Governance 2.0

Xperien CEO Wale Arewa.

---

Data governance of the past focused on two things ? the collection and aggregation (or storage) of data. Today, the situation is quite different.

According to Forrester's data governance expert, Henry Peyret, we have entered the era of data governance 2.0. We now get more feedback from our data and are better equipped to use this information to collaborate. Changes in how data is being generated, and how it is being used, also mean that the number of people who are accessing this data, using it in their day-to-day activities and governing data use policies has grown substantially. These people have to work together to establish the right rules for this information, continues Peyret. The new realm of data governance is concerned with issues of privacy, applicability, usage and sharing. These functions require an agile approach to data governance, which should focus on having just enough controls for managing risk, while enabling broader and more insightful use of data. This helps businesses to better handle the evolving needs of an expanding enterprise ecosystem.

Increasingly, decision-makers are realising that data is an asset, which can only be improved and protected from deterioration if it is managed effectively, stresses Juan Thomas, CIO of PBT Group. "This is what a good data governance strategy can help a business achieve."

This is all very well, but the problem is that very few companies take data governance seriously, says Gary Allemann, MD at Master Data Management. "The biggest pitfall by far is volume-driven complexity. The more data that comes in from various departments and product portfolios, the more complex it becomes to manage and govern," he adds. "Many businesses avoid governance due to the complexity of managing data, yet governance exists to help manage data efficiently and beneficially." In line with this, Allemann believes that many organisations are struggling with data governance because they are trying to manage all of their data in the same way, instead of prioritising data according to importance and value to the business. "Governance helps to address this issue," he says.

The South African legislative environment is constantly changing, says Karin Kruger, associate director in data and analytics at KPMG. These changes often occur before business has become completely comfortable with its obligations under the preceding legislation. This situation proves a real challenge for any company director. "Locally, the Protection of Personal Information Act (PoPI) is a framework aimed at securing/protecting customers' data.It affects all organisations that store, collect or process personal information." The aim of PoPI is to protect all personal information that is processed by both private and public bodies (including government), she notes.

The biggest pitfall by far is volume-driven complexity.

Gary Allemann, Master Data Management

While the industry may be aware of PoPI, Thomas is sceptical, pointing out that the compliance rate of SA's enterprises varies significantly. He cites the fact that companies often underestimate the amount of work required to meet PoPI guidelines as one of the biggest stumbling blocks around compliance. "PoPI is not a legislative project, in isolation, but rather, requires an enterprise-wide approach to not only deal with implications for systems or data management, but to also allow all employees to understand the guidelines and ensure PoPI is adhered to in work undertaken."

Martin Pretorius, a risk manager at e4, agrees.One of the essentials of PoPI implementation is providing your staff with the necessary training to understand the responsibilities and requirements that accompany the Act, he says. "Ensure your employees are made aware of their general responsibilities with regards to data and the handling of this data. Make sure you provide specific training to employees who have access to data and who are responsible for processing data."

Imagine that you're a customer of a certain brand and they call you several times about a service issue or bombard you with information about a product offering you are uninterested in? Chances are you'd get pretty frustrated. For Rudraksh Bhawalkar, practice manager and analytics head for Africa at Wipro, this type of scenario is caused by a lack of good data governance. When an organisation has to deal with a plethora of data streaming in from multiple departments and portfolios at high speeds, failure to manage this information effectively can waste time and money. "These issues mean that the organisation has no clear, 360-degree view of its customers, suppliers and product, which leads to poor decision-making, erroneous - and possibly unwanted - sales calls and costly errors."

Always remember if the data you store is not your own, you are but a custodian of that data.

Martin Pretorius, e4

The new governance landscape may seem overwhelming, but Cleo Becker, HitachiData Systems's regional counsel for Sub-Saharan Africa, Middle East, Turkey and Israel, believes that gaining a better understanding of your corporate information can be a great way to create efficiencies, respond to changes in the market, outdo your competitors and provide your customers with a better experience. To mitigate obstacles and create opportunities, Becker encourages modern CIOs to always assess the mood in their industry before they respond. A business cannot devise a data governance policy before it has consolidated information assets, identified possible risks and gained an understanding of what types of data they are dealing with and where this information is being stored. Once the policy is established, continues Becker, CIOs should consider who is eligible to have access to this information in order to safeguard themselves against fraud and possible data leaks.

The scope may be quite large, but by knowing what data you have and its purpose will start you off on the right path, concludes Pretorius. "Always remember, if the data you store is not your own, you are but a custodian of that data and must treat it the way you would like your data to be treated."

Governance and asset disposal

Traditionally, companies have disposed of IT equipment through non-secure methods to avoid costs. But this is no longer acceptable. For Xperien CEO Wale Arewa, data protection legislation is forcing companies to review their practices around equipment sales and donations to ensure they comply with the law. IT Asset Disposal (ITAD) is a new discipline that binds together various services that may occur at the end of the IT lifecycle, i.e. asset decommissioning, data destruction, reverse logistics, asset value recovery and environmental disposal. "If proper ITAD procedures are not implemented, executives will increase the risk of exposure to data loss, which is in violation of the Protection of Personal Information (PoPI) Act, which stipulates harsh penalties for continued violation. These penalties may include ten years imprisonment and/or R10 million fine." Arewa argues that the greatest risk is the potential reputational loss.

Most often, failure to comply is a result of ignorance, tight budgets and a lack of policing. ITAD presents unique challenges and costs that companies seldom consider. Very few companies understand the principles of ITAD and, often, cost is a driver of the fragmented approach to refreshing old assets. Arewa advises that organisations consult third-party specialist with deep experience in secure IT asset disposal. "Companies looking to retire technology assets wisely must ensure that a responsible party takes custody of sensitive data and delivers it to a professional ITAD specialist that will confirm this data has been erased, recover any residual if it exists and, if not, recycle it in compliance with environmental laws."

Effective data management - a 12-step programme

According to Antionette van Zyl, senior solutions manager for data management at SAS, poor data governance can cause poor customer service, limited upsell/cross-sell opportunities, an inefficient supply chain, an inability to automate key processes, poor operational planning and execution and, perhaps most importantly, exposure to fraud and other risks.

She believes that any business looking to establish a data governance programme should follow these 12 steps:

1. Obtain executive-level commitment to ensure data governance programmes support other strategic business objectives.
2. Identify a small, well-defined project with limited scope and real data. Also identify key business users and subject-matter experts in both business and IT.
3. Establish goals for the programme and draft a structure for both a business advisory group and a data governance committee.
4. Identify individuals at business, IT and executive levels who will participate in the data governance committee and the business advisory group.
5. Develop a comprehensive communications plan to determine the frequency and type of messages to assist with change management processes.
6. Collect and document formal business requirements from users and key information stakeholders and obtain signoff from business.
7. Build an organisation-wide data model (based on your requirements) that reflects relationships between data entities and allows for growth with any new requirements.
8. Ensure that security policies (for privacy, encryption and accessibility) are developed, documented and enforced.
9. Establish any exception-handling rules and audit standards.
10. Confirm your ability to execute; implementing decisions and policies means having the right capabilities in place.
11. Provide results of activities to users to get feedback.
12. Assess the successes and weaknesses of the pilot project and get the data governance committee to select (and prioritise) the next candidates for implementation.

This article was first published in the October 2016 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.