What are some best practices companies should consider implementing when it comes to data governance?
While there is a lot of ground to potentially cover, strong data governance would at least include policies and procedures that are reasonably designed to do the following:
- Identify all data the business is using.
- Evaluate and classify data according to its business purpose and risks.
- Oversee data usage across the business.
- Safeguard the firm’s data and ensure its quality and resiliency through technical controls, policies and procedures.
In practice, building a strong data governance would include:
- Signaling a commitment to data governance from senior leadership: Data governance requires a strong signal from senior leaders to help ensure employees are actively engaged in protecting the firm and understand the potential risks/benefits associated with protecting the firm’s data assets.
- Establishing a diverse data governance team or committee: To help ensure that data governance policies and procedures align with the firm’s business goals, companies should identify key stakeholders from across the organization and gain their input at the early stages. This can include decisions and discussions about topics like data classification, data custody, due diligence and monitoring of third parties with access to sensitive data, and general data safeguarding practices.
- Inventorying the firm’s data assets: A critical – and often difficult – step in data governance is creating an inventory of the firm’s data assets, their sensitivity, business purpose, access controls, etc. This would include data assets that are controlled by a third party. This inventorying activity will be essential in helping the firm understand how it can best manage the risks related to its data, and it will be an easier task if the firm has completed the previously mentioned steps.
- Assessing the risk and characteristics of the firm’s data: Based on the data inventory, the firm should assess, monitor and periodically re-evaluate key elements of the firm’s data assets, including data criticality, data quality, data sensitivity, regulations around data and data resilience.
- Implementing strong data controls that protect the firm’s data while meeting business needs: The data governance team should collaborate on formal standards and procedures that define the proper use, handling, transmission and storage of data based on its risk characteristics. These controls should be designed to:
  - Allow data to be easily available to individuals within the firm who need it, while reasonably safeguarding data from individuals or third parties without a legitimate reason to access the data.
  - Establish policies, procedures, and controls to protect the data from loss or corruption. This includes access controls, encryption, limitations on the transfer/transmission of data across devices or accounts, and other data loss prevention controls.
  - Monitor and test data controls to look for potential issues like improperly configured access controls or data that may have been manipulated.
  - Create an incident response plan that provides clear steps for responding to data breaches and incidents, as well as operational disruptions that might make key data assets unavailable.
- Conducting due diligence and ongoing monitoring of the firm’s third-party network to ensure that the third parties are appropriately safeguarding and disposing of data.
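As an added illustration (not part of the original interview, and not describing any particular firm's tooling) of how the inventory, classification and control-testing steps above fit together: the script below keeps a small data-asset inventory, checks each asset's access-control list against a classification-to-group policy, verifies that stored content still matches the hash recorded at inventory time, and lists sensitive assets held by third parties for the diligence step. The inventory format, the policy table, the group names and every sample record are constructed assumptions for this example.

```python
"""Testing data controls against a data-asset inventory (illustrative only).

All policy values, group names and sample assets below are constructed for
this example; they are not taken from the interview or from any real firm.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: which groups may hold access to each classification.
ALLOWED_GROUPS: Dict[str, Set[str]] = {
    "public": {"all-staff", "finance", "hr", "engineering", "contractors"},
    "internal": {"all-staff", "finance", "hr", "engineering"},
    "confidential": {"finance", "hr", "engineering"},
    "restricted": {"hr"},
}
SENSITIVE = {"confidential", "restricted"}


@dataclass
class DataAsset:
    """One inventory record: what the data is, who owns it, who can reach it."""
    name: str
    classification: str
    owner: str
    acl: Set[str]              # groups currently granted access
    expected_sha256: str       # content hash recorded when inventoried
    third_party: Optional[str] = None   # custodian if held outside the firm


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_acl_violations(asset: DataAsset) -> List[str]:
    """Groups granted access that the classification policy does not allow."""
    allowed = ALLOWED_GROUPS[asset.classification]
    return sorted(group for group in asset.acl if group not in allowed)


def verify_integrity(asset: DataAsset, current_bytes: bytes) -> bool:
    """True if the stored content still matches the hash in the inventory."""
    return sha256_hex(current_bytes) == asset.expected_sha256


def third_party_sensitive(inventory: List[DataAsset]) -> List[str]:
    """Sensitive assets held by a third party: candidates for vendor diligence."""
    return [a.name for a in inventory if a.third_party and a.classification in SENSITIVE]


def run_control_checks(inventory: List[DataAsset],
                       current: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Return (asset, check, detail) findings for misconfigured ACLs and tampered data."""
    findings = []
    for asset in inventory:
        bad = find_acl_violations(asset)
        if bad:
            findings.append((asset.name, "acl", ", ".join(bad)))
        if asset.name in current and not verify_integrity(asset, current[asset.name]):
            findings.append((asset.name, "integrity", "content hash differs from inventory"))
    return findings


# Constructed baseline content, hashed at inventory time.
BASELINE: Dict[str, bytes] = {
    "payroll_export_2024.csv": b"emp_id,name,salary\n1001,A. Example,90000\n",
    "eng_wiki_backup.tar": b"constructed archive bytes",
    "customer_list.xlsx": b"constructed spreadsheet bytes",
}

INVENTORY: List[DataAsset] = [
    DataAsset("payroll_export_2024.csv", "restricted", "hr",
              {"hr", "finance"}, sha256_hex(BASELINE["payroll_export_2024.csv"])),
    DataAsset("eng_wiki_backup.tar", "internal", "engineering",
              {"engineering", "all-staff"}, sha256_hex(BASELINE["eng_wiki_backup.tar"])),
    DataAsset("customer_list.xlsx", "confidential", "sales",
              {"engineering", "contractors"}, sha256_hex(BASELINE["customer_list.xlsx"]),
              third_party="example-crm-vendor (constructed)"),
]

# Constructed "current" state: the payroll file has been altered since inventory.
CURRENT_CONTENTS: Dict[str, bytes] = dict(BASELINE)
CURRENT_CONTENTS["payroll_export_2024.csv"] = b"emp_id,name,salary\n1001,A. Example,190000\n"

if __name__ == "__main__":
    for name, check, detail in run_control_checks(INVENTORY, CURRENT_CONTENTS):
        print(f"{name}: {check} finding: {detail}")
    print("third-party sensitive assets:", third_party_sensitive(INVENTORY))
```

Run as written, the checks flag the payroll export twice (the finance group exceeds the restricted policy, and the content no longer matches its recorded hash), flag the contractor group on the confidential customer list, and surface that customer list as a third-party-held sensitive asset. The same structure generalizes: the policy table is the classification decision the governance committee makes, the inventory is the output of the inventorying step, and the checks are the periodic monitoring the controls bullet calls for.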
How are new technologies, such as AI and machine learning, affecting data governance?
AI both complicates data governance and offers opportunities to improve it.
First, there is an increasing effort by governments to regulate the use of AI. For example, the Department of Justice’s recently revised guidance for corporate compliance programs around the use of AI, the U.S. Securities and Exchange Commission’s proposal on managing the conflicts of interest in the use of predictive analytics, etc. While it is too early to understand what the impact of AI regulations will be, it is another aspect of data governance that firms will need to manage.
Additionally, the use of AI can create unique data risks for firms that must be managed. These include:
- Corrupting data sources (“poisoning”) or deceptive inputs
- Issuing false output (hallucinations/bias)
- Theft/loss of intellectual property (e.g., source code of proprietary AI models, training data sets)
- Permitting unauthorized users to access the data informing the AI model, such as sensitive or personal information that is normally restricted (whether by hack or just by accident).
On the other hand, firms cannot ignore the productivity gains that AI technologies offer. When used correctly, AI tools offer compliance leaders unique opportunities to improve data quality and data security with less effort.