Creating data governance policy documents
A policy is an agreed-upon approach for guiding decisions to reach certain outcomes. Policies steer day-to-day actions in support of an organization’s philosophy, strategy, and the requirements of the marketplace, including laws and regulations.
Policies are more than just rules; they communicate an organization’s values and culture.
Some basic data governance policies may include:
- Data access policy: This policy describes the organization’s approach to managing data security and the conditions in which a team member is granted access to data. It includes areas such as approval and security requirements.
- Data usage policy: This policy describes the manner in which the organization expects data to be managed. It includes descriptions of what it considers data mishandling, unethical use, and the requirement to adhere to privacy laws and regulations.
- Data provenance policy: This policy describes the expectation that certain data, such as that used in clinical trials, can be traced back to its original source and creation. It includes which business functions and data types are in scope, documentation requirements, and the requirement to record access information from the time the data was created.
A seven-step process to developing a policy
The following process can help your organization develop policies that are meaningful, helpful, and consistent:
1. Understand: Fully analyze and document the drivers and goals of the policy. Seek approval of requirements by the right stakeholders before proceeding.
2. Research: Explore what other organizations are doing. Determine if a similar policy exists in your organization.
3. Create: Draft the policy and procedures. Collaborate with others to ensure diverse and detailed input. Be clear and concise. Avoid jargon.
4. Review: Circulate the policy widely for review and validation. Incorporate feedback.
5. Approve: Seek appropriate approval.
6. Implement: Communicate the policy. Offer training on the policy.
7. Review: Perform regular reviews and updates of the policy and procedures.
Creating the data governance policy document
Once a policy has been identified for creation, you need to produce the actual policy (Step 3). I suggest that the data governance office agree on a standard template, working in collaboration with other stakeholders.
Consistency in documentation improves predictability and, as a result, reduces the burden on policy stakeholders of deciphering different formats.
Here are the minimum suggested items to include in a data governance policy template:
- Document ID: Using a unique identifier supports search and referencing.
- Policy name: Use a name that is meaningful. For example, Data Quality and Integrity.
- Date created: Knowing when the policy was created is useful for historical and reference purposes.
- Last updated: This date lets the user know how current the policy is.
- Owner: This could be the data owner, the business function, Chief Data Officer (CDO), or other. Don’t use an actual name. Instead refer to the role.
- Purpose: This describes the reason for the policy. It should include how the policy supports the goals of the organization.
- Scope: Here you include who and what is impacted by the policy.
- Rules: This is a description or list of the rules that guide the policy.
- Roles and responsibilities: This section lists specific stakeholders and their obligations.
- Procedure: If appropriate, here’s where you list the specific steps that must be taken in support of the policy.
- Definitions (optional): I suggest including this as a way to explain any jargon that’s unfamiliar to the user.
- Resources: This section lists resources such as the laws and regulations that are driving the policy. It can also be links and citations to resources where users can learn more about the broader context of the policy. For example, it could include a link to understand the penalties of non-compliance.
- Review process (optional): This section outlines details on the review process, such as how often and by whom it is updated.
Responsibilities of a data governance council
On any given day, at any given moment, data responsibility is in the hands of data users. These are team members who handle data in the course of their work. Consider anyone who enters data, creates a report, submits a query, or builds an application. It could be anyone from an intern right through to a senior executive.
With the implementation of a data governance program, the data responsibilities of team members take on importance and urgency.
These obligations are the result of teams that are created to deliver and support the goals of the data governance program. These teams have responsibilities that include deploying and overseeing strategy, creating standards, enforcing rules, and operating and maintaining the program.
One of the most important leadership teams that provides strategic oversight for an organization’s data governance program is the data governance council.
The purpose of a data governance council
A data governance council (DGC) — also referred to as a data governance board or data governance committee — is an organization’s overall governing body for data governance strategy and support. Its priorities include approving policies and standards, prioritizing data efforts, enforcing policies and standards, and communicating value up and down the organization.
The DGC empowers the entire organization to create value with data while also ensuring compliance with security, privacy, and other regulations.
The DGC is composed of a variety of participants who appropriately represent the organization. The team should reflect available resources, capacity, and need. If the DGC is overstaffed, people will criticize it as overkill. If it is understaffed, it won’t have sufficient capacity to provide effective oversight.
The council can be run by a nominated executive, although if that is the approach, data skills and experience should be a consideration. Often, the Chief Information Officer, Chief Data Officer, or data governance manager is assigned to lead the team.
Members of the DGC, sometimes referred to as data governors, often include one or more of the following:
- Representatives from each major business function
- Enterprise data steward
- IT manager
- Security analyst
- Legal analyst
- Auditor
- Representative for data users
- Depending on who is running the council, the CIO, CDO, CISO, or data governance manager
Specific responsibilities of the DGC include:
- Approving standards, procedures, and policies. Smaller organizations may require the DGC to create these too
- Approving funds for data governance efforts
- Reviewing and approving data tools
- Establishing data governance goals and overseeing progress
- Prioritizing data projects
- Providing guidance and actions to the data stewardship council (DSC) — the team made up of the organization’s data stewards
- Resolving enterprise-wide data issues that can’t be resolved by the DSC
- Communicating and promoting the value of data governance across the organization
- Enforcing the data governance program
- Evaluating the effectiveness of the data governance program and initiating course corrections as necessary
- Overseeing the ethical use of data