Achieving Successful Data Governance is More Organizational Than Technical
Tom Papahronis
CIO Advisor
Many of our clients are trying to get a data governance program off the ground, typically in response to compliance requirements or to a desire to mitigate the risk that Copilot and other AI tools introduce as they make data easier to search and use.
Their first instinct is usually to jump straight into deploying a tool to help with this, such as Microsoft Purview. While piloting Purview is a good idea, a widespread rollout is premature if the organization does not already have the required organizational components in place.
Like any other initiative, executive buy-in, written policy guidance, and resources need to be secured before the adoption of a data governance program and related controls can be successful. Here are the key roles that we recommend from a RACI standpoint so that the organization can be positioned to successfully launch a data governance effort.
Executive Sponsorship
A successful data governance program needs strong sponsorship from executives, typically from the Legal, Compliance, Privacy, GRC, or Risk Management groups. These sponsors best understand the organization's data risks and have the authority to define and enforce data governance requirements across the organization. Their responsibilities typically include:
- Providing written data security and compliance requirements: Requirements documents should focus on what data needs to be secured and what the acceptable use of sensitive data is (the “what,” not just the “how”).
- Ensuring adherence: These sponsors are the group that puts the teeth into policy enforcement. They must have the organizational span of authority to require all staff to follow these policies. This might involve regular audits, compliance checks, and disciplinary action for non-compliance.
- Providing resources and support: They should allocate the necessary resources, including budget and personnel, to support the data governance program. This includes approving investments in the training, tools, and technologies required for effective data governance.
- Defining metrics and KPIs: Define the specific metrics or key performance indicators (KPIs) used to measure the success of the data governance program, and track them. These could include compliance scores, remediation costs, or a reduction in data breach incidents overall.
Data Governance Program Ownership
The GRC lead, Chief Information Security Officer (CISO), Data Privacy Officer, or Chief Information Officer (CIO) typically own the data governance program. Their role involves:
- Developing written data governance policies: These policies should cover data classification, retention, acceptable data use, and data sharing requirements, focused on the “how.” They must be comprehensive and clear so that employees can understand their own data governance and security responsibilities.
- Defining granular data types and protection methods: This includes specifying which data types need protection and the methods to be used, such as encryption, access control, or data masking. Detailed definitions make it possible to implement precise and effective protection measures.
- Ensuring policy integration: The program owner must ensure that data governance policies are integrated into the organization’s overall IT and security strategies. This involves collaboration with other departments and continuous monitoring for compliance.
- Addressing regulatory compliance: Align data governance policies with specific regulatory requirements such as GDPR, CCPA, or HIPAA. This emphasizes the necessity of compliance and the program owner's role in ensuring adherence.
- Metrics and KPIs: Define and track metrics or KPIs related to policy adherence and controls, such as DLP policy violations, Insider Risk alerts, sharing metrics, and shadow IT detection.
Application Ownership
The person or team responsible for configuring and administering Purview typically reports up to the technology group, security, or GRC teams. They need to be knowledgeable about both Microsoft 365 and governance/compliance requirements. Their tasks include:
- Configuring Purview policies and settings: This involves setting up data classification labels, sensitivity labels, and Data Loss Prevention (DLP) policies. The configuration should align with the organization’s data governance policies.
- Administering sensitive information types: They need to define and manage sensitive information types within Purview, ensuring that all sensitive data is appropriately classified and protected.
- Continuous monitoring and updates: The application owner must regularly monitor the effectiveness of Purview configurations and make necessary updates to address new threats or changes in regulatory requirements.
- Maintaining technical skills and certifications: Ensure the application owner or team develops and maintains the technical skills needed to operate Purview effectively. This should include certifications such as the Microsoft SC-400 (Information Protection and Compliance Administrator) and keeping up with ongoing Purview feature release documentation and training.
Line of Business Impact Ownership
This role involves liaising with data owners across different business groups to understand the uses of sensitive data and the impact of new controls like Data Loss Prevention (DLP) or sensitivity labeling on business processes. Often, this is a business or technical analyst who is familiar with company processes and data usage. Finding a balance between effective data governance controls and business processes is key to the success of any data governance program. In some cases, business processes or data governance policies may need to be modified to mutually satisfy the needs of both. Typical responsibilities include:
- Understanding business needs: The LOB impact owner must work closely with business leaders to understand how sensitive data is used in daily operations and the potential impact of new data governance controls.
- Balancing protection and efficiency: They need to negotiate with business leaders to find a balance between protecting sensitive data and maintaining efficient business processes. This might involve customizing Purview controls to minimize disruption.
- Facilitating change management: Implementing new data governance controls can be met with resistance. The impact owner should facilitate change management by helping to communicate the benefits of the controls and providing support during the transition.
Data Literacy and Purview Policy Training
Effective data governance requires comprehensive communication and training. A dedicated training program should focus on:
- Data literacy: This training should educate employees on the types of sensitive data used, why they need to protect it, and the specific actions they need to take to comply with data governance policies.
- Providing practical guidance: The trainer should offer practical instructions on how to apply labels to data, follow DLP policies, and securely share data. This should include concrete examples, training sessions, and easy-to-follow guides.
- Reinforcing compliance: Regular training sessions and refreshers should be conducted to reinforce the importance of data governance and ensure ongoing compliance. The trainer should also be available to answer questions and provide support as needed.
Conclusion
When we work with clients to help establish the organizational requirements outlined above, it often includes the development of RACI charts, policies, or other documents to help record and communicate who is involved in data governance and what their specific accountabilities and responsibilities are, including who makes which decisions.
Implementing Microsoft Purview for data governance is a multi-faceted process that should have the needed organizational support and expertise in place before the technical controls are deployed. Establishing the organizational roles is often more time-consuming than the technical deployment, but clearly defining and supporting these roles and responsibilities goes a long way toward ensuring the success of the overall data governance effort and putting effective data security controls in place.
We Can Help!
If you have questions about data governance or Microsoft Purview, contact our team at info@eGroup-us.com or complete the form below.