11 Questions About Corporate Data Governance That Directors and CEOs Should Be Asking


Tim Goswell

Data Governance Lead, Robinson Ryan

The onus on boards around corporate data governance is only growing, especially with the introduction of new rules for boards and directors of critical infrastructure, which generally require operators to identify, prevent and mitigate risks to data and report back to the Commonwealth. Boards and CEOs must sharpen their focus on data practices and cybersecurity, asking the right questions and digging deeper to understand where gaps and shortfalls are occurring. What are the critical questions around corporate data governance that boards and CEOs should address?
1. How are we keeping data safe and making the most of our data?

These are the two key benefits of corporate data governance. Keeping our data safe means we retain the right to be in business or to operate. When boards and CEOs look at the safety and compliance of an organisation's data, they must insist on proof. There must be systems in place that prove, at all levels of the organisation, that data is being measured and controlled. While safety and compliance are essential, it is the idea of making the most of our data that really propels our operations and business forward. Boards and CEOs need to ensure there is time and energy dedicated to data beyond safety and compliance. But how do boards and CEOs ensure verifiable oversight of corporate data governance? Let's explore these ideas as questions that must be addressed.

2. Have we identified all our data assets and which ones are critical to business operations?

We cannot manage everything perfectly from day one, so it's essential to prioritise. This starts with identifying those data assets that are critical. We should look to both our business lines or branches and the applicable rules and regulations. Industry analysts IDC say that worldwide data will grow 61% to 175 zettabytes by 2025. Organisations simply can't keep up with how fast data is created and used. We must prioritise the critical data assets and govern these first.

3. Do we understand where Personally Identifiable Information (PII) sits within our data sets? Have we clearly articulated who has the authority to manage and use these data sets?

Information about people, especially customers, is almost always intertwined throughout our data assets. This is a hidden cost that emerges as expectations change and data owners increasingly expect the ability to control their data. The first step in managing this challenge is to ensure the organisation documents where this personal information sits within its data sets.

4. What are our key risks and mitigation strategies around data?

Risks around data can emerge from and affect all parts of our operations, so a whole-of-organisation approach is required. There should be a well-documented list of risks and impacts circulated throughout the organisation to ensure they are prioritised and addressed appropriately.

5. Does everyone in the organisation understand their role in looking after data properly and making the most of it?

Without clear roles and responsibilities, data management is at best reactive and uncosted. At worst, catastrophic data issues can fall through the gaps. Roles and responsibilities should be well documented and understood.

6. Are all our projects clear on how they will touch or create data?

Organisations mature and grow project by project. Corporate data governance is not something that sits in a silo; it should be embedded in every department and every project, especially if you want it to be a sustainable part of the organisation's DNA. It is worth drilling down on how data is treated at a project level, and whether the organisation is proactively improving data practices with each new project.

7. Is there clear ownership over our data and do owners understand their responsibilities? How do we ensure there is accountability for this? Are data stewards identified properly and supported well?

Data ownership (deciding about data) and stewardship (looking after it) go hand in hand. If this is not defined, at best data management is reactive, and at worst no one is looking after critical data. Look for documentation of ownership and responsibilities, and of what support is in place for data stewards, who should be formally identified as the individuals who take a keen interest in the data their business area needs to be successful.

8. What are our data security policies and are we adhering to them? Where are the gaps? [often these gaps are significant]

Like baseball, you only get points if you get to home base, not if you get to first base (or second, or third). Proof that we are adhering to our security policies is the home-base strategy. Writing policies or circulating policies doesn't earn the points, although they have an essential part to play. It goes without saying that policies must be independently checked to ensure they are full in scope and fit for purpose.

9. Are we following the relevant consumer rights / GDPR regulations around data owners' consent, including the 'right to be forgotten'?

As we outlined in point 3, we must know where data sits within our organisation so we can make sure we are treating it properly and complying with the relevant regulations. What's often left unsaid is that a full effectiveness audit is required: not just of where this data sits, but of what the documented processes are, who participates in these processes, and how the processes interact with data.

10. Are we regularly testing our data backup and disaster recovery systems to ensure they're effective and up to date?

You may as well not have a backup and recovery system if you don't test it. There must be evidence of discrete restore tests on individual pieces of data, along with evidence of successful scenario tests. Testing must be done regularly; we recommend at least annually, but do check your regulatory mandates.

11. Do we understand and provably act on data owners' expectations to retain and destroy their data?

As a guiding principle, check whether your organisation is asking data owners about their data retention and destruction expectations (outrageous, I know). This isn't something to leave in the fine print of your privacy policy; instead, insist that your organisation makes it upfront, clear and transparent. With careful planning, communicating data policies can increase your brand's trust and reputation by being open with consumers and giving them agency. This is undoubtedly where data practices are heading, so get a first-mover advantage in your industry.
