Data governance beyond POPIA
Data governance plays a key role in privacy and management.
The Protection of Personal Information Act (POPIA), which came into effect on 1 July 2021, put a spotlight on the way that South African organisations collect, process and store data.
Grant Long, Practice Lead for Data Privacy at Altron Security, says although global privacy laws such as POPIA have accelerated the adoption for good data governance, there is a lot more that can be achieved in organisations when it comes to an overarching data strategy.
“One main objective of data governance is to leverage and understand your organisation’s data by defining clear policies, practices and procedures. Combined with the correct supporting technology and people, a well-defined data governance framework will greatly benefit your organisation as it promotes data transparency and provides valuable data-driven insights,” he explains.
More than a tick-box exercise
Long shares that some could potentially view the legislative drivers of data privacy such as POPIA and the GDPR as ‘tedious’ and compliancy as nothing more than a ‘tick-box exercise’. While implementing and managing policies, processes and procedures may seem this way from the outset, this negative mindset could prevent organisations from realising the full benefits of data governance.
“Data governance needs to be part of an organisation's culture for it to be effective, and buy-in needs to come from the top-level down to ensure that it forms part of the organisation’s strategic intent.”
He goes on to say that while organisations with the best intent do begin their journey to proper data governance by drafting policies, these policies are often never fully implemented and are instead relegated to a filing cabinet somewhere.
Benefits of proper data governance
A potential benefit of holistic data governance other than compliance is ROI by having clear insights into a valuable company asset, which is data. “Most organisations have a plethora of information, and while their primary objective in managing that information may currently be privacy drivers such as POPIA compliance, the data governance process reveals valuable insights into an organisation that they may not have accessed otherwise,” says Long.
An important exercise for organisations is understanding what data they have and where it is located, looking at both structured and unstructured data. This allows you to identify and classify information, while reviewing policies, processes and procedures around the identified data. Understanding the type of data you are dealing with will also allow you to start putting in remediation actions which is best approached through evaluating the risk of the data discovery results.
Long shares that the discovery process can be beneficial in revealing information that organisations should not be managing, data that he terms ‘ROT’: redundant, obsolete and trivial.
“Most organisations actually don’t know what’s residing on their file shares. Irrelevant data not only takes up unnecessary space and costs to manage that extra storage (for example, an employee’s iTunes library), it also exposes organisations to unwanted reputational and security risks.”
Following best practice when building a data governance framework ensures that an organisation has measures in place to avoid security and reputational risk.
Building a data governance framework
On the topic of best practice for building a data governance framework, Long emphasises the importance of education and user adoption. “Every person in the organisation who comes into contact with data needs to adopt the data governance framework. The responsibility cannot solely lie with information regulators and C-Suite.”
“Data governance and data privacy education needs to be prioritised and it should become part of the culture,” he adds.
A clear strategy for data governance needs to be defined by the executives, and once defined, needs to be implemented holistically throughout the organisation.
He recommends that organisations begin by identifying their high-risk and high-impact environments as this will give them a good starting point for what they want to achieve through data governance.
“Not all data needs the same level of security, and data governance policies can help you to define and determine what data is at risk, and what processes should be in place to secure and manage sensitive data,” Long adds.
Choosing the best partner for this journey
While the benefits of data governance are clear, the prospect of policy drafting, implementation and management may be a daunting prospect for some organisations. Long understands this hesitation and emphasises the importance of choosing an experienced partner to guide your data governance journey.
“Altron Security has extensive experience in the data governance space, and we’ve lived the journey ourselves so to speak. We’ve worked with many large organisations – locally and abroad – and have a good understanding of both the benefits and pitfalls,” says Long.
The Altron Security data governance service offerings is comprehensive in that we’re able to offer both consulting services and technology solutions to help with getting the best out of your data while implementing overall data governance framework implementation and management both in the long and short term,” he concludes.