The governance of information and data isn't a subject that only regulated companies need to worry about. Businesses, regardless of their size or the industry they're in, need to understand how they store and use data, and whether they are adhering to their own privacy policies or complying with a regulatory mandate. Without formal data governance, companies are managing the associated risks by default.
"Some organizations don't know where to start, so they bury their heads in the sand hoping it goes away, or they'll wait until they get burned and then they'll do something," said John Isaza, a partner at Rimon Law, in an interview. "And if they get burned, they may say we need to get burned again to see a pattern."
High-profile incidents, such as the Target and Ashley Madison hacks, raise awareness of the problem but tend not to change the way individual companies operate, unless perhaps a direct competitor was breached. Even then, little if anything may change.
"It's not a question of if you'll have a data breach; it's when you'll have a data breach. We tend to forget that inadvertent data disclosure has a lot of problems with it, and it's a big portion of why these problems come up," said David Horrigan, e-discovery counsel and legal content director at e-discovery software provider kCura, in an interview. "Carelessness really has to be part of a governance policy."
Who is in charge of data governance varies depending on the size of a company, the industry it serves, and internal considerations. The players typically include some combination of IT leadership, business leadership, the chief security officer, the chief privacy officer, the records information manager, someone from the general counsel's office, and the person responsible for compliance.
"The justification for a team comes when you realize you're keeping a lot of data, you need to protect the data, quickly find the data, and make sure you know when you can get rid of the data," said Richard Lutkus, a partner at law firm Seyfarth Shaw, in an interview. "Once things get too hard for people to manage on their own, companies start looking at better ways to organize their data as they're implicated in more lawsuits."
Data governance is sometimes relegated to the IT team, especially when it is viewed in traditional IT terms. In fact, there is a debate about whether information governance and data governance mean the same thing or not -- and the explanations vary.
An Association of Information and Image Management blog describes information governance as "the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives." Data governance is defined as consisting of "the processes, methods, tools, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate."
Semantics aside, neither data governance nor information governance alone is sufficient. We present some considerations that apply to both. After you've reviewed these, tell us about your own data governance experiences. Is your organization sticking its head in the sand, or leading the charge in good data governance practices? Tell us all about it in the comments section below.
Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit.