What are some best practices for data governance that companies should consider implementing?
There’s a lot of ground that could potentially be covered, but strong data governance would include policies and procedures that are reasonably designed to at least:
- Identify all the data your business is using.
- Assess and categorize data according to business purpose and risk.
- Monitor data usage across your business.
- Protect your company’s data through technical controls, policies, and procedures to ensure its quality and resiliency.
In practice, building strong data governance involves:
- Signals of a commitment to data governance from senior management: Data governance involves ensuring that employees are proactive in protecting the company and understand the potential risks/benefits associated with protecting the company’s data assets. This requires strong signals from senior leaders.
- Establish a diverse data governance team or committee: To ensure that data governance policies and procedures are aligned with the company’s business objectives, companies should identify key stakeholders from across the organization and obtain their input early on. This may include decisions and discussions on topics such as data classification, data storage, due diligence and monitoring of third parties accessing sensitive data, and general data protection practices.
- Inventorying a company’s data assets: A critical and often difficult step in data governance is taking inventory of a company’s data assets, their sensitivity, business purpose, access controls, and more. This includes data assets managed by third parties. This inventory is essential for businesses to understand how to best manage the risks associated with their data, and is made easier if businesses have completed the steps outlined above.
- Assessing enterprise data risks and characteristics: Based on the data inventory, enterprises assess key elements of enterprise data assets, such as data criticality, data quality, data sensitivity, data resilience, and data regulations. These should be monitored and reassessed periodically.
- Implement strong data controls to protect the company’s data while meeting business needs: Data governance teams need to work together to develop formal standards and procedures that define the appropriate use, handling, transmission, and storage of data based on its risk characteristics. These controls should be designed to:
- Make data easily available to individuals within your company who need it, while reasonably protecting it from individuals and third parties who have no legitimate reason to access it.
- Establish policies, procedures, and controls to protect data from loss or corruption. This includes access controls, encryption, restrictions on the transfer/sending of data between devices or accounts, and other data loss prevention controls.
- Monitor and test data controls to look for potential issues such as improperly configured access controls or data that may have been manipulated.
- Develop an incident response plan that provides clear steps for responding to data breaches, incidents, and even operational disruptions that could result in the unavailability of key data assets.
- Conduct due diligence and monitoring of a company’s third-party networks to ensure that third parties are properly securing and disposing of data.
How will new technologies such as AI and machine learning impact data governance?
While AI complicates data governance, it also presents opportunities to improve data governance.
First, there are increasing efforts by governments to regulate the use of AI. Examples include recently revised guidance from the Department of Justice for corporate compliance programs regarding the use of AI and a U.S. Securities and Exchange Commission proposal. While it is too early to understand the impact of AI regulation, this is another aspect of data governance that businesses will need to manage.
Additionally, the use of AI can create unique data risks for businesses that need to be managed. These include:
- Corruption (“poisoning”) or invalid input of the data source
- Incorrect output (hallucination/bias)
- Theft/loss of intellectual property (proprietary AI model source code, training data sets, etc.)
- Allowing unauthorized users to access data that informs AI models (whether through hacking or simply by chance), such as sensitive or personal information that is normally restricted.
On the other hand, companies cannot ignore the productivity gains that AI technology brings. When used correctly, AI tools offer compliance leaders a unique opportunity to improve data quality and data security with less effort.