In a world of an ever increasing volume of data, there is little room for businesses to be complacent when it comes to data governance and management. Organisations are increasingly becoming exposed and vulnerable to cyber-attacks which by their very nature compromise the security and integrity of the data an organisation holds. Key to managing this risk is understanding and addressing the risk, so as to respond most effectively in the event of a breach.

Whilst a conversation around 'governing and managing data' can be daunting, organisations must be proactive in how they think about data as an asset and as to how it is managed.

Implementing a data governance framework (framework) is a key first step in this process, and business should ensure that a strong data governance framework is applied for the regulation and organisation of their data.

What is data governance and why is it important?

Data governance refers to the process of organisation of an enterprise's data, involving an enterprise-wide system of policies, procedures and controls to ensure that data is properly monitored, stored and managed. Governance should be designed, implemented so as to follow the full life cycle of data from inception through to destruction.

As an asset, data can be used to identify new business streams and target markets and to leverage growth of an organisation.  Ineffective governance and management can lead to issues with data integrity, quality and security, which leads to data, as an asset, not being used in the most effective way possible.  To use data effectively, it must be managed efficiently.  A solid data governance framework will help organisations realise data's true potential.

Tips when considering a data governance framework

The following tips are useful to consider when implementing a data governance framework. Organisations should keep in mind that frameworks vary depending on the data held, the organisations structure, size and sector, as well as management's priorities as to data quality, privacy, compliance and security.

  1. Clearly establish the goals and purpose your framework

The overall vision and goals for the data governance framework must be clear, simple, and precise.  Before standing out, consider why your organisation wants a data governance framework.  What are the key goals and priorities?  Only put governance where needed.

  1. Identify your data

Organisations need to first understand what data they have before it can be managed. These may include personal information, financial data and/or business and employee records.  Again, consider priorities.  What information is more valuable; what information demands more protection from a legal/regulatory standpoint? What are the ramifications of not managing certain data effectively?

  1. Identify your stakeholders and accountabilities

Select sponsors, owners, and participants for different sets of data, and establish processes focused on results. Prioritise those selections based on business need.

Communicate the activities of the framework often, and to all of the business's stakeholders.

  1. Establish and monitor standards, policy and procedures

Keep the governance model as simple as possible and make sure that all tasks are adding value to the overall organisation. Organisations need to recognise that "one size does not fit all" when it comes to governance.  Design policies, standards, and processes for the entire organisation and try to incorporate or build around assessment policies.  Do not reinvent the wheel.

  1. Establish and monitor relevant laws and regulations

Keep an eye on evolving legal and regulatory obligations, which often expect good data governance and which are increasingly becoming more onerous in the event of a data breach. Both local and international standards continue to evolve as awareness as to privacy and data security increases.

Having a proper framework in place could assist in your compliance with Australia as new mandatory data reporting laws, which are due to become law on or before  22  February 2018.  Once implemented, organisations will need processes in place to consider whether an incident involving personal information is an "eligible data breach".  Building this process into a broader framework will ensure an organisation is ready to address the new laws, as and when they go live, will be more important now that mandatory data reporting is on the way for 'eligible data breaches'.1

  1. Establish a plan to implement in the event of a breach

Establish compliance breach response plan to assist your organisation in preparing and responding to data breaches.  To do so, you must understand the organisation's risks and obligations and how the organisation can mitigate loss through its implemented policies, procedures whilst maintaining compliance with laws and regulations. Employees should be effectively trained in privacy and security and this should be an integral part of business operations.

Establishing a data governance framework is extensive and daunting. However, being able to manage and implement an effective framework will present businesses with a competitive advantage and ensure that data is held securely and with integrity to realise its true value.

Clyde & Co advises clients on a broad range of privacy related matters, including in assisting businesses address their legal and regulatory obligations as well as in preparing for and responding to data breaches. We offer fixed price privacy packages to provide certainty and to help you effectively manage your legal costs.

We are proud to be a privacy partner of the Office of the Australian Information Commissioner's (OAIC) Privacy Awareness Week, which is being held from Monday 15 May to Friday 19 May. The week promotes awareness and discussion with business, government agencies and the broader community on how to protect and respect the privacy rights of Australian citizens.

We are sharing a series of updates on privacy throughout the week. You can see yesterday's here.


1. Privacy Amendment (Notifiable Data Breaches) Act 2017 introduced in February 2017; ASIC and APRA have also released reports: APRA: Prudential Practice Guide CPG 235: Managing Data Risk; ASIC: Release of report 429 Cyber Resilience: Health Check (March 2015), ASIC's Corporate Plan – emphasis on cyber resilience and gatekeepers (2016 and 2016), Assessment report on the cyber resilience of ASX and Chi-X companies (March 2016)

Have No Fear, Data Governance Is Here: Tips To Securing Your Organisation's Data

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.