses implement an initial framework that is manageable, then progressively expand that framework as inefficiencies are identified and resolved.

BARC recommends adopting the following steps when implementing a data governance framework:

  1. define goals and understand benefits;
  2. analyse current state of data governance;
  3. derive a roadmap;
  4. convince stakeholders and budget project;
  5. develop and plan the data governance program;
  6. implement the data governance program; and,
  7. monitor and control.

Best practices for data governance

  1. Identify critical data elements and use data as a strategic source

Not all data is of equal importance. Understand what data you collect and why. This will help you to identify data that is not required, and implement appropriate data retention protocols for essential data.

Reducing the amount of data you hold will mitigate the impact of any cyberattack on your business.

  2. Implement and maintain policies and procedures for the entire data lifecycle

Data often has an extensive lifecycle in which it is created, cleansed, updated, stored, analysed, transmitted, backed up and deleted. You should understand how and why data is collected and used at each stage in its lifecycle to identify and manage any cybersecurity risks to your business. Equally, to manage cybersecurity risks, data with a limited lifecycle should not be retained.

  3. Involve employees in the data governance process

Involve staff in your data governance framework to ensure your entire business is aware of and can adhere to policies and procedures. This awareness will improve everyone’s capability to respond to cyber threats and data breaches, and foster cooperation between departments.

One way to involve staff is by ensuring you have the right policies and procedures in place and offering relevant and up-to-date cybersecurity training. For more information, read Sainty Law’s insight here.

Next steps

Review your data governance approach and begin implementing strong data governance into your day-to-day operations. Your business should construct a framework and develop policies and procedures which allow you to manage data in a manner that is efficient and legally compliant.

For more information and guidance on creating, implementing or augmenting a data governance framework, contact Sainty Law at lawyers@saintylaw.com.au.