Good governance: who’s who and what’s what in data ownership
“I’m struggling up this sandy godforsaken hill and then some guy’s standing on the sidelines going, ‘I don’t know what’s so hard about data governance. It’s easy,’” explains Jason Dye, director of enterprise data governance at Ally. His job, he says, can be as thankless as it is high-stakes. Nothing underlined this more than the coronavirus pandemic, which, according to Experian’s 2021 Global Data Management Research, has made businesses more reliant on their data assets, and the trustworthiness and security thereof, than ever before.
A staggering 93% of businesses reported data management issues as a result of the COVID-19 pandemic and the disruption it had caused in consumer behavior and supply chain dynamics. “Strong customer interactions are dependent on trusted data and our ability to serve that data when needed,” explains Experian managing director Andrew Abraham. “From the efficiency of the customer experience online to the data that helps us analyze markets and attitudes changing at a dizzying pace, the right data has become indispensable.”
Little wonder that nine out of ten companies are resolute to boost their data management resilience so they can better weather the next crisis. In light of changing regulations and growing data usage by a broader range of stakeholders, improving data ownership, a crucial but often overlooked tenet of data governance, is as good a place to start as any. Let’s take a deep dive into the whys and hows of defining roles, responsibilities and processes to ensure that data assets are accounted for and protected across functions and at all levels.
Data ownership: the beating heart of data governance
Data governance, according to the Data Governance Institute, “is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” In simpler terms, it’s a set of principles and practices that ensure that data is acquired, managed, used, and stored in a way that businesses can make the most of it.
Data governance frameworks are put in place to make sure that data assets are secured and inherent risks contained, the rules of data usage are established and understood within the organization, and data quality is continually monitored and improved. The benefits of a well-thought-out framework include better decision-making across the organization, higher business and IT agility and scalability, cost savings, stronger regulatory compliance as well as greater efficiency, and confidence in data quality.
Under a data governance framework, data owners are individuals or teams with the right to make decisions about who can access, edit and use data within a specific data domain. This doesn’t mean they actually own any of the data assets they govern, of course – those still belong to the company itself. How data is created and managed is what data owners can and must ultimately decide on to protect the confidentiality, integrity, accuracy, and availability of information assets.
Albeit a key component of data governance success, the issue of information ownership has been pushed near to the forefront of the CIO agenda as a result of regulatory restrictions such as GDPR, HIPAA, or CCPA. How to resolve it, however, remains a serious challenge. A survey of over 500 information technology leaders in the US and UK found that 95% are concerned by insider threat and most believe employees have put data at risk in the previous 12 months either by accident (79%) or on purpose (61%).
Data owner vs. data steward vs. data custodian: key data governance roles explained
Who’s on the steering committee? What are the three types of data ownership? What’s the role of a data owner? And what’s the difference between a data owner and a data steward anyway? Here are the roles that are the most critical for data governance success.
Mostly made up of members of the C-suite, the steering committee is responsible for defining the company’s data governance principles and making sure they’re translated into action by holding other data governance functions accountable. Ideally, it represents all the key stakeholders within the organization, both from IT and business domains. The committee is single-handedly responsible for greenlighting any process or policy change in data handling practices.
Data owners are usually senior members of the organization who make sure that data is managed properly across systems, functions, and business activities. “They need to have the authority to make changes and also have either the budget or resources available to them to undertake data cleansing activities,” explains data governance coach Nicola Askham. However, they don’t necessarily work with the data they govern on a daily basis. Enter the data steward.
Data stewards are the ones who oversee the day-to-day management of data and support data owners with expert knowledge of what data means and how it’s used within their domains. According to Dun & Bradstreet’s Jonathan Cramer, “They are the face to a company’s data management. This fosters a sense of security and trust for the data with employees, as data stewards build a more data-focused culture and advocate for the proper use of and attention to data.”
Typically sitting in departments as database administrators, data custodians are tasked with the actual nuts and bolts of storing, archiving, transporting, backing up and recovering data in tandem with data stewards. Data custodian responsibilities include protecting data integrity during technical processing, ensuring that data content and controls can be audited, applying change management practices during database maintenance and implementing data quality principles.
Trick question: how do you ensure data ownership and assign data ownership responsibilities?
When creating a data ownership model, one size will definitely not fit all. Let’s have a look at some of the main factors to consider.
According to ISACA, data type should be ground zero. Under GDPR, for example, personal information, personally identifiable information in particular, is owned by the data subject, regardless of who collects it and why. Next, where data is created or gathered should be thought through. On the other end of the spectrum, data generated by employees while working for an enterprise is typically considered the property of the employer.
Data location and availability add further nuance to the ownership of data. Nielsen SVP of internal audit, compliance and governance Kevin Alvero explains, “If two enterprises separately track stock prices, neither one owns the digits (i.e., the raw data) or the stock price itself, which is publicly available information. However, a file containing the enterprise’s recording or documenting of the stock price is generally considered the property of that enterprise.”
In any case, identifying the best candidates for data ownership must start with understanding the different types of data used within the organization. “Assigning people whose organizational down line is responsible for that data often makes them best candidates, as they not only sit with the position of authority, but also can fight the corner of that data as a strategic asset,” Experian analysts point out. Meaning product data might be best governed by the head of product, with a C-level executive validating the data ownership model itself.
GDPR and beyond: the most daunting security challenges of data ownership
According to Alvero, there are five major risk factors organizations have to tackle to make sure data ownership is well-defined and properly implemented: information security, data retention, data inventory, consent, and third-party contracts.
Data loss and theft pose an imminent threat to companies’ bottomline, business continuity, and reputation. So does data retention if an organization has no policy in place to prevent users from holding on to data they don’t or no longer need. That’s where data inventory can do a world of good, offering insight into what information a company collects and from what sources as well as where it’s stored and what it’s used for. Off the back of GDPR, consent has become a core tenet of data privacy compliance, along with businesses’ responsibility regarding third-party vendor risk management.
Total data control, GDPR-ready cloud and more: how Tresorit can help overcome data ownership and security hurdles
An end-to-end encrypted content collaboration platform, Tresorit provides the strongest data protection measures in the cloud to ensure easy compliance with data governance practices and guidelines. Here’s how.
- Stay in control of what happens to your data
- Set up and enforce enterprise security policies in one place
- Take advantage of GDPR-friendly cloud collaboration
- Use end-to-end encryption to protect personal data in the cloud
Tresorit allows you to implement data protection measures while collaborating on files, including controlling who has access to personal data, logging file activities, and creating internal security policies for data management.
With Tresorit, you can make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes such as 2-factor authentication or the secure sharing of personal data.
Keep your data in secure, certified data centers, choose where your data resides to meet regional regulatory requirements, and use Tresorit’s Data Processing Agreement to demonstrate compliance.
Tresorit doesn't have access to your encryption keys or to the personal data you manage in your files. Meaning that even if our servers were breached, no one would be able to read the contents of your files.