Data Governance and Board Responsibility

What is Data Governance

Data Governance Institute defines data as ‘a system of decision rights and accountabilities
for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.’

Data governance includes setting internal standards, policies, and procedures applicable for data collection, processing, storage/ retention, and disposal thereof. It also helps ensure that the data is secure, reliable, available, and accessible by authorised data owners to drive
business initiatives such as powering digital transformations. Data governance combines analytics with compliance requirements. With ever-increasing big data volumes from emerging data sources, such as the Internet of Things (IoT) technologies, organisations
need to continuously monitor and update their data governance procedures to enhance their business acumen.

Data governance has three main components which assist in developing the framework viz. people, processes, and technology.

People

A data governance team is accountable for the quality of data across all functions in the corporation, as in the case of the provisions of ‘The Digital Personal Data Protection (DPDP) Bill, 2022’ (which was granted the Cabinet’s approval on 5 July 2023 and is set to become an Act in the monsoon session of the parliament).

The following key personnel play a pivotal role in personal data governance and protection:
1. ‘Data Fiduciary’ who alone or in conjunction with other persons determines the purpose and means of processing personal data
2. ‘Data Principal’ is the individual to whom the personal data relates
3. ‘Data Processor’ is the person who processes personal data on behalf of the Data Fiduciary
4. ‘Data Protection Officer’ is an individual appointed for the protection of personal data and assists the Data Principal exercise their rights

Processes

Data governance teams must define processes for collection, transfer, alterations, access,and securing the data which should be subject to continuous control monitoring mechanisms, periodic audits, and compliance oversight by the Board.

The draft DPDP Bill covers processing (including collection/ recording, storage, alteration, dissemination, removal/ deletion, etc.) of personal data, and sets up a compliance framework, which includes the establishment of a Data Protection Board.

Data governance policies should be designed to ensure compliance with the government regulations regarding sensitive data and privacy, such as the EU General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), industry requirements such as European Union Agency for Cybersecurity (ENISA) Information Assurance Framework for cloud control and Payment Card Industry Data Security Standards (PCI DSS). Non-compliance with the provisions of defined regulations may entail fines and penal consequences which have been the primary drivers for organisations to adopt data governance tools that safeguard against all types of data breaches.

Technology

Software applications customised for the organisation’s business requirements help data governance teams to institutionalise and automate the best-in-class governance practices. To choose the right technological solution, the data governance team should consider the
complete life cycle of sensitive data starting from creation to storage/ retention.

Board Responsibility

Best practices for corporate governance suggest that data governance should be objective and balanced. Board oversight should focus on governing data to the least extent possible while laying thrust on digital platforms – which are tech-enabled.

Boards should encourage data governance teams to:
i) Construct a system that supports quality data
ii) Ensure that the data is accurate, timely, and easily comprehendible by employees as well as external stakeholders
iii) Apply data for effective decision-making
iv) Increase data literacy by using data analysis tools and improve processingtechniques
v) Collect and disseminate metadata associated with enterprise data warehouse content. Develop a strategic analytic plan to share with the management team.

Aligning the organisation’s strategic planning initiatives and board governance requires effective communication exchange between the board, management, and the data governance team.

Data governance teams should align data with corporate governance goals, thus enhancing the organisation’s data profile and developing data sets for effective allocation of the organisation’s resources by the Board. The existence of an effective data governance
framework assists in enterprise risk mitigation and helps the Board define the tone at the top.

In case of a data breach incident, the data governance framework acts as a saviour, helping Boards identify the location and extent of the data compromised and enforcing corrective actions immediately. Boards are able to mitigate cyber risks and threats with the help of a
robust data governance team.

On the one hand, there are rapid technological advancements, but on the other, there are increased incidents of external intrusion, wherein sensitive data is being compromised. The key to a rational approach towards data governance is for the entire organisation to have
complete recognition of 'data as an asset class', thereby creating value for the organisation with constructive board oversight.

Source: Express Computer