Five data governance policy resolutions for the new decade

Get expert advice on strengthening your organisation’s data governance policy, including tips on how to improve data integrity and manage the data governance process.

Many analysts believe that between 60% and 80% of all stored data has only been looked at once or twice. In other words, the majority of data is never used again after it has been created. However, users rarely delete their unused data – and storing it alongside the more useful stuff comes at a cost.

First, there is the cost of the storage media. Although relatively cheap these days, more storage is inevitably needed as data volumes grow.

Second, there is the cost of managing the data and ensuring that users can find relevant information when they need it, that the level of data integrity required to provide the desired business value is supported, and that the data is protected from loss due to IT failure or some other disaster.

Third, there is the cost of security to prevent the data being compromised – and the unknowable cost should such a compromise actually occur.

Companies can address these issues by adopting a comprehensive data governance policy and programme, but the degree to which businesses in the UK have done so varies. Here are five resolutions for the new decade that can help any organisation, large or small, to review how it approaches data governance in the light of 21st century IT capabilities and best practice.

1) Make sure ownership of the data governance process is clear.
Who is responsible for data governance in your organisation? Having a governance point-person or team not only makes sense, it’s a legal requirement in many countries if a company is storing personal data. For example, the EU Data Protection Directive mandates that a ‘data controller’ within an organisation “determines the purposes and means of the processing of personal data”.

Data protection law has a narrow interest in personally identifiable data, but it makes sense to hand such legal responsibilities to the people within an organisation who are tasked with the overall job of managing data governance. In addition to securing personal data, it should be the data controller’s job to protect intellectual property and ensure that data is in a fit state to provide high-quality business intelligence to the organisation.

In a large enterprise, a team of employees may be assigned to the task. But in small organisations, a single individual may oversee the data governance policy and procedures as part of a broader raft of responsibilities. Either way, the data controller needs to be aware of what data is being stored by an organisation and formulate data usage policies based on both business needs and regulatory requirements.

2) Understand the regulatory environment and how it affects your data governance policy.
First, certain laws and regulations must be obeyed. These include core laws such as the European Convention on Human Rights (Article 8 of which enshrines the right to personal privacy); various data protection acts at the EU and national levels; industry regulations such as PCI DSS for businesses handling credit cards; and the laws of any other country in which your organisation transacts business (the US Sarbanes-Oxley Act being one of the best-known).

Then there are industry standards, many of which are designed to help ensure compliance with regulations. One of the most widely adopted is ISO 27001 for information security (implemented by 60% of European enterprises, according to Quocirca research). The UK Data Protection Act recognises ISO 27001 as the source of appropriate advice for data governance and security.

3) Know where data is being stored, and keep control of it.
To successfully govern data, you need to know where it is so you can protect the information and ensure that users can access it when needed. This was relatively easy in the days when most data was stored centrally, but two things make the job harder today: mobility and on-demand IT services.

Many employees can create data on, and copy it to, mobile devices. This might be great for their personal productivity, but it is a security nightmare and can also mean that the most current data is not available to other users who might need to access it.

Companies can lock down devices and place limits on what users can create and store locally, and rigorous data backup regimes can be put in place. However, it is becoming increasingly common for all user environments to again be maintained centrally, regardless of the access device, through the use of virtual desktop computing.

These days, it also is easy for data to end up being stored off-site by third parties, either at external storage services or through the use of Software as a Service (SaaS) applications. Companies need to identify and limit ad hoc uses of these on-demand services. And when they are adopted as part of an IT delivery strategy, data governance teams need to pay proper attention to regulatory requirements. For example, a service provider storing data in the US for an EU-based organisation should have appropriate ‘safe harbour’ certification that qualifies it as compliant with EU data laws.

4) Ensure the integrity of data as part of the data governance process.
Data will only be useful to the business if it has integrity. That means keeping it as ‘clean’ as possible to ensure the accuracy of business intelligence and data-driven communications. Data integrity can be applied across different data stores through the implementation of master data management (MDM) techniques designed to guarantee that a single set of core data is being used enterprise-wide.

Data de-duplication tools also can help maintain integrity by ensuring that data only exists once in its primary form (plus backup copies). In addition, de-duplication software can cut down on the amount of required storage space as well as the use of network bandwidth when data is being backed up from one location to another.

5) Make sure your data is fit to be shared securely with third parties.
Companies often have to share data in a controlled way with other organisations. All the controls detailed above can help to ensure that data is in a good state to support cross-organisational business processes and that your company isn’t the weak link in the chain. For example, clean customer data and up-to-date inventories with accurate part numbers are crucial to driving efficient business processes, and companies can achieve them through proper data governance.

There is, of course, a danger here: networks need to be somewhat porous to enable data sharing with external partners. If you want to prevent employees sending out the wrong data, or customers coming into your systems via the Internet and finding they have access to more data than they should, you need to put appropriate data security in place and spell out the rules to both internal and external users.

That requires clearly defined data usage policies and thorough end-user education, backed up by the use of data leak prevention (DLP) tools. However, only about 25% of European enterprises currently have such tools in place, according to a recent Quocirca report. Organisations that have yet to deploy DLP software should take a serious look at the technology for potential use in shoring up their data governance policy and procedures.

Bob Tarzey is an analyst at Quocirca, a UK-based research and analysis company. His main area of coverage is route-to-market issues for ICT vendors, but he also has a specific focus on IT security, network computing, systems management and managed services. Prior to joining Quocirca in 2002, Tarzey spent 16 years working for US-based technology vendors. For more information on Quocirca, or to download any of its freely available research reports, go to
