Risk Advisory Staff Consultant | Freed Maxick
As organizational data becomes increasingly critical to key business decisions, the need for a comprehensive data governance program grows with it. The Data Governance Institute defines data governance as “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” In other words, data governance is the set of controls and processes that ensure the confidentiality, integrity and availability of high-quality data.
There are many components that go into developing and maintaining a formal data governance program within your organization. Security, data classification and compliance with regulatory obligations are all important areas to focus on when assessing the data governance measures already in place. Below are three components to consider for your data governance program, and why each is imperative.
- 1.) Data Security – More than likely, your organization handles sensitive and confidential information (such as PII or ePHI). It is critical to assess the information being handled and verify that it is safeguarded appropriately to prevent data leaks and breaches. This starts with taking inventory of the critical PII and other sensitive data elements your organization handles on a regular basis. Next, it is crucial to understand who actually needs access to this data, and to limit access to those people. For example, employee payroll and banking information should be accessible only to specific HR and internal accounting personnel, and those access rights should be reviewed periodically so they do not accumulate as roles change. Has your organization defined its critical data elements and restricted access to the appropriate personnel?
- 2.) Data Classification – Data classification is closely tied to data security: you cannot protect information consistently until you know how sensitive it is. To ensure that data is protected and stored properly, guidelines must be established in company policy so that information is not mishandled. Generally, information is ranked by its sensitivity. A common ranking system for data classification is confidential information, private information and public information. Each tier carries its own handling requirements, for example who may access the data, how it is stored and transmitted, and how it is retained and disposed of. Information such as an employee’s Social Security number would fall under confidential information and would therefore require the highest level of security controls. Is your organization ensuring that data is classified appropriately according to its sensitivity?
- 3.) Compliance with Regulatory Obligations – Regulations surrounding data privacy and security have increased over the years. New regulations bring new areas to assess so that your organization stays in compliance with the federal, state and international rules that apply to it. Violations of regulations such as GDPR and the NY SHIELD Act can result in substantial fines. When approaching your data governance program, it helps to first establish exactly which regulatory obligations your organization must meet, since that list steers the direction of the program. In doing this, the organization can uncover risks and gaps and address them in a timely and appropriate manner. Has your organization fully determined which regulations it must comply with and addressed all aspects of those regulations?
Connect with our Data Governance Consultants
At Freed Maxick, our data governance team works with you and your company to understand your processes from requirements through deployment, so that we see the complete picture rather than just one area.