Janet Lichtenburger and Nancy Makos presented a terrific view of how Data Governance works at their company. They implement functional (small) data governance, with the exception of data sensitivity.
Here is my brain dump of the session today. You're welcome to it if you can make heads or tails of it. :-)
Some numbers that show the challenge of Data Governance there are:
- 5 people in Enterprise Architecture
- 3 people in Data Governance
- 130 people provide Data Stewardship support
- 350k total employees
Data Governance is about Policies and Standards and is typically independent of implementations, as part of the Enterprise Architecture or Finance groups.
To encourage adoption, Data Governance could be considered an internal consulting service that supports projects and is not charged back.
- Enterprise Data Governance Executive Committee
  - Meets only a few times a year
  - Limited number of senior executives
- Data Governance Committees
  - Each committee is chaired by Data Governance
  - Divided into specific domains
  - Meets as often as required by projects
  - Up to 15 people on each Domain Specific Committee
Data Steward Roles
- Executive Stewards
  - Member of the Data Governance Executive Committee
  - Strategic Direction
- Enterprise Stewards
  - Member of the Data Governance Committee
  - Development Support of Data Governance Policies
- Operational Stewards
  - Communicates to promote policies
  - Endorses Data Standards
- Domain Stewards
  - Recommends canonical structures
  - Endorses Data Standards
However the model is constructed, it must make sense for the business. All new policies should be considered from a Cost / Benefit analysis; the exception is regulatory requirements. Regulatory and Legal compliance are critical to avoid jail.
The goal of policies is to drive behavior changes needed for Enterprise Information Management to succeed.
People generally don't like change. A way to get buy-in is to amend existing processes instead of creating new ones. These changes are smaller and less intrusive, and the stakeholders have already been identified. This also leads to more partnerships and shared endorsements of the changes.
There are typically a small number of extremely high value areas; policy should focus on those.
Align with the Enterprise goals and with other Enterprise-ranging groups. There are a lot of shared concerns and ways that the teams can support each other.
Keep the policies easily accessible. Do not hide them in a 500 page volume; instead keep them somewhere easily discoverable, such as a wiki on the corporate intranet.
Policies that are overly broad and not enforceable can quickly cause legal / compliance problems. In those cases, no policy is a better choice than an unenforceable one.
The source and type of data both define the data classification required. Similarly, data from several, more open sources can be combined to escalate the protection required.
- Financial information, such as credit cards
- Regulated information, such as HIPAA data
- Named Persons
- Business Data
- Everything Else
The data classification levels are combined with Information Security levels for systems to identify where the data may be transmitted.
Remove 18 identifying attributes from the data, which renders it fairly useless.
An expert certifies that the probability of re-identifying an individual from the available data is too low.
There are tools out there, such as Parit(?), that are capable of doing this automatically after a survey and analysis of the data.
USPS Publication 28 specifies international address requirements
ISO 15836 standards for tagging unstructured documents
ISO/IEC 11179-4 and -5 have naming standards for business metadata