Date: 2025-02-18

Data governance is still a challenge at some organizations. Operational silos among departments, a lack of strong data governance leadership, and the ever-increasing glut of data are factors, as is a failure to understand the universe of data.

“Some elements of sound data governance involve understanding the various data types that you may have. Once you understand the types, you can start looking at the sensitivity level of the data, classify that information, and determine how best to protect and manage it,” says Erich Barlow, head of information security - Americas | global IT security professional at standards and certification organization BSI Americas. “Having a clear vision of the business context for collecting and storing data is also an element of a sound governance strategy. Developing this vision allows information to be governed in a manner consistent with current established standards and regulatory requirements, while also providing an outline of a potential data governance strategy.”

A sound data governance strategy needs to address the ethical use of data -- to avoid issues such as illegal discrimination -- or the organization may face consequences such as fines, potential litigation, and reputational harm.

“Establishing data ownership and stewardship is also a crucial element of a sound data governance strategy,” says Barlow. “This process helps improve data control and ensures that only reliable sources are used and managed.”

Arunkumar Thirunagalingam, senior manager data and technical operations at healthcare company McKesson, says that to empower data sovereignty, organizations should formulate policies that include data definitions, access rights and data protection, compliance processes, data quality standards, and performance metrics to ensure adherence to standards. Organizations should also be able to adapt to new regulations and business needs.

Common Challenges Organizations Face

Adam Ennamli, chief risk and security officer at General Bank of Canada, says approaching data governance as an IT or compliance initiative is the most fundamental mistake organizations make.

“[A] sound data governance strategy must be driven by the business, for the business, focusing on how data acts as an input to decisions,” says Ennamli. “If governance is pushed down as a technology, security or regulatory project, the business users may see it as a burden rather than a value driver.”

Another mistake is trying to do too much at once.

“Too many organizations try to govern all their data at once, creating elaborate ‘frameworks-on-slides’ that look impressive on paper but won’t last a week in execution,” says Ennamli. “Instead, pick a critical business product or process, which can then lend you their influence across their organization, establish governance there, show tangible benefits and then expand.”

Governance is also an ongoing process, not an event.

“[G]overnance isn’t a project with an end date. It’s an ongoing hygiene exercise that requires continuous attention and focus,” says Ennamli. “You don’t have to build an army if you did the initial work right, just a diverse team of experts that understand the business dynamics and have foundational data knowledge.”

McKesson’s Thirunagalingam warns that it’s also possible to start from the wrong end, ignoring the needs of certain key stakeholders until late in the game. The result is resistance to adoption of the solution and governance policies that are misaligned with the business’s operational requirements.

“Do a bit and then build up. Make things simple at first [to] quickly deliver business value, such as increasing data accuracy or [enabling] more effective compliance,” says Thirunagalingam. “Promote accountability by embedding governance into business outcomes and encouraging ownership of data stewardship to all employees.”

BSI Americas’ Barlow says some organizations don’t understand how much data they possess, which can hamper the implementation of an effective data management program. Similarly, they may not fully grasp what regulations they must comply with or what data is specifically collected.

“This is especially true if the data collected is metadata from websites or applications. Some of this information is under regulatory control, so the business may need to apply additional control measures to comply with these requirements,” says Barlow. “Another challenge is finding the proper framework to fit the needs of the business and that of its clients and customers. Many standards exist, but some standards are suggestive and provide guidelines, while others are prescriptive, state-specific requirements that need to be adopted. This, in turn, means that the control measures required by a specific standard may be costly for the business to implement.”

When organizations aren’t aware of the data they possess and what controls may be required to comply with a given standard, the misunderstanding snowballs into an ineffective program that does not meet the business’s needs. It also puts the data at risk since the control measures are ineffective.

“Organizations in highly regulated industries, such as healthcare and finance, don’t have a good handle on the data they collect,” says Barlow. “Typically, the organization will collect an overabundance of data that is not needed for their services, [and] because they collect it, they must manage it. Some of these businesses are unaware that this information can be sensitive and require specialized care such as [at]-rest or [in]-transit encryption, so they spend more than budgeted.”

Who Should Spearhead Data Governance

Many different types of roles are assigned to head governance because organizations approach it differently. It could be the head of compliance or privacy, the CISO, an existing risk function, the CIO or CTO, or another role. BSI Americas’ Barlow believes CISOs are the best choice.

“Information security officers are well placed in many organizations to address specific issues that may arise in handling or storing data,” says Barlow. “Additionally, InfoSec teams can help organizations understand the various requirements pertaining to their business’s data. The information security team will have hands-on knowledge of how to implement the various security measures required by specific data management standards.”

If organizations have a data security officer or a data protection officer, they too should be involved in developing the methodology and management of data because they understand the complexity of the data and how to adhere to various international standards and local regulations. Barlow also recommends having the legal team involved since litigation is the reason why some companies developed data management standards when they did.

General Bank of Canada’s Ennamli says that while voluntary or designated data stewards are a decent idea on paper, the approach rarely works out due to competing priorities and loyalties.

“You want dedicated, focused people that will look at the data, the processes, the operations, and build critical bridges between technology assets, informational assets, and business value units, translating requirements and emerging a clear, pragmatic mapping in both directions,” says Ennamli.

McKesson’s Thirunagalingam says strong data governance leadership comes solely from chief data officers and similar high-level executive sponsors, who are expected to ensure cross-departmental collaboration.

“The person guarantees that data governance strategy is implemented towards the business goals and that top management endorses the strategy,” says Thirunagalingam. “Collaboration is of the utmost importance -- businesspeople, IT teams, data stewards, lawyers, etc., all are essential. There is a governance committee for which members are recommended on a cross functional basis to ensure policies are holistic in terms of addressing and meeting technical, legal, operational and other organization objectives.”

Tips for Success

Given the ever-increasing reliance on data for analytics, AI, and to inform business strategy, organizations that have not yet defined and implemented a data governance strategy should do so now.

“Taking control of your data will be crucial for when businesses begin developing or utilizing new and emerging data-driven technologies like AI and quantum computing,” says BSI’s Barlow. “Addressing security issues early on will also help to ensure the information is available for use by emerging technologies in the future. Taking control of your data and addressing security issues will benefit both your business and customers, so the information must be accurate and readily available to be included in various models and training algorithms.”

General Bank of Canada’s Ennamli underscores the need for simplicity.

“The most successful governance tip is to focus on making governance digestible, meaning, practical, jargon-free and useful for end users,” says Ennamli. “The minute governance becomes an obstacle to getting value creation work done, people will inevitably find ways around it, so be pragmatic and realistic in your approach.”

And don’t forget the importance of cross-functional collaboration. Without strong data governance leadership and the right people involved, organizations risk inadvertent use or outright exploitation of data in a manner that’s harmful to the organization and its stakeholders.