Dear Laura: What About Data Governance Policies?


Click to learn more about author Laura Madsen.

Last year I wrote the book “Disrupting Data Governance” because I firmly believe that poor Data Governance (DG) programs are getting in the way of data programs being as successful as possible. As I’ve been working to challenge the status quo on Data Governance, I get a lot of questions about how it will “really” work. I’m going to start sharing these questions and answers on this DATAVERSITY® Blog entitled “Dear Laura” (hey, I’m a data guru, not a marketing guru!). I wanted to start with this question because I suspect that many people have this same question, I answer it a lot, and it’s a good one!

“Hi Laura, I’m curious…in an Agile Data Governance environment, where do Data Governance policies fit in? I know you aren’t a big fan of committees and standing meetings, but it seems that policies are still a key piece? 


Curious in NY”

Hi Curious,

Great question, thanks for sharing it! I can certainly appreciate a highly regulated industry; I have spent most of my career in healthcare. I have been on the receiving end of audits, investigations, and confidential legal discussions. I’d like to avoid those situations in the future, and it is one of the key reasons why I started taking apart DG as we know it.

First, without question, policies and procedures to comply with regulatory standards are critical. They don’t go away; they’re just not the job of DG. I’ll repeat that for those in the back: policies are not the accountability of the Data Governance team. In the RACI (Responsible, Accountable, Consulted, Informed) model of Data Governance, we must flip the switch in terms of accountability for these efforts. The reason this is so critical, and I assume this is true in many regulated industries as in healthcare, is that the rules and laws are so vast. The technology that solves these is also much more advanced and, it turns out, data people are not experts in either one of those things! For a long time, though, we have been expected to be experts because data teams are the closest to the data. So in the “other” bucket of DG, we threw in policies and procedures, security protocols, audit prep, etc. because someone had to do it.

Now, most organizations have privacy officers and information security professionals (at least one). Those folks are accountable for the creation of the policies and procedures, your infosec group is responsible for the technology solutions that address privacy and compliance, and you, as the DG leader, are responsible for ensuring that they are executed in the data environment. Notice I say “responsible”, not “accountable”. A small but important distinction. The creation of the policies and procedures still does exist and follows all the standards we have come to expect of regulatory requirements, and Data Governance is just one of the recipients of those requirements. Your job is to operationalize those efforts into your data environment. Which, by the way, is hard. This approach, from the policy to the execution, creates operational integrity not just for your Data Governance efforts but also for the privacy, security, compliance, and risk functions in your organizations.

Do you have a question you would like me to answer?  Email me at Laura at viagurus dot com for consideration in the next “Dear Laura” blog. 
