Introduction

Data governance function is the backbone of a successful data management (DM) initiative. Data governance is the process of setting standards, defining rules, establishing policy and implementing oversight. It is these steps that ensure adherence to DM best practices. Governance formalizes and empowers the DM initiative to ensure propagation and sustainability throughout the organization.

The purpose of data governance is to formalize DM as an established business function. Data governance establishes the rules of engagement, drives the prioritization of funding and enforces compliance. Data governance delineates the guidelines for data movement. These movement guidelines prescribe how data will be acquired, persisted, distributed, appropriately used, archived and/or defensibly destroyed. Data governance formalizes oversight by establishing control guidelines, approval processes and evaluation of adherence to policies and procedures. It identifies stakeholders and empowers them. Data governance ensures that DM principles are fully detailed and adoption is achieved. Business, data and technology functions are held responsible for the maintenance, quality and proper use of data throughout the organization as part of the Data governance function.

Definition

The Data Governance (DG) component is a set of capabilities to codify the structure, lines of authority, roles & responsibilities, escalation protocol, policy & standards, compliance, and routines to execute processes across the data control environment. This ensures authoritative decision making at all levels of the organization.

Scope

• Establish a data governance function within the Office of Data Management (ODM).
• Work with DM Program Management Office (PMO) to design and implement sustainable business-as-usual processes and tools for data governance.
• Define clear roles, responsibilities, and accountabilities for DM resources including those mandated by DM policy.
• Define and operate the data governance structure with clear lines of authority, responsibility for decision making, engaged stakeholders, adequate oversight, issue escalation paths and tracking of remediation activity.
• Develop and oversee adherence to comprehensive and achievable DM policies, standards and procedures, including leading the response to audits.
• Ensure data governance function is aligned with other relevant control function policies, procedures, standards, and governance requirements from information security, privacy, technology architecture etc.

Value Proposition

Organizations that build, effectively communicate, and enforce DM policies assure themselves of lower levels of enterprise risk when it comes to DM and data compliance assessments.

Overview

Governance is the key to successful DM. It establishes lines of authority and ensures that the principles of DM can and will be implemented. It establishes the mechanisms for stakeholder collaboration and defines the organizational structure by which the DM initiative will be governed. The governance infrastructure determines where the initiative resides in the corporate hierarchy, helps manage stakeholder expectations, aligns policies and standards to the organization’s mission and values, ensures the adoption of policies and standards, articulates the mechanism for conflict resolution, ensures adequate funding and sets the methodology for measuring DM progress.

Governance over the DM initiative is multidimensional and includes activities related to each of the seven DCAM components. And while the most appropriate structure for any individual organization will vary, a clear mission with links to tangible business objectives, as well as a mechanism for realignment, are essential for long-term success. For example, domain councils might exist to oversee the intersection of business, data and technology functions. Governing boards might be created to establish business data priorities and resolve conflicts. Tactical groups might exist to manage workflow, perform data reconciliation, address quality of critical data elements, perform business analysis and provide triage to resolve issues with defective data or outcomes that violate the organization’s ethical standards. All these aspects need to be linked into an overall framework if governance is going to embed DM concepts into the culture of the organization successfully.

The data governance framework establishes the mechanism by which authoritative decisions for data and DM are made across each of the DCAM components. To implement governance, the organization must ensure that the deployment plan will be effective within their business environment. The governance structure should define the in-scope data that is required by the business objectives and establish the DM initiative strategy and approach. It should give authority and required funding for the ODM, establish policies and standards, make authoritative decisions about DM and data. The governance structure should provide an issues management and escalation procedure. After the initial implementation, the governance framework itself needs to be evaluated, measured and adjusted based on business reality and to ensure that it is fully integrated into business-as-usual processes.

Core Questions

• Have the DM policies been defined, developed and validated with key stakeholders?
• Has a governance structure been established with the stakeholders identified, charters written and responsibilities assigned?
• Are there mechanisms in place for issue management, escalation and resolution?
• Are there mechanisms in place for establishing and resolving prioritization issues among stakeholders?
• Are the appropriate executives identified and engaged?
• Has the methodology to ensure compliance with established policies, standards and processes across the full data lifecycle been defined?
• Have the metrics been validated by stakeholder criteria, aligned with business objectives and collected in a timely manner?
• Are the metrics actionable and achievable within the organization to improve DM and meet business objectives?

Core Artifacts

The following are the core artifacts required to execute an effective Data Governance capability. Items with an ‘*’ link to published best practice guidelines.

• Data Code of Ethics
• Data Governance Operating Model
• Data Management Policy
• Data Management Principles
• Data Management Standards
• Data Sharing Agreement

The DG function strategy and approach, inclusive of the governance organization structure, must be defined and approved by stakeholders. Roles and responsibilities across the stakeholders must be established with operational processes in place.

Description

The strategy and approach for the DG function must be defined and reflect the related vision and objectives of the Data Management Strategy (DMS). Once established, it must be formally empowered by senior management and its role communicated to all stakeholders.

Objectives

• Formally establish the DG strategy and approach within the organization.
• Get approval of the DG strategy and approach from stakeholders.
• Ensure alignment of stakeholder plans and roadmaps with the DG strategy and approach.
• Obtain executive management support for the DG strategy.
• Communicate the role of the DG function across the organization through formal, organizational channels.
• Operate the DG function collaboratively with DM initiative stakeholders.
• Secure authority to enforce DG compliance through policy and documented procedures.

Advice

The data governance structure creates a mechanism for authoritative decision making about the data and DM initiative. There should be a single structure to govern all aspects of the DM initiative at all of the various levels of the organization. It is important to align decisions to the appropriate level for an authoritative decision while maintaining the required level of subject matter expertise. Resist over-engineering. Position governance as a mission control activity not a judge.

When establishing any governing bodies, limit the scope of their oversight to the expertise of the participants. This limitation will maintain engagement because of the native interest in the topics covered. The DG activity must also align to other governance control functions throughout the organization to ensure compliance. As appropriate, stakeholders from these other governing areas should be engaged in the DG activity.

DG focuses on the organizational requirements necessary to ensure that the objectives of the DM initiative can and will be implemented. It is critical that the organization understands what they are governing as well as the practical aspects of getting stakeholders to alter behavior before seeking to implement a governance structure.

Don’t lead with governance details too early in the DM initiative development cycle. DG follows the establishment of the DM initiative and the strategic engagement with the organization’s data objectives and challenges. At the strategy level, the primary goal is buy-in to the fact that data governance is a mandatory activity – and that it will change the way people operate. Early and interactive engagement with stakeholders will help reinforce buy-in. Think of this as crafting the governance deal with an appropriate balance between the concepts of governance (clarity on need), the value of governance (coordination and predictability) and the impact of governance (operational and cultural implications).

As an organization formalizes data ethics activities as part of their culture and governance imperative, if it is not fully integrated with the DM initiative, at the very least it must be aligned with the data governance function. Alignment of the DG strategy and roadmap to the DMS vision and objectives is achieved by agreement between the operating level data officer and the individual responsible for delivering the DG function. The operating level data officer is accountable for establishing priorities across each of the Framework Component requirements.

Questions

• Has the DG function been formally established?
• Is there a DG strategy and approach in place?
• Is the DG strategy and roadmap aligned to the DMS?
• Has the concept of data ethics been included in the DG strategy and approach?
• Has the DG function been formally communicated to business, technology, operations, finance and risk?
• How has executive management demonstrated its support?
• Has authority been granted to the DG function to implement and enforce best practice via policy and standards?
• Has authority been communicated to stakeholders?
• Is there a functional partnership in place with Internal Audit?

Artifacts

• The data governance plan
• Data governance structure documentation
• Charter for required governing bodies
• Description of the roles and responsibilities of the DG function
• Communication of specific support from executive management with distribution lists
• Policies and procedures associated with executing and enforcing DG
• Bi-directional engagement with stakeholders on the DG function authority

Scoring

Description

The governance structure must align to the operating levels of the organization. In addition to governance at the organization-wide level, Individuals must be appointed in business lines and control functions and given the responsibility of DM within those verticals, preferably, reporting into the Chief Operating Officer (COO) or business leader within that group.

Objectives

• The governance structure has been defined, documented and shared with relevant stakeholders.
• Operating governance structures have been implemented.
• Working committees are established with written and approved charters.
• Stakeholders have been appointed.
• Stakeholder roles and responsibilities have been communicated.
• Stakeholders are held accountable for their participation in the DM initiative via performance reviews and compensation considerations.

Advice

This is how the DG processes will work in reality, including the operating structure, roles, responsibilities and coordination mechanisms. There is no single correct way to define a governance structure. It is dependent on the size of the organization, the scope of the activity, the skill of the staff and the culture of the organization. Developing a new DG mechanism will likely require new skill sets. Collaboration with senior business stakeholders for appointment of stewards and with HR for recruiting will help facilitate implementation. Formal training such as DM strategic concepts will help with onboarding.

Questions

• Has the governance structure been defined and socialized to make sure it is appropriate for the organization?
• Have the roles, functions, and responsibilities been defined and verified?
• Have potential stewards been identified in collaboration with business stakeholders?
• Is there a succession plan in place?
• Is there an onboarding and training mechanism to support acclimation to new DM functions?

Artifacts

• Governance structure such as organization charts, operating structure, roles, and responsibilities
• RACI matrix, or equivalent, denoting accountability
• Operating procedures such as how appointments are determined, onboarding and training requirement evidence
• Working groups and committee designations, their charters and participant rosters, minutes and directives
• Bi-directional communication such as stakeholder rosters, internal memos, and distribution lists

Scoring

Description

High-level structure and the roles and responsibilities of the DM organization must be established. The roles and responsibilities of the operating units’ data executives and data stewards must be addressed in the DMS.

Objectives

• Define and communicate the roles and responsibilities of the DG function.
• Fund and staff the DG function.
• Ensure and enforce alignment of activities and projects to policy and standards through the authority of the DG function.
• Hold individuals accountable and reward excellence within the DG performance roles through annual reviews.

Advice

Think carefully about how the governance process will work in the real world. It is important to evaluate roles and functions from all perspectives including that of sponsors with executive authority, owners and other accountable parties. Both business stewards who manage data content and technology stewards who manage technical implementation also have roles that deserve evaluation.

With the addition of a data ethics review in the DG process, subject matter expertise will be required either through the addition of experts or appropriate training of the data governance team.

Questions

• Has the DG function been established?
• Is the DG function appropriately staffed and funded?
• Does the DG function have the authority needed to be effective?
• Have the roles and responsibilities of the DG function been defined, documented and socialized?
• Have the skills for data ethics review and execution of Machine Learning (ML) and Artificial Intelligence (AI) tools been added or developed within the stakeholders?
• Have milestones and metrics associated with DG execution been established?

Artifacts

• Evidence of stakeholder identification
• RACI matrix or other evidence of accountability assignment
• Description of the roles and responsibilities of the DG function
• Staff qualifications and assignments
• Evidence of accountability linked to reviews and compensation
• Gap analysis of skills needed and those in place
• List of stakeholders and evidence of bi-directional communication

Scoring

Description

Formal processes must be established for the activities of the DG function. These processes align with the DM policy and standards of the organization and include procedures, tools and routines. The routines are required for steady-state operations.

Objectives

• Establish formal DG processes in alignment with the DM policy and standards.
• Integrate the DG processes into the overall end-to-end processes of the DM initiative.
• Identify, schedule and maintain DG routines, meetings and working sessions required for operational support.

Advice

The DG subject matter experts should work with the business process design and optimization service within the Data Management Program (DMP) team. Together they will create and monitor the implementation of the DG processes in alignment to the end-to-end process across the full DM initiative.

Address up-front some of the more challenging organizational issues about how data governance will affect stakeholders. Don’t underestimate the difficulties associated with, or minimize the importance of, getting agreement on essential concepts like authority, policy, and control.

DG is not a project but part of a sustainable program of work that becomes part of the organizational DNA. A smoothly functioning DG function is defined by the routines that support it. The goal is to ensure that DM becomes adopted as business-as-usual across the organization.

Whether the data ethics activities are a direct accountability of the DM function or simply an aligned responsibility, additional steps in the DM processes will be required to execute the ethical management of the data.

Questions

• Have formal processes been defined and implemented?
• Are the procedures, tools and routines in place for implementing the processes?
• Has the review of data ethics been included in the DG strategy and approach?
• Are DG activities part of the normal operational routine of stakeholders?
• Are there standing meetings, planning sessions and regular communications about DG initiatives?

Artifacts

• Process design artifacts, procedure guides and published routines
• Process performance metric reports
• Meeting minutes, status reports and DG announcements

Scoring

DM policy and standards must be established for the organization and approved by stakeholders and executive governing bodies. The policy and standards must align with cross-control function policy and standards and be auditable.

Description

Policy and standards must reflect the basic principles of DM. Policy and standards must define how business, technology, and operations functions manage and control data. They address how data is acquired, managed, maintained and delivered throughout an organization.

Objectives

• Develop policy and standards in collaboration with business, technology, and operations stakeholders.
• Complete and verify policy and standards.
• Align policy and standards with the DMS.

Advice

The development and implementation of policy and standards take the DM initiative from conceptual to functional. These are the rules for the data with a rationale to ensure that data is trusted and managed. They need to be both practical and stringent enough to change the way the organization operates. They are to be implemented via data standards and based on core principles. They must be linked to strategy and integrated into the Software Development Lifecycle (SDLC) process. The development and implementation of DM policy should be viewed as the bedrock of the DG program.

Although they can vary, most policy and standards will contain rules and guidelines pertaining to data ownership, data definition, data lineage, metadata, data quality (DQ), data access, permissible use, data sourcing and controls.

Questions

• Have the DM policies and standards been created and published?
• Are the policies and standards complete and linked to control functions (e.g., cross-border issues, security, privacy), data acquisition processes (e.g., legal contracts, entitlements), data usage (e.g., authorizations, redistribution), data retention (e.g., Create, Read, Update, Delete–CRUD), quality control (e.g., business rules, logic checks, transformations), data meaning (e.g., identifiers, definitions, classifications), formats and messaging (e.g., schemas, metadata, ISO standards)?
• Are they linked to, and aligned with the DMS?
• Have they been developed and verified in collaboration with stakeholders?
• Are they aligned with the SDLC process?
• Have they been reviewed and approved by both Internal Audit and executive management?
• Is the organization able to comply with the DM policy, or is a defined burn-in period required?

Artifacts

• Definition of the areas that are covered by policy and standards
• Documented and approved policies and standards
• Approvals from Executive Committee and Board
• Evidence that policies and standards have been communicated
• List of stakeholders and evidence of bi-directional communication

Scoring

Description

Policy and standards must be shared and reviewed by stakeholders to ensure agreement, alignment, and buy-in. Policy and standards are vital for effective DG and should be subjected to a rigorous challenge process by stakeholders. DG must be aligned with and become integrated in the existing governance structures of the organization.

Objectives

• Develop policy and standards in collaboration with business, technology, and operations stakeholders.
• Submit policy and standards to the organizational governance mechanism for evaluation.
• Obtain approval of policy and standards.

Advice

The policy and standards need to be grounded in the real world. They must be developed collaboratively with stakeholders and approved through the authority of executive management. Without this verification and approval process, support and adherence will be difficult to achieve.

Questions

• Have the right stakeholders at the right levels of seniority been involved in the development process?
• Have policies and standards been verified and approved by stakeholders?

Artifacts

• A roster of stakeholders and communication trail
• Formal approval and associated communications

Scoring

Description

Policy and standards must be recognized and supported by senior executive management. DG must be aligned with and become integrated in the existing governance structures of the organization.

Objectives

• Policy and Standards have been submitted to the organizational governance mechanism for evaluation.
• Policy and Standards have been approved.

Advice

Policy needs to carry the authority of executive management.

Questions

• Do those involved in corporate-level review fully understand the DM imperative and challenges?
• Was the approval process formal with the right executives involved in the process and through established organizational approval processes?

Artifacts

• Distribution roster
• Evidence of evaluation like a Board of Director agenda and minutes
• Formal approval and associated communications

Scoring

Description

All data introduced into or delivered out of the data ecosystem must be subject to cross-organizational control standards to ensure organization-wide compliance. The types of control functions that may have policies impacting data are legal and compliance, information security, privacy, data usage and cross-border.

Objectives

• Formally recognize cross-control function dependencies.
• Ensure these dependencies are reflected in each groups’ policy and standards.
• Establish regular engagement between cross-control functions and the DM initiative.
• Apply cross-organizational data control policies and standards to all data introduced into or delivered out of the ecosystem.

Advice

The DM initiative is not accountable for legal and compliance, information security, privacy, data usage and cross-border control functions. However, for these control functions to be executed there are requirements for data and DM issues such as identification, classification and access control that are critical to ensuring their success. DM should be working with all control functions across the organization, identifying the touch points that impact the other control function objectives.

The goal is to ensure that the policies and standards of DM are aligned with those of the other, organization-wide control functions. Take advantage of existing, parallel rules and control function policies to integrate them into the DM policies, standards, and processes. Other control functions should also reference the policies, standards and processes of the DM initiative.

Questions

• Are the mechanisms in place to support cross-control function collaboration?
• Is there policy, standards and process alignment between organizational control functions?
• Is cross-control function coordination operational and being reviewed by Internal Audit?
• Are the mechanisms to support coordination with regulators defined and operational?
• Are formal meetings across control functions taking place?

Artifacts

• DM policies, standards and processes
• Other, intersecting control function policies, standards and processes
• Evidence that DM policies, standards and processes align with those of the other control functions
• Evidence of collaboration with cross-control functions such as communication, joint meetings, minutes, and agendas

Scoring

Description

Policy and standards must be supported by established audit processes and routines in partnership with Internal Audit. Lack of adherence to policy and standards must be elevated as a formal audit issue that requires resolution.

Objectives

• Authorize the ODM to examine and enforce adherence to DM policy and standards.
• Adhere to the DM policy and standards examined and enforced by Internal Audit.

Advice

Putting tollgates into production is a balancing act. They must be strong and effective in validating the access and use of data, while at the same time avoid being burdensome and bureaucratic. Establish the necessary review and approval processes along the DM lifecycle to ensure that decisions about the acquisition, use and distribution of data adhere to the DM policy and standards. Project review and approval processes will typically include such things as formal data design reviews, formal approvals to build, approvals to access and approvals to distribute.

Questions

• Are the appropriate first and second lines of defense in place to monitor controls?
• Are the criteria for tollgates transparent and easy to understand?
• How are stakeholders informed of expectations and reasons for any denials?
• How is the ODM collaborating with other control functions on tollgates?
• Are new processes incorporated into the SDLC process?

Artifacts

• Review and approval process documentation
• Evidence and evaluation criteria of alignment with existing application development processes
• Evidence of alignment with other control processes
• Compliance records and illustrations of consequences of non-compliance
• Evidence of the audit process

Scoring

Governing the DM program includes: 1) administering program funding; 2) approving program and project DM adherence; 3) enforcing standard DM business process adoption; and 4) implementing issue management.

Description

In order to achieve budget authority, alignment must exist between the DM initiative funding governance, the DM governance structure and the organization-wide funding model and process.

Objectives

• Get the funding model operational.
• Identify and empower the parties accountable for the DM initiative budget.
• Integrate governance of the funding model into the governance structure of the DM initiative.
• Align governance of the funding model to the overall funding governance of the organization.

Advice

An operational funding model means that budgets are secured and aligned to expected deliverables. It means that DM executives are empowered to support the funding commitments. Implicit in an operational funding model is that the DM initiative is included in the funding cycle of the organization to secure appropriate levels of funding moving forward. The funding approach must be formalized, ideally as a stand-alone budget.

Questions

• Does the ODM have the authority to spend?
• Is the funding model governance process and governing body authorized by the organization?
• Is the funding model incorporated into the organizational funding cycle and process?

Artifacts

• Funding model
• Formal approvals from stakeholders and budget owners
• Records of spending on DM expenses.

Scoring

Description

Change management policy and standards must exist in a controlled manner via checkpoints, formal review mechanisms and organizational approval boards. Data and DM requirements must be included in the change process to ensure that all new development as well as data access, usage and transmission of data adhere to established DM policy and standards.

Objectives

• Communicate to stakeholders the review and approval processes as well as responsibilities for data-related projects.
• Get review and approval processes operational such as approval to build, approval to access, approval to use, approval to send.
• Integrate review and approval of data, and the ethical management of data, into the organization’s technology development and SDLC process.
• Align review and approval processes with the control mechanisms of other cross-control functions including change management.

Advice

Establish review and approval processes as checkpoints along the DM lifecycle to ensure that decisions about acquisition, use, sharing, and distribution adhere to policies and standards. The implementation of program or project tollgates requires balance. They must be strong enough to be effective without being bureaucratic and burdensome. The objective is to facilitate business and enable data hygiene. If an approval request is denied, it is in the best interest of the DM initiative to help resolve the reason for denial.

Questions

• Are the appropriate tollgates in place at critical decision points?
• Are the review and approval processes structured to support business processes without being overburdensome?
• Are the criteria for tollgates transparent and easy to understand?
• Are project review and approval processes done collaboratively with other control functions?
• Have data control reviews been incorporated into the SDLC process?
• Is the review of data ethics part of the tollgate process?

Artifacts

• Documented review and approval processes
• Completed review and approval processes showing alignment between existing application development and other control processes
• Bi-directional communication with stakeholders

Scoring

Description

The DM governance structure must be applied to governing the standard DM processes in alignment with the organization’s standards and governance for business process operational excellence.

Objectives

• Integrate governance of the DM business process optimization into the governance structure of the DM initiative.
• Align governance of the DM business process optimization with the organization’s overall governance of the business process optimization function

Advice

Effectively governing the standard DM processes of an organization is critical to maintaining repeatable, sustainable and measurable processes. The data policy should require the use of standard processes, making use of the process subject to audit. The use of standard processes across the organization will enhance the data and DM interoperability between data domains throughout the data ecosystem.

Questions

• Is the governance of the standard DM initiative processes integrated into the overall governance of the DM initiative?
• Is the use of the DM standard processes enforceable by audit?
• Is the operational excellence function in the ODM aligned with the organization-wide operational excellence standards and governance?

Artifacts

• Evidence of use of a standard process optimization framework
• Evidence of use of standard process design tools
• Evidence of governance body approval

Scoring

Description

The issue management process includes issue identification, prioritization, resolution tracking and escalation as required. The process must support resolution of both DM initiative issues and data issues and leverage the established data governance structure. A critical aspect of the issue management process is the escalation procedure required when agreement cannot be achieved, and conflict resolution is required.

Objectives

• Get the issue management processes operational and documented.
• Define issue management routines.
• Align escalation procedures with the organizational governance structure.

Advice

The issue management process should be integrated with the DM initiative data governance structure. Issue management is required for both issues from the practice of DM and the governance of the data. Formality of how issues are managed is essential for both operational sanity and audit requirements. Make sure escalation procedures are reviewed by Internal Audit as well as endorsed by executive management.

An established escalation process is necessary to resolve conflicts, reconcile priorities and ensure efficient operations. These escalation procedures need to be formalized with clearly established roles and responsibilities as well as a defined escalation path.

Questions

• Is there a defined process for issue management?
• Have you made the distinction between DM initiative issues and data issues?
• Do escalation procedures exist for DM and data issues?
• Are the right people with the appropriate levels of authority involved in the decision-making process?
• Have issue management and escalation policies and procedures been reviewed and accepted by audit and senior management?

Artifacts

• Process design artifacts, procedure guides and published routines
• Issue log, Key Risk Indicators (KRIs) and other performance metrics
• Escalation criteria and policies
• Escalation procedures and communication about conflict resolution
• Defined escalation path

Scoring

Governing the data structure includes: 1) identifying and using authoritative data domains; and 2) enforcing the definition, approval, publishing and use of standard data models and definitions along with identification, classification and taxonomy schemes.

Description

Governance is required to enforce the identification, definition and ultimate use of the organization-wide authoritative data domains.

Objectives

• Apply governance to identification and verification of authoritative data domains by business subject matter experts.
• Apply governance to the use of authoritative data domains by upstream/downstream data consumers.

Advice

Governance must be in place to ensure data consumer use of the authoritative data domains that were created as part of the data architecture (DA) activities. The goal is to ensure the authorized data is consumed consistently by all data consumers organization-wide.

Questions

• Are governance processes in place to ensure the identification, maintenance and use of authoritative data domains?
• Are domain owners in place who are responsible for the quality and availability of the data?
• Has the business domain owner, as well as the DA function, been involved in the designation of the authoritative data domains?
• Have data domain taxonomies and conceptual and logical models been verified by business subject experts?
• Are all critical business functions represented in the discussion?

Artifacts

• Criteria for determination of authoritative data domains
• Inventory and declaration of authoritative data domains
• Listing of domain owners and responsibilities
• Business process definition and documentation
• List of stakeholders and evidence of bi-directional communication

Scoring

Description

Governance is required to enforce the definition, approval, publishing and use of standard data models and definitions along with identification, classification and taxonomy schemes.

Objectives

• Apply governance to the coordinated process to define, approve and publish data models, definitions, identifiers, classifications and taxonomies.
• Apply governance to the use of data models, definitions, identifiers, classifications and taxonomies for Business Elements and data elements.
• Apply governance to the alignment and cross reference of models, definitions, identifiers, classifications and taxonomies to industry standards.

Advice

Governance must be in place to ensure the creation, maintenance and use of standard data models, definitions, identifiers, classifications and taxonomies across the organization. The goal is to achieve a precise organization and access to the data by data consumers.

Questions

• Have standard data models, definitions, identifiers, classifications and taxonomies been defined, maintained and used across the organization?
• Have policies and standards been developed and approved to ensure standard data models, definitions, identifiers, classifications and taxonomies are used?
• Have standard data models, definitions, identifiers, classifications and taxonomies been published and cross-referenced to those used in any proprietary applications?
• Have business, data, technology, legal and compliance stakeholders been involved in the definition and verification process?
• Are standard data models, definitions, identifiers, classifications and taxonomies aligned with other cross-organization control functions requirements?
• Has governance over standard data models, definitions, identifiers, classifications and taxonomies been aligned with change management policies?

Artifacts

• Documentation on the process for defining, assigning and maintaining standard data models, definitions, identifiers, classifications and taxonomies
• Policy and standards on definition, maintenance and use
• Records of standard data models, definitions, identifiers, classifications and taxonomies as metadata
• Cross-references to other cross-organization control function requirements
• Alignment to change management policies
• Inventory of standards being used
• List of stakeholders and evidence of bi-directional communication

Scoring

Governing that the data is fit-for-purpose includes: 1) controlling the access and use of data; 2) enforcing the contractual restrictions of third-party data; and 3) establishing and monitoring adherence to the Data Sharing Agreement (DSA).

Description

Once the authoritative data domains have been established, governance is required to control the access and use of the data.

Objectives

• Apply governance to the controlled access and use of data from the authoritative data domains.

Advice

Once the authoritative data domains have been defined, declared and sanctioned, governance processes need to be established to ensure control over the identification, definition, and usage of data. Appropriate usage is based on an understanding of who is using data and for what purpose.

Questions

• Have authoritative data domains been established and sanctioned?
• Has intended use been defined and verified?
• Have business meaning and relationships been defined and verified?
• Are processes in place to control access to the authoritative data domains?
• Are processes in place to ensure appropriate usage?

Artifacts

• Authoritative Data Domain designations
• Metadata repository with required structural, descriptive and administrative attributes
• List of stakeholders and evidence of bi-directional communication

Scoring

Description

Governance is required to monitor and enforce the contractual restrictions of third-party data entering the organization.

Objectives

• Apply governance to monitoring the restrictions applied by purchase contract to the use of third-party data.
• Apply governance to the record of third-party data use restrictions as part of the metadata of the data.

Advice

How third-party data is managed should be no different than other data in the organization except for the addition of the contractual restrictions that are defined in the purchase contract. The metadata of the purchased data should indicate the restrictions on its use, ideally linked to a description of the restrictions. The data should be assigned to a data domain and access to the data in compliance to the contract should be controlled.

The third-party contracting process should include review of the DM practices applied to their data and the establishment of requirements on the vendor. To introduce external data into the organization’s ecosystem, the data should have had similar rigor applied to that of the internally created data. This rigor includes all the cross-organization controls and such topics as privacy and data ethics.

Questions

• Is the third-party data assigned to an Authoritative Data Domain?
• Are the restrictions of data use being recorded as flags in the metadata?
• Are the data use restrictions centrally captured for reference?

Artifacts

• Third-party data alignment to an Authoritative Data Domain
• Metadata model
• Central repository of third-party data restrictions

Scoring

Description

Governance is required to approve and monitor adherence to the Data Sharing Agreement (DSA) established between a data producer and data consumer and authorize data as fit-for-purpose for the data consumer’s intended use.

Objectives

• Apply governance to approve and monitor adherence to a DSA.
• Establish a process to routinely review and update a DSA.
• Create a routine for validation by the data producer that the data is fit-for-purpose for the data consumer’s intended use.

Advice

A DSA defines the data consumer business process requirements for data and the data producer’s terms and restrictions for use of the data. Formal governance is required to approve the agreement. Additionally, a method must be in place to monitor that the terms and restrictions are followed.

The DM policy and standards should require the DSA to include criteria for determining that the data is fit for purpose such as a defined data consumer’s intended use and an established minimum threshold of quality.

The governance activity should include the validation and authorization of data as fit-for-purpose. The formality of this will be determined by the governance culture of the organization. Data fit-for-purpose is not only achieving an established threshold of quality but includes the data producer understanding the data consumers intended use of the data and an agreement that it is the correct data for the use and for how it is being used.

Questions

• Are DSAs and adherence to the agreement required by DM policy and standards?
• Are DSAs in place?
• Are aspects of the agreement recorded as metadata?
• Are the agreements maintained in a centralized and accessible repository?
• Are the agreements reviewed routinely and updated to current-state data use?
• Is there a data producer and data consumer agreed upon threshold of DQ?
• Is there a documented data consumer intended use of the data?
• Is there a defined validation by the data producer that the data is fit-for-purpose for the data consumer’s intended use?

Artifacts

• DSAs between data domains
• Metadata record that the data is covered by a DSA
• Metadata record identifying the data consumer(s) of a data element
• Metadata record of quality threshold and intended use
• Evidence that the data producer routinely validates and authorizes that the data is fit-for-purpose

Scoring

Governing the data ethics includes: 1) establishing a formal data ethics oversight function; 2) adhering to the ethical access and appropriate use of data; and 3) monitoring whether the outcomes of data access and use are ethical.

Description

A formal data ethics oversight activity is required that includes establishing a governing body, a Code of Data Ethics and senior executive accountability with defined roles and processes for ensuring data ethics.

Objectives

• Create a formal body to oversee both the ethical use of data and the ethical outcomes of data use.
• Craft the Code of Data Ethics for the organization as mandated by the enterprise level senior management team.
• Identify stakeholders and form working groups to make the Code of Data Ethics operational.
• Define and communicate the roles and responsibilities of the data ethics senior officer at all levels of the organization.
• Invest in data ethics training at all levels of the organization.
• Communicate through training and reporting requirements that responsibility for enacting the Code of Data Ethics applies to each individual and is shared by all members of the organization.
• Authorize the executive responsible for the organization’s ethical DM to ensure and enforce adherence to the Code of Data Ethics.
• Establish a process to remediate ethical issues.

Advice

Collaborative, routine and transparent information practices lead to ethical data governance. The DCAM framework guides organizations through data practices that catalyze the contextual discourse needed to change organizational culture from data-driven to data-ethics-driven. The first step in this endeavor is to establish compliance with a Code of Data Ethics, mandated by the enterprise-level senior management team, and implemented at every level of the organization. To implement the Code of Data Ethics with accountability distributed throughout the organization requires operating governance structures that align with the organization’s overall governance structure. The data ethics senior officer at all levels of the organization is accountable for ethical data governance.

The role of legal and compliance in the DM initiative is to mitigate legal risk. However, as always, law lags behind technological change, and the vast and rapidly expanding data-industrial complex is facing civil and criminal challenges that must be addressed. Let’s also recall that legal compliance represents the least common denominator, an outdated and minimal level of compliance. There is a vast difference between following existing regulations and being a leader in ethical DM.

As described in the Introduction, data has meaning. Understanding how that meaning changes in different contexts is the crux of ethical DM. A Code of Data Ethics should articulate how the organization understands the meaning of the data it stewards—now, and in the future.

Codes of Data Ethics typically incorporate some variant of the following general principles:

1. Data elements are entwined with a real person – first do no harm.
2. The effects of DM are inequitable, including some and excluding others.
3. Ensure future data use is consistent with expectations & intentions of its originators.
4. Provenance & tools for analysis must be documented, because they affect how data is presented & used.
5. Be explicit about how the organization’s data practices do and do not align with context-dependent expectations.
6. Collect only the data required for the task at hand; less data is less open to misuse.
7. Data subjects have a right to know what data is collected and how that data is used and/or shared. Be open and transparent.
8. Aim to be a leader in data ethics for long-term success.
9. Prioritize design practices that promote and enhance transparency, configurability, accountability, and proactive interrogation of patterns in both training data and outcomes.
10. Welcome internal and external ethical review.

Much of what we hear from many organizations with respect to social responsibility is considered mere lip service. An authentic commitment to data ethics starts with a top-down mandate, which is supported throughout the organization by specific practices and empowered accountability. In other words, employees must be empowered to insist on data practices that are aligned with the data ethics mandate. Without empowered employee actions and established routines, data ethics will not permeate the organizational culture.

Early efforts to inculcate data ethics throughout the organization usually begin with the formation of a steering committee or working group. The group socializes the concept of data ethics among all stakeholders through activities such as large forums that bring stakeholders together to examine the importance of data ethics through the lens of the organization’s mission and values. Eventually, organizations committed to data ethics develop formal chartered governance aligned to the governance structure of the organization. Alternatively, if data ethics governance remains separate from data governance, alignment routines are required.

Questions

• Has the organization established and socialized a Code of Data Ethics?
• Has the organization allocated resources to appropriately staff, train, and socialize Code of Data Ethics governance?
• Have milestones, metrics, and measurements associated with adherence to the Code of Data Ethics been established?
• Is the concept of ethical DM understood by all stakeholders at all levels of the organization?
• Is ethical DM embraced across the full organizational ecosystem?
• Does the data ethics senior officer at all levels of the organization have the authority needed to be effective?
• Have the roles and responsibilities of the Chief Data Officer or Chief Ethics Officer been defined, documented and socialized?

Artifacts

• Evidence of enacted Code of Data Ethics
• Staff assignments and qualifications
• Gap analysis of skills needed and in place
• List of stakeholders and evidence of bi-directional communication
• Description of the roles and responsibilities of the DG function for data ethics
• Regular schedule of training and reporting on data ethics implementation
• Written and approved charters of working data ethics committees
• Individuals are held accountable for their adherence to the Code of Data Ethics via annual reviews and compensation considerations.
• Demonstrated hierarchy of responsibility and reporting for ethical DM
• Evidence of events to socialize the data ethics commitment organization-wide

Scoring

Description

Explicit governance of ethical data access and use is required. The ethical evaluation of access and use must include both the actual access and use as well as the data subject’s perception of how their data is being accessed and used. Furthermore, this governance must provide processes and protections for personnel who raise concerns about data access and/or use that runs counter to this perception.

Objectives

• Ensure the access and use of data adheres to the Code of Data Ethics.
• Provide a mechanism for personnel to raise concerns about ethical data access and use.

Advice

While 6.5.3 mandates adherence to the Data Sharing Agreement established between a data producer and data consumer and authorizes data as fit for purpose for the data consumer’s intended use, 6.6.2 establishes a higher bar for data governance. Again, this is the difference between legal compliance and ethical governance of DM. A significant aspect of data ethics governance is the empowerment of personnel at all levels of the organization to question the legal agreements that pertain to data access and use. For example, a data sharing agreement may contain boilerplate stipulations that don’t do enough to preserve the trust placed in the organization. Personnel should have a channel through which they may raise concerns about suspected violations of and/or potentially risky data access and/or use.

Some best practices that support the ethical access and appropriate use of data include:

• Embedding provenance information in the metadata to enhance transparency of data collection and practices
• Providing individuals the on-demand (or periodic) opportunity to access to the corpus of data the organization holds about them
• Revisiting consent
• Communicating both legal and perceived consent to third parties
• Proactive disclosure of the organization’s DM plan with specific provisions for data disposition
• Resolving to collect only that data which are necessary for the task at hand

Questions

• Are the Code of Data Ethics used as a guide for evaluating ethical data access and use?
• Is there a mechanism for personnel to raise concerns about ethical data access and use?

Artifacts

• Metadata schema that includes fields for provenance and consent history
• Survey and/or interview responses demonstrating perceived access and use of data
• Training and internal promotional materials describing a channel for reporting concerns about data access and use
• Communications disclosing the organization’s DM plan
• Communications providing people with their data corpuses
• Statistics relating to reduced extraneous data collection over time

Scoring

Description

Explicit governance of ethical outcomes of data access and use is required. The evaluation of ethical derived outcomes must exist within the operating governance structures of the organization in alignment to a socially acceptable code of ethics.

Objectives

• Ensure the derived outcomes from the use of data align with a socially acceptable code of ethics.
• Define and implement operating governance structures which guide and enforce adherence to the Code of Data Ethics.
• Align the data ethics governance structure to both the data governance and the organization-wide governance structures.

Advice

Ethical outcomes are those results of data access and use that meet the business needs of the organization without infringing on the human dignity of others. Human dignity can be thought of as what a society tolerates—what is considered, generally, “fair.” Organizations have a moral imperative to interrogate the patterns not only in the data used to train their models, but also in their outcomes. To ignore such patterns is unethical. To govern the ethical outcomes of data access and use requires long-term scenario planning and research into the social effects of these practices. This accountability is more complex and involved than legal compliance, but also more directly tied to the organization’s values as captured in its Code of Data Ethics.

There are two types of unethical DM: nefarious and unintentional. Nefarious unethical data practices are deployed by people who aim to manipulate decision making to benefit some and disadvantage others. This type of activity is relatively rare in comparison with unintended unethical data practices. Even the most well-intentioned data professionals may inadvertently cause harm, especially if they are not aware of the ways in which algorithms replicate societal inequities. In other words, “Good data can create bad outcomes.” For example, in the AI context, it’s unethical to train your machine on data without conducting ongoing scenario planning and research on potential negative unintended consequences. By embracing the Code of Data Ethics as an instrumental part of the organizational culture, ethical DM becomes a priority for employees at all levels of functional responsibility. Typically, it is the responsibility of the Chief Data Officer or Chief Ethics Officer to ensure the Code of Data Ethics is embraced, prioritized, and operationalized throughout the organization.

Questions

• What is the relationship between data ethics and broader ethics activities in the organization?
• What are the long-term implications of data access and use decisions?
• What stakeholders should be consulted to better understand the implications of data decisions?

Artifacts

• Records of consultations with stakeholder groups pertaining to the potential for unintended consequences of data and access decisions
• Training curricula that reinforce the organization’s approach to ethical DM with case studies highlighting unethical outcomes

Scoring