On the Business Value of a Conceptual Data Policy Definition

By on

Click to learn more about author Daniele Gianni.

Concerns on the collection, use, and dissemination of data are central to many enterprises that directly deal with customer data to provide information services. These concerns originated from an increasing awareness of the value of privacy as well as recent government regulations, not only aiming to protect the privacy of individuals but also aiming to limit the possibility of data abuse to create unfair information-based competitive advantages. This is particularly true for enterprises that have a business model that is directly (e.g., through information services) or indirectly (i.e., by using the information to deliver their services) based on data.

To address these concerns, enterprises define and publish data policies as (often long) contracts in legal (natural) language to which they commit and which they required the users/customers to agree in exchange for the (free or paid) consumption of the enterprise’s services. The problem of an unambiguous interpretation of the contract, as well as the proof of the compliance of the organizational assets, still remains despite legal and auditing/quality means to address them.

Traditionally, in systems engineering, conceptual models are used to represent complex concepts and to unambiguously specify requirements. [1] Particularly, modeling methodologies enriched with or based on verbalization facilities, such as the ORM or SBVR, are often used to reach an unambiguous interpretation of requirements and data concepts with a business audience or with a technical audience in international projects. [2, 3, 4] Specifically, the former group may not have the understanding of technicalities of modeling languages; the latter group may be affected by the misinterpretation of natural language expressions by non-native speakers.

Business Value of a Conceptual Definition

Leveraging on these experiences, we argue that applying a similar approach (i.e., based on conceptual modeling and verbalization using a controlled natural language) to the definition of data policies could bring business value in the form of the following benefits:

  • Definition and Interpretation: a higher level of clarity by means of a standardized format and lower level of ambiguity due to modeling structures and concepts verbalization
  • Compliance: a digital format that can be deployed as digital format and traced to the enterprise architecture and potentially throughout the data item lifecycle, therefore becoming an important part of the enterprise architecture governance [5]

In turn, these benefits have the potential to provide the adopting enterprise with and strategically enable trust among stakeholders (specifically the data owner, data providers, data consumers, and regulators). Particularly, the enterprise would gain more trust as:

  • Data policy requirements are unambiguously specified and are verified (internal consistency)
  • Data policy requirements can be verified (external consistency) by tracing them onto the Enterprise and Data Architecture, and potentially also on the physical implementation (through software-defined networking and virtualized network function technologies).

Moreover, this approach does not introduce any knowledge or skills barrier as many conceptual modeling languages, such as ORM, are also provided with verbalization facilities that can be used to describe a constrained natural language, both the data policy format and the respective instances.

Data Policy Concept (Example) Identification

It’s key for the business enabler to gain trust by formally agreeing on an unambiguous definition of a data policy. Therefore, the key is (a) to identify the concept of data policy and (b) to provide the structure for an unambiguous data policy definition.

  1. This point can be addressed in two steps: By using Bono’s thinking tools to identify the possible questions and to speculate on the possible range of answers to these questions. Our preliminary set of questions is in Figure 1.
  2. It depends on the specific domain and context for which the data policies are to be defined. Example of possible answers are listed below for domains such as space data, for instance. [6]
Figure 1: Data Policy — Concept Identification
Image Source: “SSA-DPM: A Model-based Methodology for the Definition and Verification of European Space Situational Awareness Data Policy”

The ORM conceptual model can be derived from (a) and (b) by using the ORM conceptual schema procedure. For the sake of conciseness, the appendix shows two simple excerpts, which are to be further linked to other sub-diagrams to detail the definition of concepts such as data authority, data producer, metadata, etc.

Excerpt of An Example Data Policy

For the sake of conciseness, we defined a simple example data policy by using the above questions, the identified possible range of answers, and the structure defined by the data policy conceptual model in the appendix. Below is an excerpt of a data policy verbalization using an SBVR-like style for the provisioning and use of personal identification data by an enterprise. The following convention is adopted:

For example, for Enterprise ABC, the data policy for Personal Identification Data would appear as (simplified):


In this article, we argue that a conceptual definition of data policy can become a strategic business enabler for enterprises to more easily gain stakeholder trust to collect, use, process, and disseminate data. It enables based on two benefits that stakeholders would receive:

  • Clear, standard, and unambiguous data policy definition
  • Easier enterprise auditability by means of traceability links to the data policy (as digital object)


[1] Wayne Wymore, A., Model-Based Systems Engineering, 1993, CRC Press

[2] Halpin, T, and Morgan, T (2008). Information Modeling and Relational Databases, 2nd edition, Morgan Kaufmann. ISBN: 978-0123735683.

[3] Lemmens, I., Sgaramella, F., Valera, S. “Development of Tooling to Support Fact-Oriented Modeling at ESA,” On the Move to Meaningful Internet Systems, OTM Workshops, 2009: 714-722.

[4] Valera, S., “Automatic Generation of Database MMI from a Domain Ontology AuGeMMI,” International Workshop on Fact-Oriented Modelling, ORM 2014, September 2014

[5] Gianni, D. (2015). Data Policy Definition and Verification for System of Systems Governance. In Modeling and Simulation Support for System of Systems Engineering Applications (eds L.B. Rainey and A. Tolk)

[6] Gianni, D, et al., “SSA-DPM: A Model-based Methodology for the Definition and Verification of European Space Situational Awareness Data Policy,” Proceedings of the 1st European Space Surveillance Conference, June 2011.

[7] Curland, M. and Halpin, T., “The NORMA Software Tool for ORM 2,” “Information Systems Evolution,” 2011, Springer Verlag, pp. 190-204

We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept