Data Governance and Data Protection Policy

Data have become a key factor for any organisation. The skill to process data to build value is a fundamental element of increasing the efficacy and efficiency of the decision making process. Data governance is the strategy for the correct administration and management of data policy in the organisation. Much of this policy should be made up of the data protection policy as established in Article 24 of GDPR and the need to adopt such policies as expressed in recital 78.


I.    What is Data Governance?

The rapid evolution of technology and globalisation have seen new challenges arise in relation to data management in organisations. The extent of the collection and exchange of information, including personal data has increased significantly. Technology now allows for the use of data on an unprecedented scale in a global delocalized and decentralized way.

In this scenario, it is fundamental for an organisation to manage information in an effective and efficient way. It could be a complex task if the information is distributed across different systems that cannot be integrated; if the data are gathered, maintained and processed by the different levels of the organisation separately; if there are inconsistencies between the different data repositories or if the systems in which the data are collected do not incorporate data quality assurance as a requirement. This problem can be exacerbated where data are processed by multiple controllers or processors.

Data governance is the process that defines the policies and procedures for guaranteeing proactive and effective data management. Furthermore, the adoption of a data governance framework allows for collaboration between all levels of the organisation at strategic, tactical and operational level to manage the data of the entire organisation and to align data with its objectives.

Data and their correct exploitation can generate great value, but this cannot be the only objective of data governance. When it comes to personal data, natural persons must have control of their own data and their rights and freedoms must be guaranteed in accordance with the GDPR. Personal data processing must be supported by the effective implementation of the principles of data protection, with the adequate measures taken and sufficient guarantees provided.

Article 24 of the GDPR establishes that the controller must apply the appropriate technical and organisational measures to ensure and to demonstrate that processing complies with the regulation, taking into account the nature, scope, context and purposes of the processing activity and the risks to which it may be exposed. It also identifies the implementation of adequate data protection policies as a pertinent measure. Data governance facilitates the appropriate working framework to establish those policies, integrating them into the organisation in such a manner to ensure efficient and relevant control, fostering compliance with the GDPR.

II.   The Importance of Data Governance

Data are valuable when their quality is ensured, which guarantees that the information obtained is really useful for feeding the organisation’s decision-making processes. Data quality is measured by accuracy, opportunity, relevance, integrity, reliability and contextual definition. Good data quality requires effective data management. To promote the effective management of data, it is important to have in place a data governance process that ensures that the organisation has an adequate information management procedure in place.

Data governance is, inherently, an integration challenge, as it obliges organisations to take a holistic approach. The data that exist and are exploited in one single department or group only generate value within that part of the organisation. Once data are shared they become a business asset that must be governed to be protected and to maximise the value for the entire organisation.

The Objectives of Data Governance

The objectives of data governance must be aligned with the objectives of the organisation. In general, the principal objectives of data governance are:

  • Facilitate better decision making.
  • Enable the management and the organisation in general to adopt common approaches in relation to data.
  • Establish repeatable procedures and processes.
  • Reduce costs and increase the coordinated efficiency of efforts.
  • Reduce operational friction.
  • Protect the data needs of data subjects.
  • Ensure transparency in processes.

When personal data are being processed, data governance should be committed to the protection of the privacy of natural persons, their rights and freedoms, applying the appropriate guarantees. It must, therefore, be integrated into the data protection policy of the organisation.

Where processing activities include personal data, the following objectives must be added to the governance objectives:

  • Comply with the principles of data protection (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability).
  • Ensure that data subjects can exercise their rights (rights to access, rectification, erasure (“right to be forgotten”), restriction of processing, notification, data portability, object and automated individual decision-making).
  • Guarantee data protection by design and by default through the management of the risks posed to rights and freedoms.
  • Comply with any other legal requirements and obligations imposed in data protection regulations.
Critical Factors for the Success of Data Governance

The critical factors for the success of data governance can be determined by addressing the following ten principal controls:

  • Responsibility and strategic responsibility. Executive leadership is necessary to drive the data governance process. To successfully implement data governance, the roles and responsibilities of those involved in the data governance process in the organisation must be clearly defined. This is in line with the application of the principle of “accountability” established in the GDPR.
  • Standards. The definition of data standards is important as corporate data must be defined and it must be ensured that they are “appropriate for the purpose”. In personal data processing it must be possible to identify the type of data and their category, with special attention on special categories of personal data (Articles 9.1 and 10 of the GDPR).
  • Management blind spot. It is necessary to align data, privacy, technology and the processes of the different departments with the organisation's objectives. Generate a culture of the importance of data and their correct management, considering the commitment to respect privacy of natural persons and their rights and freedoms at all times, in accordance with the regulation.
  • Embracing complexity. Managing all the stakeholders involved in the data is complex as data must be gathered, enriched, distributed, consumed and maintained by different stakeholders. If personal data is involved, it is essential the they are managed and processed in accordance with the GDPR, guaranteeing the rights and obligations of the data subjects.
  •  Full participation. The structure of data governance must be designed in a manner that includes participation at all levels of the organisation to reconcile priorities, streamline conflict resolution processes and foster support for data quality in processing activities and the protection of privacy. That commitment must start with senior management.
  • Metrics. The definition of specific data quality metrics, processing activities and the effectiveness of privacy measures is important in order to measure the success of data governance and establishing a continuous improvement process.
  • Commitment. When an organisation shares data with other organisations, these organisations must be responsible for the quality of their data and processing, ensuring privacy so that the efforts of the organisations are not undermined. The communication of personal data to third parties must comply with the data protection regulation.
  • Selection of strategic control points. Controls should be established to determine where and when the quality of data and processing shall be assessed and addressed.
  • Monitoring of compliance. The policies and procedures for the management of data and privacy must be assessed periodically to ensure that the policies and procedures are followed.
  • Training and awareness. The controller, data processors and their personnel must be conscious of the value of data governance and the need for personal data protection. The importance of the quality of data and the benefits of quality data, and the importance of protection the rights and freedoms of data subjects and preservice their privacy, must be communicated to all those involved in processing.

Finally, we would advise following the recommendations drafted by the Spanish Data Protection Agency (AEPD) to apply the principles of accountability, which can be found on the Innovation and Technology microsite, especially those relating to privacy policies and data protection.