A data governance playbook can be challenging to define generically, one of the main reasons being the diverse nature of industries, frameworks and the relative maturity of a given organization.
Data Governance platform purveyors suggest that generic data governance playbooks are of great utility, but at best, like Microsoft Office templates and the various accelerators available in a plethora of technologies, my view is that they are not much more than examples and probably not that useful for immediate selection and use; rather, they seed technical and conceptual thinking and can inspire, but likely cannot be used out of the box. If you’ve had great success using such things, I would love to hear how aligned they have been from your experience.
Looking at a playbook, such a thing typically outlines activities or tasks, overarching policies, regularised or standardised processes, role definitions, and tasking responsibilities that may be required in various data governance activities. It may also include deliverables in the form of reports, metrics, measures and controls.
Sunil Soares’ presentation at the DATAVERSITY Enterprise Data Governance Online 2017 Conference outlined a 16-step Data Governance Playbook for better data privacy. Soares emphasized the challenges posed by evolving privacy regulations, diverse data types, and the need for collaboration among Data Privacy, Information Security, and Data Governance offices.
You can read a summary of the session by Amber Lee Dennis in her Dataversity piece “The Data Governance Playbook: Sixteen Steps to Better Data Privacy”.
Soares’ Playbook, as covered, suggests various aspects of a DG playbook, such as developing policies, creating a data taxonomy, confirming data owners, identifying critical data elements, and establishing standards for data collection, masking, and acceptable use. The importance of ethical considerations and compliance controls is something that he believes needs highlighting throughout the process.
The goal, ultimately, is to integrate Data Governance with the daunting privacy compliance expectations of regulators and create a foundation for effective data management and protection.
A matter of diversity
Because organizations vary widely in terms of size, industry, structure, and goals, you’ll likely find that a playbook that works well for a large multinational corporation may not be suitable for a small startup or a non-profit organization.
The diversity in organizational contexts thus makes it challenging to create a one-size-fits-all playbook. For this very reason, even mainstream applications like Microsoft Dynamics, SAP and Salesforce have formulated industry-specific offerings, often termed “industry solutions”. Such offerings tie directly into the notion that there are enough variations across industries and sizes of organizations that there needs to be more diversity in the offerings for supposedly ubiquitous and standardized business operations.
Data governance is also potentially heavily influenced by regulatory requirements specific to different industries and regions, and any playbook under consideration needs to account for and comply with differing regulations or industry-specific standards. The legal expectations and compliance rigours of a given organizational context and the surrounding landscape may prove to be so dynamic and subject to change that this further complicates generic playbooks.
The Sensitivity in Data Types
The types of data an organization deals with, and the sensitivity of that data, also vary significantly. Financial data, personally identifiable information (PII), Payment Card Industry (PCI) regulated data, healthcare data, and intellectual property all have different governance requirements.
Just considering the nuances of this small subset of divergent data types, trying to converge on a generic playbook may be challenging and will likely not address the anticipated nuances of handling these diverse data types.
Just the consideration of the concept of customer data, for example, will see variations in commercial and consumer real estate, where some of the data elements associated with customer entities will require extreme controls and measures for PII handling for consumers, yet for commercial entities much of the data is public and the policies associated with data protection are perhaps a little less stringent.
A generic DG playbook would likely not differentiate much between a consumer customer and a commercial customer and would expect you to apply the same policies, procedures and controls to either data. Applying such a playbook without giving due consideration to the data context would encounter resistance: employees and business partners might raise eyebrows at having the strictures of a generic DG playbook overlaid on their existing DG practices, given the evident misalignment with the actual requirements of the organization, the industry and the data as a whole.
Technology Stack and Infrastructure
Organizations of course use different technologies and a variety of tools to manage and process their data. Any playbook needs to have some kind of awareness of how to deal with these existing technology stacks and infrastructure, including databases, ETL tooling, cloud platforms, and analytics and reporting tools.
Integrating data governance practices with some specific technologies will add complexity to a generic playbook, and some of the expected rigours and controls, for example, may not be able to be generically overlaid on certain kinds of technologies. Exceptions and concessions will need to be made, and introducing these variations will then lead to further specialism and focus on aspects that are most appropriate to the data landscape at hand. The consequence is that more time may be spent on realigning something generic rather than building afresh from a technology or industry-specific DG framework.
A great example here is public utilities, where IoT technology is becoming pervasive. One of the critiques of generic approaches in the past, and still relevant today, is that the sheer scale and characteristics of some of these technologies do not lend themselves particularly well to more mainstream information technology approaches to managing, monitoring and controlling such technologies. The focus, instead, needs to be targeted at industrial use cases with specific markers and monitors. The same story may well apply to the DG playbook for such scenarios.
Organizational Culture
DG initiatives are often driven by industry regulation, risk programs and a top-down approach to implementing more rigorous management of organizational data.
It goes without saying that although the board of directors and executive leadership of an organization may be acutely aware of the industry and market pressures being brought to bear on the organization to ensure compliance and good data stewardship, the practical understanding on the ground may be fundamentally different.
The culture of any given organization plays a crucial role in the success of data governance initiatives in general. Any data governance playbook under consideration needs to meet industry expectations but also align with the existing culture, values, behaviour, and practices of a given organization.
Factors such as the level of data literacy, the organizational commitment to data quality, and the general appetite for risk can vary widely. For example, what works for Brokerage, Insurance, Banking and Finance may be excessive when viewed in the light of, say, real estate or manufacturing, which will have their own industry models and slightly different frameworks to align to.
Data Lifecycle Variability
The lifecycle of data, from its creation to archiving and potentially even deletion, can differ based on the nature of the business. In the case of non-financial or transaction-bound PII for example, you likely want to dispose of unused, out-of-date or redundant consumer data annually. HIPAA dictates that records are retainable for six years from the date of creation or the date last in effect.
The NHS in the UK suggests ten years from the date of discharge. Insurance policy records must be maintained depending on the type of policy and the state regulations. For example, in New York, an insurer must maintain a policy record for each insurance contract or policy for six years from the date the policy is no longer in force, or until after the filing of an examination report, whichever is longer.
According to the UK’s Data Protection Act 2018 and UK GDPR, schools should only keep data for as long as they need it, which of course doesn’t help with policy setting. For your customer’s financial records, the FCA handbook states different retention requirements depending on the type of data that you keep, and this could be anywhere between 3 and 10 years.
A generic playbook may struggle to provide the specific guidance on managing data throughout its lifecycle that many who would use a playbook crave, especially when industries and sometimes even the data have unique processes and requirements.
The Interconnectedness of DG and DG’s Evolution
The technology landscape and best practices in data governance are continually evolving and what we may consider as a best practice today might easily become outdated or superseded by new technologies or policies tomorrow. Generic DG playbooks will likely struggle to keep pace with these changes.
In the early 2010s, companies began to recognize data as a valuable asset that can be used to drive business results through data optimization and data-driven insights; midway through the decade, the focus had shifted to how we handle the data. More recently, in the wake of high-profile data breaches and consumer security concerns, companies have shifted their focus almost wholly to the handling and treatment of data.
Data Privacy, Data Security, and Data Governance have become top priorities since the introduction of GDPR. The three distinct ideas are all tightly intertwined, and each must be executed properly to achieve business success.
Of late, data governance has been mostly considered as no longer optional because it underpins data security, compliance, and privacy. While regulatory compliance and risk mitigation are key drivers, the reality is that data governance should be viewed as a strategic component of an organization’s digital and business relevance and any associated business transformation journey.
The next evolution of data governance is likely to be around data intelligence, wherein there will be the ability to transform data into better knowledge. This has always been the goal; the distinction between data and information is now the distinction between data and knowledge. But in this context, data intelligence connects all the elements of data management and data governance to deliver more than information and insights, to help improve things like customer experience, and product and service innovation.
Data governance is also often interconnected with various other organizational processes, such as risk management, information security, project management, markets and the industry as a whole. A generic playbook may not adequately address the intersections and dependencies between these processes and requires such frequent updating and change as to be burdensome to maintain.
If you’re a fan of playbooks, consider these potential sources that go beyond the applications and software vendors:
In 2019, Gartner Research defined a data governance playbook toolkit. The Toolkit as described by Gartner “uses client templates to define a data governance model that establishes governance processes, stewardship roles, and information health metrics to improve data quality. Data and analytics leaders can use the Toolkit as a roadmap to help them build out their data governance program.”
There is also a version of the Gartner playbook focused on auditing data inventories, something that may be particularly relevant today in the context of increasing global data security and regulatory demands, in particular around privacy.