What is data governance?
Data governance is the set of processes, rules, and standards that aim to ensure the collection, processing, and protection of data at all stages of its lifecycle, right up to its destruction (this is referred to as the data lifecycle). Within organizations, data governance affects many areas, from security to analysis.
In addition to the CISO, many positions are responsible for data management: DPO (Data Protection Officer), Data Scientist, Data Manager, Big Data Developer, Data Miner, Data Analyst, Big Data Architect, Business Intelligence Manager, etc.
It is through these so-called "Big Data" professions that data governance ensures the proper use of data by all departments within the company. By being data-driven, the company can thus inform its decision-making.
For Jocelyn Montjaux, Cybersecurity Product Manager and DPO at Tenacy, the goal of data governance is to "ensure that all data handled within the company is properly collected, protected, and destroyed at the end of its useful life. Depending on the type of data, its availability and confidentiality will vary. That's why data mapping is essential to determine the appropriate levels of protection and security."
Indeed, every company has its own needs in terms of data governance and mapping. Some data will be non-confidential but must still be available for the organization to function properly. Other data, however, will be confidential and have a lower degree of availability than usual.
Data governance is therefore essential to ensure your organization's compliance and improve its performance. Here are five tips to implement an effective and efficient data governance strategy.
1. Integrate business lines into the data governance strategy
Who is responsible for data? This is a common question within organizations. And since many professions and stakeholders are involved, it is important to clearly redefine the role of the CISO. They are responsible for implementing protective measures (once the data owner has identified the protection requirements to be applied) and monitoring their proper functioning. However, they are not responsible for data collection or processing.
Every profession generates an increasingly large volume of data. Here are a few examples:
- customer data;
- sensitive data for the organization (technological patents, strategic decisions, etc.) or sensitive data as defined by the CNIL (including health data);
- personal data;
- reference data;
- collected data;
- business or operational data;
- raw data;
- data produced.
In terms of the strategic aspect of data governance, all of the company's business lines are therefore stakeholders.
Who could be better placed to catalog data than those who handle it on a daily basis? Jocelyn Montjaux emphasizes the importance of breaking down silos for a data governance strategy to be effective: "You have to treat company data holistically, not just IT data. The CISO cannot be alone in this project. That's why it's important to involve the business units in this process and engage them in the strategy."
Don't overlook the various professions and involve the different departments in your organization to identify all the data sets!
2. Perform a risk analysis on each dataset
Risk analysis will inevitably be necessary at some point in your data governance strategy!
Jocelyn Montjaux confirms: "There is a kind of synergy between risk analysis and data governance. Those responsible for data governance are led to ask themselves the same questions as during a risk analysis, with a focus on data."
Once the data sets have been identified and a classification determined to decide which protection mechanisms should be put in place, it is necessary to understand the threats to this data, particularly in terms of confidentiality. Data analysis carried out from the perspective of the inherent risks to the organization must therefore be an integral part of your governance strategy.
3. Remember to include the aspect of data confidentiality
Generally, data governance is associated with data availability.
What is the maximum acceptable interruption time for data? What is the acceptable time frame for recovering data without jeopardizing an organization's activities? The concepts of recovery time objective (RTO) and recovery point objective (RPO) are taken into account in data governance strategies. However, the criterion of data confidentiality is not systematically considered.
Jocelyn Montjaux advises not to overlook this aspect: "Don't just think about data availability when implementing data governance. Be sure to include elements related to privacy. This is required anyway when it comes to the GDPR, for example, since this regulation mainly concerns data confidentiality."
4. Integrate the concept of sovereign cloud into your hosting requests
Big Data solutions, data warehouses (or relational databases), DMPs (data management platforms), data visualization tools or decision-making tools, ERPs (enterprise resource planning software systems), CRMs (customer relationship management tools), MDMs (master data management)... An entire data management ecosystem has emerged over the last decade.
Increasingly, companies are required to manage services rather than infrastructure. Deployment time is generally faster than installing the corresponding infrastructure in a data center and finding people to install and configure servers.
Hosting data in the cloud is therefore becoming increasingly common. Did you realize that choosing a SaaS hosting provider means choosing the legislation to which your data will be subject?
Let's take the example of the leaders in the cloud computing market. These are American companies, and therefore subject to US law, particularly two major pieces of legislation:
- the Patriot Act, which, following the attacks of September 11, 2001, allows government agencies such as the FBI, the NSA, and even the CIA to obtain information in the context of an investigation relating to national security;
- the Cloud Act, which, since 2018, requires US cloud companies to disclose data to US or foreign law enforcement agencies or governments (depending on agreements), even if it is stored outside the United States.
But data confidentiality is a fundamental aspect of governance!
When applying the General Data Protection Regulation (GDPR), for sensitive areas or even for local authorities, it is easier to require from the outset of the project that the hosting provider have servers in France or at least in Europe. This avoids data confidentiality issues.
ANSSI, in collaboration with CNIL, offers the SecNumCloud standard for cloud hosting providers, which includes requirements relating to data protection. The confidentiality of your data also depends on your choice of cloud hosting provider!
5. Remember that your subcontractors also manage your data
Responsibility for data processing is sometimes delegated to subcontractors. With the entry into force of the GDPR, regulations on personal data apply to both the data controller and the subcontractor (acting on behalf of its client).
According to Jocelyn Montjaux, "we must ensure that suppliers include data processing requirements. We must specify what needs to be done and check that it is done properly!"
Audits, questionnaires, specific clauses in contracts with suppliers, security assurance plans... these are all tools you can use to ensure that your subcontractors are managing data properly.
By adopting these five tips, you will be ready to effectively define your data governance strategy and ensure the security of your company's data.