Cloud computing: the governance of data, data governance/management and data classification
Theo Watson, Corporate Attorney for Microsoft, lends us his expertise in the following article regarding cloud computing and data governance.
In recent months I have increasingly been asked to assist cloud customers with thinking through how they manage their data and classify it within the broader legal framework of legislation [such as POPI], says Theo Watson, Corporate Attorney for Microsoft. The issue of data classification rightly falls into a wider set of considerations regarding how businesses should be managing their data and the overall governance of such data.
It is therefore appropriate to address the three tiers of issues in this space, namely:
(1) Governance of Data,
(2) Data Governance/Management and
(3) Classification of Data (the latter two matters being a subset of consideration of the former).
Since the subject matter is fairly broad I have decided to address each separately in a series of articles, focusing on the specific topic matter.
This article will address the first tier responsibility that organisations need to put in place around the governance of data.
A. The governance of data - where we find ourselves
It is common to hear talk of the "Internet of Things", Big Data, Data Analytics and Machine Learning, and of the value and benefits they promise.
To quote Marc Benioff:
"The world is being re-shaped by the convergence of social, mobile, cloud, big data, community and other powerful forces. The combination of these technologies unlocks an incredible opportunity to connect everything together in a new way and is dramatically transforming the way we live and work."
Nowhere is this transformation more apparent than in cloud-based services. By their nature cloud services offer a rich and near endless source of data for us to manage and if correctly managed, from which we can extract value.
While cloud service providers secure their environments to offer a more reliable and trusted service, users of cloud services may find the daily management of data, and the related extraction of value and benefits, an increasingly complex aspect of their businesses.
B. The matter of managing data, and does it matter?
Data is a key asset within a business, yet a number of issues face businesses in today's data-rich cloud environments. One such difficulty is extracting value from data: it is almost as if we have more data than we know what to do with.
As Daniel Moran puts it: "You can have data without information, but you cannot have information without data."
Another area in which businesses may have difficulty managing data is compliance: new laws, regulations and even basic industry risk considerations are not always well understood. The reality is that these two critical and difficult data management areas can work harmoniously and, if approached correctly, deliver real data value in a compliant manner. Getting both right offers a positive return on the value of a business's data.
C. The governance of data - a framework for extracting value
The diagram below is a suggested basic structure for an approach to the Governance of Data and Data Governance/Management (the latter to be considered in a later article).
As depicted, the Governance of Data falls in the top tier of a business's organisational responsibility. It is the Governing Body (usually the board of directors, executive management or managing partners) that is responsible for determining the overall strategy, applicable policies and accountabilities for data within the organisation.
At this first tier, organisations should be focused on the strategy and policies surrounding the Governance of Data. Data Governance/Management is the second (next) tier, and focuses on implementation and execution under the established Governance of Data (but more of that in the next article).
While the distinction may seem confusing, there is logic and value in ensuring that the overall strategy and policies around data are in place before operationalising them; by analogy, "having a map is the starting point". Before starting the journey of managing data, a "map" should be in place.
To better understand the practical distinction, a few examples of Governance of Data considerations alongside their Data Governance/Management counterparts are provided below:
Governance of Data | Data Governance/Management
Will we be sued if hacked? | Legal and business process to follow if hacked
Do we really need to process all personal information? | Operational and technical measures for selecting and storing personal information securely
Should we follow an "IoT" approach? | Are we producing reporting that the business can use to extract true value?
Should we buy or sell data? | Is the data we collect accurate?
To further assist, a diagram "mapping" specific areas of data accountability that should fall for consideration as part of Data Governance is set out hereunder.
The diagram depicts the likely points of data accountability within an organisation. In summary, data is collected as it enters the organisation's environment, and from there a feedback loop ensures that as new context, strategy or business requirements evolve, they are considered across the business spectrum. As data is added, the organisation is able to refine its collection and improve the overall value proposition of that data vis-à-vis the business's benefits, risks and/or limitations.
For any organisation, the data processing map identifies areas that should be core in relation to Governance of Data. The arrows ought to be seen not only as a "flow" but equally as a "gating" process around which governing bodies ensure appropriate policies and strategies are built and from which accountabilities can be measured.
D. The governance of data - principles for the framework
The framework described above is fairly broad (as it ought to be), so it is worth considering some guiding principles that would help drive the framework of Governance of Data and the practices required to give effect to it. The principles that underpin the Governance of Data, as expressed in ISO/IEC 38500 (a standard written for the governance of IT within an organisation, applied here to data), are:
1. Responsibility: the board or similar body must accept fullest responsibility for the Governance of Data.
2. Strategy: the board or similar body determines the overall strategy for data, be that its collection, use, storage or destruction. The strategy should align to the overall business strategy.
3. Acquisition: the governing body should evaluate, direct and monitor acquisition of data and its use within the organisation.
4. Performance: The governing body should evaluate, direct and monitor the performance of how the data use within the organisation is meeting the needs of the business.
5. Conformance: The governing body should evaluate, direct and monitor the extent to which the data use of the organization satisfies its external and internal obligations.
6. Human Behaviour: The governing body should evaluate, direct and monitor the use of data such that human behaviours are identified and appropriately considered.
The practices described in ISO/IEC 38500 are not exhaustive but provide a starting point for discussion of the responsibilities of the governing body for the governance of data. That is, the practices described are suggested guidance and not a closed or limited list.
In an environment where technology and data are essentially ubiquitous, it is unlikely that any organisation or governing body will find itself in a static position as regards the Governance of Data. Governing bodies will almost certainly be faced with assessing and weighing up risks around their data.
Aspects such as "control" will need to be re-evaluated. Long-held assumptions about security and control over one's on-premises environment deserve a second look once one accepts that an IT manager with privileged access can download sensitive data, delete it and walk away with all that a company holds dear; physical custody of the servers does not, by itself, control that risk.
The fallout following the Ashley Madison hack provides a good case study. While the company did not directly derive revenue from data, and its business was not primarily about data, data was a material asset in its business.
Protecting its data (a key asset) should perhaps have been given a higher priority in light of the obvious risk of a breach. While only a full investigation will reveal whether Ashley Madison was in any way at fault for allowing the hack, we can nevertheless draw on the fallout to motivate governing bodies to put in place appropriate policies that lead to constructive measures: understanding the value of their data assets and ensuring adequate protection of them.
It is the responsibility of each organisation, individually, to identify the specific actions required to implement the principles, giving due consideration to the nature of the organisation, and appropriate analysis of the aspects referred to above.
And this leads us into the next tier of consideration, Data Governance/Management - but more on that next time.