We are constantly connected, constantly creating and sharing data. As a consequence, every segment of our society is now expected to be responsible for its own data safety and security when using digital technology and to understand the privacy and security implications of the devices and tools it uses.
– Australian Information Security Association (AISA) Chair Damien Manuel and Deputy Chair Alex Woerndle
Not surprisingly, data governance is increasing in importance on board and audit committee agendas, and the governance of data and privacy is now an integral part of an organisation’s overall governance requirements and director responsibilities.
Data governance principles
Best practice data governance, like good financial governance, involves implementing the processes, procedures and standards necessary to give the board and other stakeholders confidence in the information the organisation provides. Best practice data governance, like the governance of other plant and equipment assets, also includes assessing the effectiveness, integrity and robustness of the technology used.
At board level, data governance is concerned with the framework of systems and processes that support informed decision making in the usage, investment and security of data assets.
Data governance strategy
The collection, processing, accessing, communication, reporting and security of data is essential to every organisation. Therefore, the oversight of data security and data performance frameworks is essential to good corporate governance.
How does a board fulfil its role in data governance?
The time and focus a board applies to data governance will depend on many things, including organisation size, maturity, industry and strategic direction, and on how deeply the organisation works with stakeholder personal data or big data assets. The broad principles, however, are universal:
Skills and experience. Does the senior management team have enough capability to oversee data risk and compliance, manage data projects and so on? Does the board have enough capability to challenge management on technology issues (for example, regulatory privacy compliance, cybersecurity, artificial intelligence in business, digital disruption) and make informed decisions? Does the board include information technology in its professional development program for directors?
Understand the role of data in your business. How does data technology currently support and enhance your business? How is personal data managed, who are the stakeholders, and who manages them? Is it integrated and efficient? Is it deeply aligned to your strategy (for example, does your business model rely on big data)? Or does it take a lighter but wider touch (for example, are you collecting an increasing amount of stakeholder personal data as part of your business-as-usual operations)? Is it protected and secure?
Understand the opportunities and risks. How is similar data used by others in the industry? How would customers and other stakeholders like their personal data used? What data management opportunities does technology present? Does your organisation’s IT culture promote or stifle innovation or communication? What are the risks (current and future) and how can they be mitigated?
Fit data to strategy and strategy to data. Does your business, including technology and human resources, have the capability required for your data objectives and strategy? Do strategy execution plans and budgets include appropriate time frames and costs for short-term and long-term data management?
Focus on stakeholders. Does the board consider a wide range of stakeholder perspectives when making decisions about data? Is stakeholder-care a key value? Does this align with actual practice and is it communicated externally? What should the organisation do, or stop doing, to enhance stakeholder trust?
Good governance and monitoring. How does the board perform its oversight of data risk and strategy frameworks? How does it monitor regulatory compliance? What are the controls and reporting? What are the performance indicators?
Five data protection questions for directors
Directors need to consider how decisions are being made about connecting the digital and the physical. They need to understand who is responsible and how they are held accountable. This oversight may need to evolve (and deepen) when data is applied to business-as-usual decisions that could bring risk (operational, regulatory, reputational, ethical) into the organisation.
Below are five questions boards and management should be discussing when it comes to data protection:
- How is our executive leadership informed — through their systems, processes and governance — about the current level and business impact of data risks to the organisation?
- What is the current level and business impact of data risk to the organisation? What is our plan to address identified risks?
- How does our cybersecurity program apply industry standards and best practices?
- How many and what types of privacy breaches do we detect in a normal week? What is the threshold for notifying the executive leadership?
- How comprehensive is our privacy breach incident response plan? How does it fit into the broader cybersecurity framework? How often is it tested? What role do board directors play, and are they included in annual exercises?
Establishing a culture of effective data and privacy governance
A key element of any data governance framework is fostering an organisational culture that values data and privacy. The board needs to work with management to ensure this culture is developed and embedded.
- Have the values and risk appetite underpinning data handling been established and communicated throughout the organisation?
- Is the organisation appropriately equipped and resourced to embed the right culture into its people, systems and processes?
- What channels does the board use to ensure it knows how data handling is occurring ‘on the ground’?
When combined with adequate risk and strategy frameworks, an organisational culture of effective data and privacy governance allows for the development of enhanced privacy and security resilience. Data crisis resilience needs to be a part of long-term business and stakeholder strategy.
- How ready is the board and management to deal with a data-related crisis?
- How can the board improve its resilience capabilities, such as change readiness and incident management?
- Are privacy and security risks accounted for throughout the organisation and in project development?
- How are third-party relationships managed, secured and assured?
- Have all stakeholder impacts been accounted for in data crisis plans?