Regulatory obligations, data-driven organization, storage cost optimization, data enhancement... whatever your company's objectives, it's all a question of data. From collection to destruction, companies are responsible for the information and data they hold. That's why it's essential to define an effective data governance strategy.

What is data governance?

Data governance is the set of processes, rules and standards designed to ensure that data is collected, processed and protected at every stage of its lifecycle, right through to its destruction (this is known as the data lifecycle). Within organizations, data governance touches on many areas, from security to analysis.

In addition to the CISO, many other positions are responsible for data management: DPO (Data Protection Officer), Data Scientist, Data Manager, Big Data developer, Data miner, Data Analyst, Big Data Architect, Business Intelligence Manager...

It is through these so-called "Big Data" professions that data governance ensures data is properly exploited by all the company's departments. This data-driven approach enables companies to make informed decisions.

For Jocelyn Montjaux, Cybersecurity Product Manager and DPO at Tenacy, the aim of data governance is to "ensure that all data handled within the company is properly collected, protected and destroyed once it has been used. Depending on the type of data, data availability and confidentiality will differ. This is why data mapping is essential to determine the appropriate levels of protection and security."

Indeed, each company has its own specific needs in terms of data governance and mapping. Some data will be non-confidential but must always be available for the smooth running of the organization. Other data will be confidential but can tolerate a lower degree of availability than is usually required.

Data governance is therefore essential to ensure organizational compliance and improve performance. Here are 5 tips for establishing an effective and efficient data governance strategy. 

  • 1. Integrate the business into your data governance strategy

    Who is responsible for data? It's a question often asked within organizations. With so many business lines and players involved, it's important to clearly define the role of the CISO. He or she is responsible for putting in place the means of protection (once the data owner has identified the protection requirements to be applied) and for monitoring their proper operation. However, he or she is not responsible for data collection or processing.

    Each business generates an ever-increasing volume of data. Here are just a few examples:

    • customer data;
    • sensitive data for the organization (technological patents, strategic decisions, etc.) or sensitive data in the sense described by the CNIL (including health data);
    • personal data;
    • reference data;
    • collected data;
    • business or operational data;
    • raw data;
    • produced data.

    When it comes to the strategic aspect of data governance, all the company's business lines are therefore stakeholders.

    Who could be better placed to catalogue data than those who handle it on a daily basis? Jocelyn Montjaux stresses the importance of breaking down silos for a data governance strategy to be effective: "You have to deal with the whole company's data, not just IT data. The CISO cannot be alone in this project. That's why it's important to involve the business units in this reflection and to engage them in the strategy."

    Don't overlook the business side of things, and involve the various departments in your organization to identify all the data sets!

  • 2. Perform a risk analysis on each dataset

    Risk analysis is bound to be necessary at some point in your data governance strategy!

    Jocelyn Montjaux confirms: "There's a kind of synergy between risk analysis and data governance. The people in charge of data governance have to ask themselves the same questions as in a risk analysis, with a focus on data."

    Once the data sets have been identified and a classification has been determined in order to decide on the protection mechanisms to put in place, you need to understand what the threats to this data are, particularly in terms of confidentiality. Analyzing each data set from the point of view of the risks it carries for the organization must then form an integral part of your governance strategy.

  • 3. Don't forget to include the data confidentiality aspect

    Data governance is generally associated with data availability.

    What is the maximum acceptable duration of a data interruption? How much data, measured in time since the last recoverable copy, can be lost without jeopardizing the organization's activity? These two notions, Recovery Time Objective (RTO) and Recovery Point Objective (RPO), are generally well covered in data governance strategies. But data confidentiality is not systematically taken into account.

    Jocelyn Montjaux advises against neglecting this aspect: "Don't just think in terms of data availability when implementing data governance. Don't forget to include elements relating to the confidentiality of your data. This is required anyway when we talk about the GDPR, for example, since this regulation focuses mainly on the data confidentiality part."

  • 4. Integrate the notion of sovereign cloud into your hosting requirements

    Big Data solutions, data warehouses, DMPs (data management platforms), data visualization tools, ERP (enterprise resource planning), CRM (customer relationship management), MDM (master data management)... A whole data management ecosystem has emerged over the last decade.

    Increasingly, companies are called upon to manage services rather than infrastructure. Deployment is generally faster than installing the corresponding infrastructure in a datacenter and finding people to install and configure servers.

    Hosting your data in the cloud is therefore becoming increasingly commonplace. But did you know that choosing a cloud or SaaS provider also means choosing the legislation to which your data will be subject?

    Let's take the Cloud Computing market leaders as an example. These are American players, and therefore subject to US law, and in particular to two major pieces of legislation: 

    • the Patriot Act, which, in the wake of the September 11, 2001 attacks, allows government agencies such as the FBI, NSA and CIA to obtain information as part of a national security investigation;
    • the CLOUD Act which, since 2018, requires US-based cloud providers to hand over data in their possession, custody or control to US law enforcement under valid legal process, even when that data is stored outside the US, and which allows executive agreements giving certain foreign governments a similar route to request data.

    Data confidentiality is a fundamental aspect of governance!

    In the context of the General Data Protection Regulation (GDPR), for sensitive domains or for public institutions, it's easier to require from the outset of the project that the hosting provider operate servers in France, or at least in Europe. This limits exposure to extraterritorial access and the associated data confidentiality problems.

    The ANSSI, in collaboration with the CNIL, offers the SecNumCloud security qualification for cloud service providers, which includes data protection requirements. The confidentiality of your data also depends on your choice of cloud hosting provider!

  • 5. Don't forget that your subcontractors also manage your data

    Responsibility for data processing is sometimes delegated to subcontractors. With the entry into force of the GDPR, the regulations on personal data apply both to the controller and to the processor (acting on behalf of its customer).

    According to Jocelyn Montjaux, "you have to make sure that suppliers include data processing requirements. You have to tell them what needs to be done, and check that it's done properly!"

    Audits, questionnaires, specific clauses in supplier contracts, security assurance plans... these are just some of the tools you can use to ensure that your subcontractors manage your data properly.

By adopting these 5 tips, you'll be ready to effectively define your data governance strategy and ensure the security of your company's data.