Pharmaceutical model
Janet Lichtenburger and Nancy Makos presented a terrific view of how Data Governance works at their company. They implement functional (small) data governance, with the exception of data sensitivity.
Here is my brain dump of the session today. You're welcome to it if you can make heads or tails of it. :-)
Some numbers that show the challenge of Data Governance there are:
- 5 people in Enterprise Architecture
- 3 people in Data Governance
- 130 people provide Data Stewardship support
- 350k total employees
Data Governance is about Policies and Standards and is typically independent of implementations, as part of the Enterprise Architecture or Finance groups.
To encourage adoption, Data Governance could be considered an internal consulting service to support projects, one that is not charged back.
Organizational Model
Overall Model
- Enterprise Data Governance Executive Committee
  - Meets only a few times a year
  - Limited number of senior executives
- Data Governance Committees
  - Each committee is chaired by Data Governance
  - Divided into specific domains
  - Meets as often as required by projects
  - Up to 15 people on each Domain Specific Committee
Data Steward Roles
- Executive Stewards
  - Member of the Data Governance Executive Committee
  - Strategic Direction
  - Authority
- Enterprise Stewards
  - Member of the Data Governance Committee
  - Development Support of Data Governance Policies
- Operational Stewards
  - Communicates to promote policies
  - Endorses Data Standards
- Domain Stewards
  - Recommends canonical structures
  - Endorses Data Standards
However the model is constructed, it must make sense for the business. All new policies should be evaluated through a Cost / Benefit analysis; the exception is regulatory requirements. Regulatory and Legal compliance are critical to avoid jail.
Policies
The goal of policies is to drive the behavior changes needed for Enterprise Information Management to succeed.
People generally don't like change. One way to get buy-in is to amend existing processes instead of creating new ones. Amendments are smaller and less intrusive, and their stakeholders have already been identified. This also leads to more partnerships and shared endorsements of the changes.
There are typically a small number of extremely high value areas; policy should focus on those.
Align with the Enterprise goals and with other Enterprise-wide groups; there are a lot of shared concerns and ways that the teams can support each other.
Keep the policies easily accessible. Do not hide them in a 500-page volume; instead keep them somewhere easily discoverable, such as a wiki on the corporate intranet.
Policies that are overly broad and not enforceable can quickly cause legal / compliance problems. In those cases, no policy is a better choice than an unenforceable one.
Data Classification
The source and type of data both define the data classification required. Similarly, combining data from several more open sources can escalate the protection required.
- Restricted
  - Financial information, such as credit cards
- Protected
  - Regulated information, such as HIPAA data
- Private
  - Named Persons
- Internal
  - Business Data
- Public
  - Everything Else
The data classification levels are combined with Information Security levels for systems to identify where the data may be transmitted.
Anonymizing Data
Safe Harbor
Remove 18 identifying attributes from the data, which renders it fairly useless.
Expert Determination
An expert certifies that the available data carries too low a probability of re-identifying an individual.
Automation
There are tools out there, such as Parit(?), that are capable of doing this automatically after a survey and analysis of the data.
Standards
Examples
- USPS Publication 28 specifies international address requirements
- ISO 15836 has standards for tagging unstructured documents
- ISO/IEC 11179-4 and -5 have naming standards for business metadata