Essential Data Governance Strategies

The document outlines the importance of data governance in managing data quality, compliance, and security in a digital economy. It emphasizes the need for a comprehensive data governance strategy to address the challenges of Big Data and emerging technologies while ensuring ethical considerations and regulatory compliance. The guide also presents a framework for building effective data governance programs to enhance business intelligence and mitigate risks.


THE COMPREHENSIVE GUIDE TO DATA GOVERNANCE

THE CASE FOR DATA GOVERNANCE
Data is the lifeblood of an increasingly digital economy. Emerging technologies have helped
streamline and optimize processes with new and innovative uses of data, but they also
expose businesses to significant risk across a continually shifting landscape of threats and
vulnerabilities. With increased implementation of artificial intelligence, machine learning,
the Internet of Things (IoT) devices, robotic process automation and more, there has never
been more information to harness—and to insulate from risk.

Whether they like it or not, companies large and small find themselves awash in data
from many different sources, with increasingly varied formats and levels of quality and
completeness. There is no choice but to confront Big Data, and the broad swath of
challenges it creates, with a comprehensive data governance strategy that extends across—
and, ideally, beyond—the enterprise.

SPOTLIGHT: What Is Data Governance?

Data governance is the overall management of data availability, usability, accuracy, integrity and protection across the enterprise. The fundamental goal is to ensure that enterprise data maintains a certain level of quality to make informed decisions while ensuring that companies remain in compliance—not only for the business, but also for partners, customers, regulators and other key stakeholders.

VISION: Powering actionable insights via the optimal use of information assets.

PURPOSE: Understand and govern information, its accuracy and reliability while adhering to policies and procedures and regulations.

OBJECTIVES: Ensure the data is available, catalogued and protected to be utilized for business intelligence and operations while following regulations and legal requirements.

REQUIREMENTS: Develop and adopt an enterprise-wide program that holds data custodians accountable for managing data and information to ensure that knowledge workers understand their responsibilities in protecting and leveraging data and information throughout the organization.

PRIVACY AND SECURITY IN THE FACE OF INCREASED THREATS AND REGULATIONS

Because of the potentially grave consequences of a security incident, concerns about data protection are often top of mind. Escalating cyber-attacks, including sophisticated nation-state attacks and insider threats, have shown time and again that threat actors are adept at exploiting vulnerabilities, costing businesses trillions of dollars each year. Notable privacy breaches affecting hundreds of millions of people have occurred at a number of major companies.

From a compliance standpoint, sophisticated data governance can protect the privacy of personal data and increase security to reduce the likelihood of a data breach, as well as reduce the possibility of regulatory fines associated with the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and pending legislation at the state, national and international levels.

However, avoiding a breach is only one aspect of data governance. Big Data also raises a litany of ethical concerns that demand a data ethics program to protect the rights and freedoms of data subjects. The ethical concerns include the need to reduce bias; provide notice; limit collection to adequate, relevant and proportional information; increase processing transparency and understandability; and prevent misuse or abuse of data.

Beyond the ethical considerations, if organizations don’t know what relevant data they have or can’t find the data they need, then it can’t be used for its intended purpose or even properly protected.

IMPROVING ENTERPRISE VALUE AND BUSINESS INTELLIGENCE

Effective governance is the key to unlocking the value of data. Everyone understands that data can be an asset when exploited. It can have a direct impact on company profitability and top-line revenue growth, yield a competitive advantage and foster market differentiation. Proper governance is equally essential to increasing revenues, mitigating risk and reducing costs.

According to research from Forrester, “insight-driven” organizations are sustaining an average of more than 30% growth annually, eight times faster than global GDP. But converting data to actionable insights is easier said than done. The challenge comes with managing the sheer amount of information as Big Data gets bigger.

Businesses can acquire data easily, but determining how to wrangle it into some semblance of order presents a significant hurdle. In an era of smartphones and IoT, data not only proliferates at exponential rates, it’s increasingly unstructured—meaning the information format doesn’t fit within conventional databases.

A significant portion of enterprise data collected is either trivial, irrelevant with no business value or cannot be read by the systems in place. Extracting insight from data is also constrained by inconsistent naming conventions, duplicate data and incomplete records—problems that adoption of standard information models and schemas through Master Data Management can address.

According to a 2019 IDC infobrief, data workers waste 44% of their time each week on data preparation alone—time that could be better spent on analysis to yield insights. Streamlining the insight discovery process starts with getting your data house in order. Harnessing analytics more effectively can also help bring dark data into the light, yielding significant insights from information that otherwise might grow stale or remain unanalyzed.

So, data governance programs must be designed to both leverage data as an asset and fortify its protection. To accomplish this, each organization must assess its unique governance needs to determine which policies, procedures and practices are required to ensure harmonization with regulatory frameworks, while also providing the ability to build a holistic governance program to address those obligations and business needs.

BUILDING A HOLISTIC PROGRAM WITH BDO’S DATA GOVERNANCE FRAMEWORK® (DGF)

How do you build a world-class data governance program to increase agility and insight, while bolstering data privacy, cybersecurity, compliance and litigation readiness? The solutions will vary, depending on the level of sophistication of your current program, the complexity of systems throughout the organization, the nature of how you consume and use data, and the applicable rules and regulations. For some organizations, it’s the Wild West, where harnessing disparate data assets could take significant time and financial investment. For others, data governance has long been a priority, and it’s just a matter of updating and refining. While there is no one-size-fits-all approach, you can generally follow four basic steps to build and maintain strong data governance: Assess, Design, Implement, and Monitor & Govern.

Assess
- Assess business priorities, data opportunities and risks
- Build prioritized data governance roadmap and compliance path

Design
- Design data governance blueprint and foundational elements such as people, process, technology, and controls

Implement
- Roll out quick wins
- Build and roll out new technologies, and business and governance processes
- Train resources

Monitor & Govern
- Establish metrics
- Assess and audit compliance to govern and continuously improve

SPOTLIGHT: The Benefits of Sound Data Governance

Time to Market:
- Increased throughput due to data minimization
- Reduced time needed to design, test and implement new data-driven solutions
- Greater value derived from solutions due to enterprise-wide data integration

Business Value:
- Decreased complexity of business solutions
- Efficient use of capital as investments are coordinated
- Ability to leverage leading practices and solutions between teams

Cost and Efficiency:
- Lower risk of project failure/cost overruns
- Increased resource flexibility across projects
- Lower support and maintenance costs due to standardization and consolidation of redundancies

BREAKING DOWN THE DATA GOVERNANCE FRAMEWORK TO DEVELOP A CULTURE OF ENTERPRISE INFORMATION GOVERNANCE (EIG)

All organizations want strong and effective data governance, but building this requires following specific steps to ensure success. Technically speaking, the term data governance typically refers to an IT responsibility, whereas the ability to extract business insights from your organization’s data falls under the larger term of enterprise information governance (EIG). The 12-step framework detailed here lays out the requirements for building an EIG program that encompasses data governance as a key aspect.

[Framework diagram: Business Intelligence, Enterprise Content Management, Master Data Management, Data Warehouse]

1. Organization (authority, structure, accountability)

2. Policies and standards

3. Data architecture (data models, information architecture, data quality)

4. Data privacy and protection (by design and default)

5. Data classification, retention and disposition

6. Technology and security architecture, tools and controls

7. Risk monitoring and control

8. Intracompany and third-party accountability

9. Incident management, legal holds and discovery readiness

10. Communications, training and change management

11. Legal/regulatory obligations and compliance

12. Business continuity and resilience



1. ORGANIZATION

Authority & Structure

Establishing effective enterprise information governance begins with a holistic program mandate that addresses data integration and compliance, and articulates the purpose, scope and goals of the program. It should detail the impact on productivity, operational efficiency and risk mitigation, and how these efforts align with IT practices. Specifying problems that impact your organization, how EIG will address these problems and what actions need to be taken to accomplish this will make the efforts concrete and measurable.

Forming an executive committee to lead this process helps set a vision from the top down, which encourages buy-in from all levels. This integrated initiative draws on numerous departments, and it should outline costs and expectations for the program that will require internal resources and technology expenditures. The executive committee should empower a working group with representatives from applicable business functions, and have a primary executive advocate to champion the effort in order to create and maintain momentum across the organization.

DATA GOVERNANCE: Ensure that data is managed as an enterprise asset

- Sponsorship & Strategy: Commitment by the leadership team to follow and support the data governance model
- Organization: Dedicated organization is established to administer program
- Ownership: Data ownership is assigned to the appropriate business function
- Accountability: Data owners are held accountable for data quality

PROCESSES

- Data Quality Monitoring: Quality is monitored within and between applications
- Issue Management: Issues are tracked and managed through prioritization
- Change Control: Changes to data structures are managed through a structured process
- Data Maintenance: Maintenance processes are integrated and coordinated
- Policies: Policies are developed/enforced and compliance is tested
- Standards: Data standards are mandated and compliance tested
- Technology: Technology architecture that defines the required data tools and system linkages to fulfill the enterprise data management objectives
- Compliance
- Change Management & Training: Role-specific training and change management

Accountability
Accountability throughout the process also helps keep the efforts
on track to succeed. The structure of the governance program
should assign responsibilities to different roles in your organization
for completing various tasks in the process.
The RASCI (Responsible, Accountable, Support, Consulted and Informed) responsibility assignment matrix helps to specify these duties and details the relationship between the executive committee, working group and coordinator network. This sets a common vision to align data with current and future business objectives, which maximizes enterprise value in terms of operations and outcomes. The parts of the RASCI matrix are:

- Responsible: Assigned to those who do the work to achieve a task.
- Accountable: Assigned to the person in charge of ensuring the proper completion of a task or deliverable. They may delegate work to those at the “Responsible” level but need to confirm and approve that the task has been completed correctly.
- Support: Provides support during the implementation of the activity, process or service.
- Consulted: Assigned to those who provide input about a task or review completed work, often a subject matter expert in the applicable area.
- Informed: Assigned to those who do not have specific duties to complete a task but who should be updated as the work progresses or is completed.

2. POLICIES & STANDARDS

After outlining a clear EIG program mandate and designating teams to drive and implement it, policies and standards must be developed
that incorporate business requirements, best practices and regulatory obligations into the strategy. These will help to ensure data
protection, as well as standardize the use of data and technology by aligning controls and guiding processes that optimize data.
Several industry frameworks enumerate security and compliance requirements for business controls, which vary to some degree based
on industry sector. These are managed by independent groups, including the American Institute of Certified Public Accountants (AICPA),
Data Management Association (DAMA) and National Institute of Standards and Technology (NIST), the last of which falls under the U.S.
Department of Commerce.
When evaluating the appropriate policies that your organization should implement, consider whether the policies consistently meet these primary standards:

- Framework: Ensure that there is a policy about the policies. Develop a policy about how policies should be organized, managed and governed, an acceptable format and when new policies should be developed and updated.
- Governance Structure: The policies clearly address the governance, compliance and regulatory requirements of the organization, and are not created in a vacuum. Once policies are created, they need to be socialized across appropriate teams.
- Uniqueness: Ensure that policies do not overlap and that they are unique to one another. Reference other policies when they complement one another but ensure that policies are not redundant in nature.
- Clear and Consistent Language: When developing your policies, terms should be well defined. Clear and plain language should be used to make the policy easy to understand for the user.
- Exceptions: Whenever necessary, include an exception in the policy for circumstances when the policy might not apply or when an escalation process is required to bypass the policy.

Some key policies that are essential for an EIG program include:

- Privacy: The entity provides notice about its privacy policies and procedures, and identifies the types of personal information and the purposes for which personal information is collected, used, retained and disclosed.
- Records Management: The entity must maintain accurate, complete and relevant personal data, and it should ensure that the policy outlines specific uses for personal data along with retention, destruction and change control requirements.
- Acceptable Use: The organization maintains certain standards as it relates to how its employees, contractors or others are required to handle, manage and use data and information assets.
- Mobile Device Use: The entity implements a policy that mandates the use of mobile devices (either corporate or personal devices), establishes reimbursement policies and ensures that it references the Acceptable Use Policy.
- Data Classification: The entity should establish practices around how data is to be classified and apply those classifications to all types of data across the organization (either new or existing).
- Records Retention: The organization should require that all data types are assigned a records retention period to ensure that data is managed accordingly throughout its lifecycle and destroyed appropriately at the end of its life.
Other policies and plans that should be considered include
business continuity, disaster recovery, incident response, and asset
management. Taken as a whole, a set of policies and procedures
that complement regulatory and industry frameworks will help
establish clear processes that enable management and governance
while eliminating any potential blind spots for your business.

3. DATA ARCHITECTURE
Data architecture encompasses all aspects of how data assets are collected, stored and managed throughout the organization, as well as the
policies and standards governing this. The data architect, typically a designated IT professional, oversees the architectural rules, policies,
standards and models to have a complete understanding of how the systems in place are linked and managed, and how these systems are
constructed on the technology infrastructure.
The architect can advise about the benefits, drawbacks and limitations of using different technologies, such as Cloud storage. They should
also stay up to date about new advances in the field to control how any changes to the architecture—such as those prompted by organic
growth or restructuring—could introduce potential problems and vulnerabilities or other downstream effects.

Data Model

An enterprise data model provides the foundation for key practices like master data management, and it can inform initiatives such as data integration. Developing the enterprise data model requires making an integrated visual representation of the creation and use of information in all databases, as well as the rules governing them. This model shows concepts and definitions for applications to provide an understanding of how data is distributed across systems.

The goal is to create a resource that facilitates communication between stakeholders on business teams and the IT staff, who are responsible for the technical and physical implementation of the model. Creating this requires a level of abstraction from application models, which are more complete, such that the data model illustrates key concepts without obscuring these with too much detail.

So, the model will show what data the architecture contains at the conceptual level of data entities, their attributes and their relationship with other entities. Through this, the enterprise data model helps identify and minimize redundancy and errors, while also enabling effective analytics and lifecycle management.

Information Architecture

Information architecture helps maintain consistency of data in both storage and retrieval. To manage enterprise data effectively requires developing models for associated metadata, search and taxonomy. This enables business teams to find and access relevant data when and where they need it. Informed by the data model, information architecture helps align the use of data for business systems across the enterprise.

A metadata model promotes consistent and complete values for associated data to systematically label accurate attributes and relationships for all entities, which will produce better search results for business teams. An effective taxonomy model allows for easy navigation of this information by grouping and classifying it to facilitate business needs. This taxonomy can extend and change as your business grows, but the data architect will need to monitor this to ensure it continues functioning properly.

Data Quality

[Figure: the dimensions of data quality: accuracy, integrity, relevance, accessibility, timeliness, completeness]

According to research by Gartner, poor data quality is estimated to cost organizations an average of $15 million in losses per year, and for some businesses that figure is much higher. In order to help safeguard data quality, your organization should designate a data owner for each domain (e.g., sales, marketing, financial reporting). This owner acts as the primary contact who defines and communicates requirements, as well as assigns access rights for data stewards and users within the domain.

Ensuring quality data requires establishing processes and checking them for accuracy (correct and precise for the intended use), integrity (valid and free from collection bias), accessibility (available to those with permission), completeness (comprehensive and without gaps in necessary information), timeliness (informative during the timeframe of use) and relevance (needed for a business purpose).

In addition to these processes, determining the metrics to confirm data quality will help to monitor these critical efforts and see that the data effectively serves its business purpose. The data owner should work with the data manager—who is often an IT professional that oversees the infrastructure and confirms access protections—to check the established metrics for consistency and confirm that quality is maintained.
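The dimensions above only become useful once they are turned into measurable checks that a data owner can review. The following is an added example, not code from the guide or from BDO: a small Python scorer that evaluates four of those dimensions (completeness, accuracy, integrity measured here as key uniqueness, and timeliness) over a constructed customer extract and produces per-record findings for the data steward. The field names, the reference country list, the 365-day timeliness window and the 0.95 escalation threshold are assumptions chosen for the example.

```python
import re
from datetime import date

# Constructed sample extract for a hypothetical "sales" domain; the values are
# invented for this example and are not taken from the guide.
RECORDS = [
    {"id": "C001", "email": "ana@example.com", "country": "DE", "updated": date(2024, 5, 1)},
    {"id": "C002", "email": "",                "country": "FR", "updated": date(2024, 4, 20)},
    {"id": "C003", "email": "not-an-address",  "country": "US", "updated": date(2021, 1, 3)},
    {"id": "C001", "email": "ana@example.com", "country": "DE", "updated": date(2024, 5, 1)},
    {"id": "C004", "email": "li@example.org",  "country": "XX", "updated": date(2024, 5, 2)},
]
AS_OF = date(2024, 6, 1)

REQUIRED_FIELDS = ("id", "email", "country", "updated")
KNOWN_COUNTRIES = {"DE", "FR", "US"}   # hypothetical reference list maintained by the data owner
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_AGE_DAYS = 365                     # hypothetical timeliness window for this domain


def is_complete(rec):
    """Completeness: every required field is present and non-empty."""
    return all(rec.get(f) not in (None, "") for f in REQUIRED_FIELDS)


def is_accurate(rec):
    """Accuracy: values are well-formed and drawn from the agreed reference set."""
    return bool(EMAIL_RE.match(rec.get("email", ""))) and rec.get("country") in KNOWN_COUNTRIES


def is_timely(rec, as_of):
    """Timeliness: the record was refreshed within the domain's allowed window."""
    return (as_of - rec["updated"]).days <= MAX_AGE_DAYS


def assess_quality(records, as_of):
    """Score the extract on four dimensions, each as a fraction in [0, 1].
    Integrity is measured as key uniqueness: duplicate ids indicate a broken load."""
    n = len(records)
    unique_ids = len({r["id"] for r in records})
    return {
        "completeness": round(sum(is_complete(r) for r in records) / n, 3),
        "accuracy": round(sum(is_accurate(r) for r in records) / n, 3),
        "integrity": round(unique_ids / n, 3),
        "timeliness": round(sum(is_timely(r, as_of) for r in records) / n, 3),
    }


def failing_dimensions(scores, threshold=0.95):
    """Dimensions below the owner's agreed threshold, for escalation to the data manager."""
    return sorted(d for d, s in scores.items() if s < threshold)


def record_issues(records, as_of):
    """Per-record findings so the data steward can correct problems at the source."""
    issues = []
    seen = set()
    for r in records:
        if not is_complete(r):
            issues.append((r["id"], "missing required field"))
        if not is_accurate(r):
            issues.append((r["id"], "value fails format or reference check"))
        if not is_timely(r, as_of):
            issues.append((r["id"], "stale record"))
        if r["id"] in seen:
            issues.append((r["id"], "duplicate key"))
        seen.add(r["id"])
    return issues


if __name__ == "__main__":
    scores = assess_quality(RECORDS, AS_OF)
    print(scores)
    print("needs attention:", failing_dimensions(scores))
    for rid, issue in record_issues(RECORDS, AS_OF):
        print(rid, issue)
```

Accessibility and relevance are deliberately left out: they are properties of the access model and the business purpose rather than of the record values, so they are checked against the domain's access assignments and use cases, not by scanning rows.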

4. DATA PRIVACY & PROTECTION

The public outcry from big-headline data breaches and scandals has forced regulators’ hands around the world. More than a year into the EU’s GDPR legislation, and with CCPA looming, the era of indiscriminate collection and manipulation and distribution of personal data is ending. One aspect of GDPR, Privacy by Design, has helped make consumer privacy a priority in systems that collect and store personal data. While industry privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), are well established, stakeholders on every side of GDPR and the upcoming CCPA are still working out the details and nuances.

As companies and regulators continue to determine how personal data can be used, a parallel conversation has emerged about how it should be used. Compliance with industry standards and regulations is arguably the bare minimum. Privacy and cybersecurity initiatives need to go beyond what a company is required to do. Your organization should also adopt a mindset of thoughtfully measuring the business need for consumers’ data to support operations. Taking a “how would I feel” approach to this can provide consumers with reasonable expectations as to how their data will be used, processed and shared.

To help safeguard data privacy and install proactive protections, best practices include:

- Records: Develop a Records of Processing (ROP) register and rank associated risks, safeguards, retention and data flows.
- External Notice: Update external notices to include details on collection, use, retention, disclosure and disposal of personal information categories.
- Internal Privacy Policy: Develop internal-facing privacy policies incorporating proportionality, adequacy, minimization, purpose or use limitation, storage limitation, accuracy, completeness, security, confidentiality, integrity and accessibility requirements.
- HR Policy: Develop job applicant and employee policies that include details of the lawful basis, data processing and individual rights.
- Choice & Consent: Establish policies and mechanisms for opting in and opting out of data processing, sale, marketing contact and cookies.

7 PRINCIPLES OF PRIVACY BY DESIGN

1. Proactive not Reactive; Preventative not Remedial: Anticipate and prevent data privacy incidents and address privacy risks before they materialize.
2. Privacy as the Default: Privacy is built into the system by default, requiring no action on the part of the individual to protect their privacy.
3. Privacy Embedded in Design: Embed privacy in the design and architecture of IT systems and business processes as a core functionality.
4. Full Functionality: Positive-Sum, Not Zero-Sum: Privacy protections should not and do not need to come at the expense of security or functionality.
5. End-to-End Security & Lifecycle Protection: Embed strong security measures throughout the information management lifecycle, from cradle to grave.
6. Visibility and Transparency: Provide assurance to all stakeholders—users and providers—that data is being used in accordance with stated principles and objectives, subject to independent verification via a compliance and redress mechanism.
7. Respect for User Privacy: Take a user-centric approach to data privacy, prioritizing individual privacy interests and communicating effectively.

5. DATA CLASSIFICATION, RETENTION & DISPOSITION

Data Classification

Overall, effective data management can be realized by establishing consistent practices to ensure data quality throughout the lifecycle, while maintaining processes for minimizing data in accordance with privacy and retention requirements. To prepare for this, data should be standardized in a consistent format, to help with classification and collaboration across business lines as needed.

Key elements of data classification include:

- Establish a standard syntax or “data glossary” for cataloging structured and unstructured data (e.g., metadata).
- Establish rules and policies for how data is accessed, stored, retained and disposed.
- Set metrics for measuring the quality and usability of data assets.
- Diagram current data flows and track data lineage.
- Have a clear understanding for current and future data and analytics use cases.
- Develop an adaptable data reference architecture.
- Determine data storage needs to facilitate information sharing and data integration.

To maximize the full value of enterprise information, you need to be able to extract insights from both structured and unstructured data, in combinations that are seldom predefined. More sophisticated analytics and machine learning initiatives will require a cohesive architecture that integrates both data and analytic applications.

Records Retention & Disposition

Every organization has distinct statutory and regulatory requirements relating to records management. Organizations must view their data disposal policies and procedures not just in terms of these requirements, but also in the context of their broader EIG program, with an eye toward increasing efficiencies and data protection.

The journey of data from creation to disposition requires careful handling and monitoring. The data life cycle has numerous steps and varies depending on industry, but it can be summarized generally as: collect, process, store, use, share, archive, destroy. And responsible data management must implement quality control measures across each step of the life cycle.

Key records management principles to consider include:

- Determine who is accountable and responsible for maintaining retention schedules.
- Align records schedules with business and operational practices, as well as legal obligations.
- Ensure that the record keeping program protects personal records and data.
- Identify and articulate potential legal concerns due to non-compliance.
- Document organizational practices and ensure that data is properly categorized, including public, private, confidential and company secrets.
- Determine safeguards when required during the disposition processes—including shredding documents and destroying electronic assets in the proper manner.
- Update and maintain current retention schedules and policies, and ensure that retention is enforced across the organization.
- Ensure that there is transparency about the organization’s data retention practices, both internally and externally.

“Data hoarding” of files that provide no business or historical value, duplicative information, and “dead” data that hasn’t been used or accessed in years do not just increase data security risks, these also make identifying and accessing relevant information much more time-consuming.

Implementing a data reduction strategy as part of the ordinary course of business is essential to reducing data volumes to manageable levels. Organizations will need to leverage a mixture of data minimization, deduplication, and more sophisticated AI-driven data analysis to limit data collection and retention to only the most pertinent and useful information.
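To show how a retention schedule, the classification categories listed in this section, the "dead data" idea and a legal hold combine into one disposition decision per record, here is an added example in Python; it is not code from the guide or from BDO. The schedule periods, the two-year stale threshold, the record types and the sample records are all constructed for the example and do not come from any statute.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule keyed by (classification, record type), in days.
# Classifications follow the guide's categories; the periods are invented.
SCHEDULE = {
    ("confidential", "hr_file"): 7 * 365,
    ("private", "project_doc"): 3 * 365,
    ("public", "marketing_asset"): 5 * 365,
}
STALE_AFTER_DAYS = 2 * 365   # hypothetical "dead data" threshold for moving to archive


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str      # public, private, confidential, company_secret
    record_type: str
    created: date
    last_accessed: date
    legal_hold: bool = False


def disposition(rec: Record, as_of: date) -> str:
    """Next lifecycle action for one record: retain, archive, destroy or review."""
    if rec.legal_hold:
        return "retain"           # a legal hold suspends the schedule entirely
    period = SCHEDULE.get((rec.classification, rec.record_type))
    if period is None:
        return "review"           # no schedule: the accountable owner must assign one
    if as_of >= rec.created + timedelta(days=period):
        return "destroy"          # retention period elapsed; the disposition step applies
    if (as_of - rec.last_accessed).days >= STALE_AFTER_DAYS:
        return "archive"          # dead data leaves active systems but is not yet destroyed
    return "retain"


def plan(records, as_of):
    """Map every record id to its disposition decision."""
    return {r.record_id: disposition(r, as_of) for r in records}


def destruction_queue(records, as_of):
    """Records due for destruction, grouped by classification so the matching
    safeguard (e.g. verified wiping for confidential material) can be applied."""
    queue = {}
    for r in records:
        if disposition(r, as_of) == "destroy":
            queue.setdefault(r.classification, []).append(r.record_id)
    return queue


# Constructed sample inventory; dates and ids are invented for the example.
SAMPLE = [
    Record("R1", "confidential", "hr_file", date(2015, 1, 10), date(2016, 3, 1)),
    Record("R2", "confidential", "hr_file", date(2015, 1, 10), date(2016, 3, 1), legal_hold=True),
    Record("R3", "private", "project_doc", date(2023, 3, 1), date(2023, 3, 15)),
    Record("R4", "public", "marketing_asset", date(2021, 9, 1), date(2021, 10, 1)),
    Record("R5", "company_secret", "design_spec", date(2024, 1, 1), date(2024, 5, 1)),
]
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for rid, action in plan(SAMPLE, AS_OF).items():
        print(rid, action)
    print("destruction queue:", destruction_queue(SAMPLE, AS_OF))
```

The order of the checks matters: the legal hold is tested first so that an expired record under hold is never queued for destruction, and an unscheduled record is routed to review rather than silently retained forever, which is how hoarded data accumulates.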

6. TECHNOLOGY & SECURITY ARCHITECTURE, TOOLS & CONTROLS

In monitoring data risks, a threat-based approach to cybersecurity helps identify the vulnerabilities that a cyber-attack would likely try
to exploit, and outlines measures to secure those vulnerabilities. This takes a forward-looking view and uses predictive analysis of your
organization’s unique threat profile to identify at-risk areas and protect against the most likely types of cyber-attacks that could occur.
This threat-based approach requires a multipronged strategy and a range of proactive steps, including independent assessment and
penetration testing, software encryption and multi-factor authentication, a security patch management program, and managed detection.
An independent firm can assist with these advanced diagnostics and help patch any vulnerabilities. They can also perform a red-team
security test that mimics a threat actor and searches for any holes in an organization’s upgraded cybersecurity defenses. Ongoing
cybersecurity training for staff helps keep these practices top of mind as well.

TO OUTSOURCE OR NOT TO OUTSOURCE

Outsourcing data governance and privacy responsibilities, whether short-term or long-term, can provide significant savings and value for an organization, while also ensuring security and minimizing risk. But it is crucial to determine if and how such a solution fits your organization’s needs. Some key questions to consider include:

Do you currently have an automated internal system for data analytics and processing that is designed by a data scientist? Optimizing such a system without experience in the area presents significant challenges that can consume time and money unnecessarily.

Is this system accessible and optimized for business users, or does it require additional processing, training and/or some data management background? It is inefficient if business personnel need to coordinate with IT for access and analysis.

Do you currently have data management experts on your team, or is the work of maintenance and quality control being executed by untrained personnel? Leveraging outsourced expertise can increase efficiency and quality while making internal resources available for more tasks.

Are you applying data governance to all facets of your organization (marketing, customer service, et al.)? Leveraging data in a secure and consistent manner can yield significant results across multiple initiatives.

Is the data management program set up to account for privacy compliance? Online reporting and automated workflow help ensure your organization can fulfill current and upcoming regulatory timing requirements.

For organizations that lack the in-house expertise and resources for robust data governance, outsourcing presents the opportunity to enhance security, mitigate risk, reduce costs and harness the full power of that data across the entire business.

7. RISK MONITORING & CONTROL


Assessing your organization’s data protection risk profile involves numerous aspects, including determining which employees have access to
which systems and whether tighter restrictions need to be placed on employee access controls. It is estimated that 43% of all data losses
occur at the hands of internal actors, so limiting access to data can be a basic but effective method to mitigate risk. Overall, a cybersecurity
risk assessment must review all current policies and operations, identify potential issues and then prioritize remediation initiatives.
Some data breaches that affected tens of millions of people continued unnoticed for months or even years, such as with Yahoo! (2013-14)
and the U.S. Office of Personnel Management (2012-14). Because valuable data records are stored across numerous systems, organizations
must establish effective controls and continuously monitor risk 24/7/365. Otherwise, they leave themselves vulnerable to threats and
intrusion on an ongoing basis, and they may not even know when a breach occurs.
As part of your organization’s processes, create a mechanism to see a “single view of risk” through consolidating data and establishing key
risk indicators (KRIs), which can be just as important as key performance indicators (KPIs). Considering the drastic effects of a breach, these
are vital tactics to help strengthen monitoring and mitigate risk. New technology makes monitoring and trend analysis an easier practice to
implement as well.

8. INTRACOMPANY & THIRD-PARTY ACCOUNTABILITY


Organizations need to have a clear understanding of all third-party vendor relationships, and then map those relationships against
data flows to understand what level of access vendors could have to their data and information systems.

Vendors' data governance policies and procedures should be closely examined, as should their compliance practices. The vendors then
must demonstrate a thorough understanding of their direct requirements, as well as your organization's responsibilities—and the
consequences of running afoul of those rules. Existing contractual obligations may need to be modified to include all compulsory details
and terms.

The vendor management process does not end after the contract is signed. Successful vendor risk mitigation is a continuous
process—not something that is simply conducted upfront and then forgotten. Your organization must diligently monitor risk and review
internal controls with service providers to ensure they remain compliant and prepared for new threats in an ever-changing environment.

Third-Party Assurance via SOC Attestation

Undertaking System and Organization Controls (SOC) attestation provides numerous benefits. It can help build trust with current
customers and prospects, as most large organizations partner with hundreds or even thousands of outside service providers, so auditing
each vendor one by one would be time-consuming and inefficient.

SOC attestation also validates the risk management model and proves business value, because company stakeholders and prospective
investors look for it as a good measure of corporate health when they contemplate investing or plan an exit strategy. Moreover, it can
help to find and close the gaps in controls. In 2017, the AICPA developed description criteria for a new SOC attestation, SOC for
Cybersecurity, further enhancing the value and scope of SOC reports.

9. INCIDENT MANAGEMENT, LEGAL HOLDS & DISCOVERY READINESS


In a world where attempted cyber-attacks are not a question of "if" but "when," every organization must be prepared to respond quickly
and limit the impact of a breach. The handling of data breaches is now closely monitored by regulators at the state, national and
international levels. Failure to contain the threat and notify customers and regulators in a timely manner can result in significant
financial penalties.

Critical aspects of developing sound incident response and data breach notification processes include:

X A consistent and current incident response program that includes policies, procedures, roles and responsibilities, as well as
communications plans
X Consistent definitions across the organization that include the definition of an event, an incident or a breach
X Direction to teams that an incident has occurred, and the steps required if they suspect this warrants further investigation
X Contracts with outside counsel, forensic and cyber-investigative experts, as well as PR firms that specialize in this area
X Internal training to identify suspicious activities
X Steps to minimize further threats or exposures, and a process to remediate the current situation
X Notification practices, such as outsourced data breach notification companies or credit monitoring contracts after a breach has
occurred
X The ability to recover systems back to their functioning state to minimize impact to the operations of the business and its customers

Beyond sound practices for incident response and breach notification, your business must ensure it is prepared for litigation and
discovery before these needs arise. Many organizations mistakenly view information governance and e-discovery as two distinct
functions, but in fact they are two sides of the same coin. If data sets are too vast and disorganized, it becomes tedious and costly to
process and analyze them—or they could be missed altogether during the discovery process. Implementing a data retention and
destruction strategy as part of the ordinary course of business, prior to when the duty of preservation kicks in, is essential to reducing
data volumes to reasonable levels.

10. COMMUNICATIONS, TRAINING & CHANGE MANAGEMENT


Training and change management are critical to performing a
successful roll-out of any program, and EIG is no exception. Firm-
wide communication detailing key aspects of the governance
strategy and program helps ensure understanding and adoption of
the necessary practices.
Unfortunately, many EIG initiatives struggle with implementation
and are met with resistance, so the initial planning steps
are crucial. The strategy should set clear goals supported by
consistent communication, which helps convince senior managers
across the organization about the value of implementing an EIG
program. It should also plan the implementation in stages to avoid
change fatigue for staff, and set up processes to support the tools
that will be leveraged.
Although implementation plans vary widely, standard steps that
can be employed in any organization include:
X Pilot: Test the process, policies or procedures with a
small group.
X Roll-out: Once you conduct the pilot, begin to roll out the
program to all employees.
X Training: Immediately following your roll-out, ensure
employees are trained in a timely manner with
ongoing testing and positive reinforcement to instill
behavioral change.
X Governance: Monitor progress against the program, adjust as
needed and update accordingly. This will help to ensure that
the program is fluid and can meet the organization’s business,
regulatory and legal needs.
Ultimately, every employee must understand that they are a
steward of organizational data and accountable for its
proper handling.

11. LEGAL/REGULATORY OBLIGATIONS & COMPLIANCE


Businesses are in new regulatory territory as U.S. and international lawmakers create a governing framework for emerging digital risks.
Today, there are more than 100 federal and international data privacy and protection laws, each with their own set of requirements
regarding how data is collected, used, retained and safeguarded.

However, data privacy is just one facet of the current regulatory environment. From financial regulation, such as Dodd-Frank and the
Bank Secrecy Act, to environmental health and safety reporting rules, to industry-specific frameworks, organizations face a barrage of
disparate compliance requirements regarding records retention and information assurance. So, sound data governance must remain
responsive and align with all relevant legislation.

Under the Federal Rules of Civil Procedure (FRCP), once a party "reasonably anticipates litigation," it has a duty to preserve
electronically stored information that may be relevant to a discovery request and place it under a litigation hold, requiring the
suspension of routine data deletion or destruction procedures. Failure to preserve relevant data may result in claims of intentional
destruction of data or allegations of a lack of cooperation that could lead to court-mandated sanctions.

National Security and CFIUS Compliance

From a national security standpoint, U.S. organizations that own, maintain and operate components of U.S.-based "critical
infrastructure"—defined as "a system or asset, whether physical or virtual…vital to the United States"—must ensure their assets are
protected from ongoing physical and cyber-related threats, in order to meet national security compliance requirements developed by
the National Industrial Security Program (NISP). Avoiding a national security letter, or complying with one, requires an intricate
knowledge of an alphabet soup of regulations, including FOCI, ITAR, DFARS and more.

The complexity of navigating these regulatory processes will continue to increase in tandem with international investment. A critical
element of national security compliance is the involvement of the Committee on Foreign Investment in the United States (CFIUS).
Chaired by the U.S. Department of the Treasury, this interagency task force is responsible for the review of foreign direct investment
that could result in the control of a U.S. business or U.S. critical infrastructure. CFIUS is also responsible for reviewing the impact these
transactions could have on national security.

Companies brokering a deal with a foreign entity must be cognizant of how the transaction may impact the reliability, availability and
integrity of their resources, as well as transmissions and underlying protected information, and the potential applications of their
technologies by their acquirer.

Data Divestitures in CFIUS Mitigation

Data divestitures have become a frequent component of transactions subject to CFIUS mitigation terms. Exactly what is to be divested
is unique to each deal, but usually it must be done in a manner that makes the data irretrievable.

Businesses have many sources of data that may be captured in one system and disseminated within the organization in various ways,
including through automated backups, and by employees via email systems, personal network share locations and local computers. This
can create a cascading effect in that multiple systems, not just the data input system, need to be considered when divesting protected
data. A holistic, top-down approach to data governance is recommended to examine both the source of data origin and an exhaustive
trail of every possible location the data could exist, which helps ensure compliance with requirements for all applicable data being
irretrievably deleted.

12. BUSINESS CONTINUITY & RESILIENCE


In order to minimize the potential effects of a data breach or cyber incident, your business must develop and test plans for business
continuity and disaster recovery. Establishing a data loss prevention (DLP) program is a key component of this. Comprised of
administrative, technical and physical controls to protect an organization's data, a DLP program forms an essential component of EIG
and takes an umbrella approach to guarding against data loss.

Beyond just automated backups, an effective DLP program can monitor all systems, apps and databases for data use patterns, threats,
vulnerabilities and privacy violations. This becomes much easier to implement if measures have been taken to ensure data quality and
records management as part of the EIG program.
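The retention-and-destruction routine that section 9 calls for, with the FRCP litigation hold described in section 11 suspending scheduled deletion, as an added Python sketch; it is not code from the guide or from BDO, and the record classes, retention periods, custodians and matter names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Retention schedule in days per record class (hypothetical values, not from the guide).
RETENTION_DAYS: Dict[str, int] = {"invoice": 7 * 365, "email": 3 * 365, "marketing": 365}

@dataclass
class Record:
    record_id: str
    category: str                 # key into RETENTION_DAYS
    created: date
    custodian: str                # employee or system that holds this copy
    matters: Set[str] = field(default_factory=set)  # legal matters the record relates to

@dataclass
class LegalHold:
    matter: str
    issued: date                  # when litigation was reasonably anticipated
    custodians: Set[str]          # custodians whose data is in scope
    released: Optional[date] = None

def hold_applies(record: Record, holds: List[LegalHold], today: date) -> bool:
    """True if any active hold covers the record, by custodian or by matter."""
    for h in holds:
        active = h.issued <= today and (h.released is None or h.released > today)
        if active and (record.custodian in h.custodians or h.matter in record.matters):
            return True
    return False

def disposition(record: Record, holds: List[LegalHold], today: date) -> str:
    """Decide 'hold', 'retain' or 'destroy'; an active hold always overrides the schedule."""
    if hold_applies(record, holds, today):
        return "hold"
    days = RETENTION_DAYS.get(record.category)
    if days is None:              # unknown class: fail closed, never destroy by accident
        return "retain"
    return "destroy" if today >= record.created + timedelta(days=days) else "retain"

def run_disposition(records: List[Record], holds: List[LegalHold], today: date) -> Dict[str, List[str]]:
    """Group record ids by outcome; the 'destroy' list is the defensible deletion batch."""
    out: Dict[str, List[str]] = {"hold": [], "retain": [], "destroy": []}
    for r in records:
        out[disposition(r, holds, today)].append(r.record_id)
    return out

# Constructed sample data (not from the guide).
TODAY = date(2021, 6, 1)
SAMPLE_HOLDS = [
    LegalHold("acme-litigation", date(2021, 1, 10), {"carol"}),
    LegalHold("old-matter", date(2019, 1, 1), {"erin"}, released=date(2021, 3, 1)),
]
SAMPLE_RECORDS = [
    Record("R1", "invoice", date(2013, 1, 1), "alice"),                      # past schedule, no hold
    Record("R2", "email", date(2019, 3, 15), "bob"),                         # still within schedule
    Record("R3", "marketing", date(2020, 1, 1), "carol"),                    # expired but custodian held
    Record("R4", "invoice", date(2010, 5, 5), "dave", {"acme-litigation"}),  # held by matter tag
    Record("R5", "email", date(2015, 1, 1), "erin"),                         # hold released, expired
]
```

Running `run_disposition(SAMPLE_RECORDS, SAMPLE_HOLDS, TODAY)` keeps R3 and R4 under hold, retains R2, and queues only R1 and R5 for destruction.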

LOOKING FORWARD


Eventually, every business process should be data-driven, with analytics and robotic process automation embedded throughout. This
includes core processes (e.g., customer service, purchasing), management processes (e.g., budgeting, risk management) and support
processes (e.g., HR, accounting). The journey to operationalizing these analytics across the enterprise starts with holistic data
governance. After all, insights are only as good as the information they're based on.

As businesses become increasingly data-driven, striking the right balance between data security, data access and data quality is more
important than ever. Those who figure out how to get it right will find themselves a step ahead of the competition.

Developing mature data analytics capabilities to supplement data governance initiatives can help your organization by:

X Identifying customer and market trends accurately and more efficiently
X Enhancing internal audit functions and fraud prevention
X Bridging departmental data into cohesive dashboards
X Strengthening the overall enterprise's information governance program with improved data quality
X Allowing for modifications in regulator reporting as requirements change
X Strengthening privacy and data protection through the identification and masking of protected data

CONTACT

KAREN SCHULER, Principal, National Governance, Risk & Compliance Leader, 301-354-2581, kschuler@[Link]
MARK ANTALIK, Managing Director, Information Governance & Privacy Leader, 617-378-3653, mantalik@[Link]
NEBIAT KIDANE, Director, Governance Risk & Compliance, 703-336-1522, nkidane@[Link]

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a
wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through
the active involvement of experienced and committed professionals. The firm serves clients through more than 70 offices and
over 750 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO
serves multi-national clients through a global network of more than 91,000 people working out of more than 1,650 offices across
167 countries and territories.
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by
guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO
network and for each of the BDO Member Firms. For more information please visit: [Link].
Material discussed is meant to provide general information and should not be acted on without professional advice tailored to
your needs.
© 2021 BDO USA, LLP. All rights reserved.
