Practical Tips for Establishing a Data Governance Program

Judy Macior is VP of Regulatory Compliance and Information Practices at Experian, making her the perfect go-to for all matters Data Governance!  Below, she leads us through a thoughtful outline that will have you establishing a solid Data Governance program in no time. Thanks for the tips, Judy!

A sound data governance program within a company is a necessary component of a corporate information practices program for ensuring that:

  • Data is adequately protected;
  • The accuracy of the data is being appropriately monetized;
  • Compliance with law and  industry self-regulations is maintained;
  • The company brand is built through trust with customers and business partners; and,
  • Responsible data stewardship is projected to policymakers and media

A BASIC “values” based approach to information practices can include policies, procedures and processes that implement a Data Governance program and can be achieved through the following steps:

Adopting a value that Balances the needs of the consumer against the needs of the business can result in:            

  • minimizing risks of data being used in a way that may harms an individual;
  • supporting the development and launch of products that can benefit the consumer;
  • practices that include balancing interests of different stakeholders and building consumer trust; and,
  • ensuring consumers adequate notice and choice for consumers.  

An Accuracy value makes certain that a Data Governance program maintains accuracy by requiring:

  • the company to analyze the data and review the type and manner of use;
  • that the data comes from a reputable source;
  • the establishment of data quality control checkpoints to maintain accuracy; and,
  • that the data steward periodically audits and updates data to maximize accuracy and freshness.

A Data Security value is a critical pillar of any Data Governance program because it:

  • maintains physical security and limits access to the data;
  • requires classification of data (i.e. public, confidential, restricted) and an analysis of how data is stored and shared depending upon the classification;
  • assures the entire lifecycle of the data is considered as part of the security and privacy program; and,
  • includes data incident management so consumers are appropriately notified under defined circumstances when data security may be breached.

An Integrity value indicates the company’s commitment to following both the letter and the spirit of the law along with any industry self-regulatory guidelines such as the DMA Guidelines for Ethical Business Practice.  Adherence to an Integrity value requires:

  • an inventory of all laws and industry self-regulations to ensure data collection and use is appropriate ;
  • a data flow analysis reflecting the lifecycle of the data to enable the company to consider privacy and security issues from collection through deletion;
  • an assurance  that the data was acquired legally and is only provided for specific intended use(s); and,
  • compliance with data source contracts and client contracts. 

A Communication value allows for open discussions about the data a company maintains, how the data is used and informs consumers of the use of the data and their ability to opt out of marketing offers.  Data Governance processes enable communication through:

  • a clear privacy policy that states, at a minimum, how the data is to be used and how consumers can opt-out; and,
  • an employee, consumer and client education program. 

In addition to an ongoing review of processes to adapt to shifts in the marketplace, new laws or industry best practice, the written policies implementing a Data Governance program must be accompanied by a proactive risk assessment conducted prior to a product launch or acquisition of a type of data.  During the initial risk assessment the following areas should be covered, at a minimum:

  • understand the anticipated privacy impact the new service or data will have on the marketplace; 
  • review privacy expectations that a reasonable consumer  would have for this service or data;
  • rate the probability that the new product or data will result in financial harm, damaged reputation, litigation or other perceived harm for each constituent – consumers, customers, data providers  and the subject company;
  • consider whether the direct and indirect benefits of the product or data outweigh any legitimate privacy concerns;
  • ensure that the data is supplied by a reputable supplier and the sourcing of data and the data elements are legitimate;
  • ensure that the data collection and use is allowed by law and complies with any supplier agreements, as well as vendor or customer contracts;
  • establish an ongoing quality control processes to ensure the accuracy and correction of the data needed for the project;
  • affirm that the new product or data would not negatively impact any  existing company policies;
  • assure that the use of the data is consistent with notice/choice previously communicated to consumers;
  • account for any additional considerations, controls, and processes regarding sensitive data (i.e., health, children, financial, or data concerning the elderly);
  • ensure risk mitigation steps have been taken; and,
  • identify any laws, self-regulatory codes governing the product or data and ensure compliance.

Companies seeking to ensure appropriate Data Governance should also at a minimum, ensure that the Seven (7) elements of an effective compliance and ethics program have been followed (as adopted by the US Sentencing Commission):

  • have a  designated  Compliance Officer to manage the compliance program for your organization;
  • maintain  written policies and procedures  that clearly communicate your compliance program;
  • ensure appropriate training for your employees;
  • ensure employees can readily report issues (i.e. whistleblower hotline);
  • conduct adequate internal monitoring and audits;
  • respond to violations and take appropriate corrective action (issue management); and,
  • enforce employee disciplinary policies. 

These are just some of the tips to help ensure you have an adequate Data Governance program in place.  It is also recommended that each company appoint a Data Governance Subject Matter Expert (SME) to conduct a gap analysis after attending a program such as the DMA Marketing Data Governance Certificate Program.

This column includes general information and is not to be construed as legal advice.  You should consult your own attorney for interpretation and matters related to the law.

Judy Macior is Vice President of Regulatory Compliance and Information Practices at Experian supporting Marketing Services in the U.S. among other responsibilities.  Judy received her B.A. from Northeastern Illinois University, and her J.D. and her LL.M. (Real Estate Law) from the John Marshall Law School.  She holds the following certifications:  Certified Information Privacy Professional (CIPP/US), (CIPP/G)(Government), (CIPP/IT)(Information Technology)  and (CIPP/C)(Canada) from the International Association of Privacy Professionals, and Certified Regulatory Compliance Manager (CRCM) from the Institute of Certified Bankers.  She is also designated as a DMA (Direct Marketing Association) Certified Marketing Professional in Marketing Data Governance. Judy is also active in the Direct Marketing Association (DMA) and she currently serves on the DMA Ethics Policy Committee.

 

Your Comment