Regulatory obligations, an organization designed around data, optimization of storage costs, valuation of data… whatever objectives your company pursues, it’s all a question of data.
From collection to destruction, the company is responsible for the information and data it holds.
This is why it is essential to define an effective data governance strategy.

What is data governance?

Data governance is the set of processes, rules and standards that aim to ensure the collection, processing and protection of data at every stage of its life cycle, until its destruction (hence the term data life cycle). Within organizations, data governance touches many areas, from security to analytics.

In addition to the CISO, many positions are responsible for data management: DPO (data protection officer), Data Scientist, Data Manager, Big Data developer, Data Miner, Data Analyst, Big Data Architect, Business Intelligence Manager…

It is through these so-called “Big Data” professions that data governance guarantees the proper use of data by all of the company’s departments. Driven by data (or data-driven), the company can thus inform its decision-making.

For Jocelyn Montjaux, Cybersecurity Product Manager and DPO at Tenacy, the objective of data governance is to “ensure that all data handled within the company is collected, protected and destroyed at the end of its use. Depending on the type of data, the availability and confidentiality of the data will be different. This is why data mapping is essential to determine appropriate levels of protection and security.”

Indeed, each company has its own needs in terms of data governance and mapping. Some data will be non-confidential but must always be available for the proper functioning of the organization. Other data, on the other hand, will be confidential, with a lower-than-usual availability requirement.

Data governance is therefore essential to ensure the compliance of your organization and improve its performance. Here are 5 tips to implement to establish an effective and efficient data governance strategy.

  • 1. Integrate business lines into the data governance strategy

    Who is responsible for the data? This is a common question within organizations. As many professions and players are involved, it is important to clearly redefine the role of the CISO. The CISO is responsible for implementing the means of protection (once the data owner has identified the protection requirements to apply) and for monitoring their proper functioning, but is responsible neither for the collection processes nor for the processing of the data.

    Each profession produces an increasingly large volume of data. Here are some examples:

    • customer data;
    • sensitive data for the organization (technological patents, strategic decisions, etc.) or sensitive data as described by the CNIL (including health data);
    • personal data;
    • reference data;
    • data collected;
    • business or operational data;
    • raw data;
    • data produced.

    In the strategic aspect of data governance, all the company’s professions are therefore stakeholders.

    Who could be better placed to catalog data than those who handle it on a daily basis? Jocelyn Montjaux highlights the importance of breaking down silos for a data governance strategy to be effective: “Company data must be processed entirely and not just IT data. The CISO cannot be alone in this project. This is why it is important to involve the professions in this reflection and to involve them in the strategy.”

    Don’t ignore the professions and involve the different departments of your organization to identify all the data sets!

  • 2. Perform a risk analysis on each dataset

    Risk analysis will inevitably be necessary at some point in your data governance strategy!

    Jocelyn Montjaux confirms: “Between risk analysis and data governance, there is a form of synergy. Those in charge of data governance are asked the same questions as during a risk analysis, with a focus on data.”

    Once the data sets have been identified and a classification determined to decide on the protection mechanisms that must be put in place, it is necessary to understand the threats to this data, in particular the confidentiality aspect. Data analysis carried out through the prism of their inherent risks for the organization must then be an integral part of your governance strategy.

  • 3. Consider including the data privacy aspect

    Typically, data governance is associated with data availability.

    What is the maximum admissible duration of a data interruption? What is the acceptable time frame for recovering data without jeopardizing an organization’s activity? The notions of recovery time (RTO, Recovery Time Objective) and recovery point (RPO, Recovery Point Objective) are well taken into account in data governance strategies. But the criterion of data confidentiality is not systematically taken into account.

    Jocelyn Montjaux advises not to neglect this aspect: “Don’t just think about data availability when implementing data governance. But remember to include elements related to the confidentiality of your data. This is anyway required when we talk about the GDPR for example, since this regulation mainly concerns the data confidentiality part.”

  • 4. Integrate the notion of sovereign cloud into your hosting requests

    Big Data solutions, data warehouses (or relational databases), DMP (data management platform), data visualization or decision-support tools, ERP (enterprise resource planning software), CRM (customer relationship management tool), MDM (reference data management)… An entire data management ecosystem has emerged over the last decade.

    Increasingly, companies are required to manage services rather than manage infrastructures. Deployment time is generally faster than that of installing the corresponding infrastructure in a data center and finding people to install and configure servers.

    Hosting your data in the cloud is therefore increasingly common. Did you realize that choosing a SaaS host also means choosing the legislation to which your data will be subject?

    Let’s take the example of the Cloud Computing market leaders. These are American actors, therefore subject to US law, and particularly to two major pieces of legislation:

    • the Patriot Act which, following the attacks of September 11, 2001, allows government agencies such as the FBI, the NSA or even the CIA to obtain information as part of an investigation relating to national security;

    • the Cloud Act which, since 2018, provides that American cloud specialist companies must communicate data to law enforcement or the American or foreign government (depending on the agreements), even if it is stored outside the United States.

    However, data confidentiality is a fundamental aspect of governance! As part of the application of the General Data Protection Regulation (GDPR), for sensitive areas or even for communities, it is easier to require from the start of the project to work with a host whose servers are in France or at least in Europe. This avoids data privacy issues.

    ANSSI, in collaboration with the CNIL, offers the SecNumCloud reference framework for cloud hosts, which includes requirements relating to data protection. The confidentiality of your data also depends on the choice of your cloud host!

  • 5. Remember that your subcontractors also manage your data

    Responsibility for data processing is sometimes delegated to subcontractors. With the entry into force of the GDPR, the regulations on personal data apply to both the data controller and the subcontractor (acting on behalf of his client).

    According to Jocelyn Montjaux, “it is necessary to ensure that suppliers understand the data processing requirements. We need to tell them what to do and check if it’s done correctly!”

    Audits, questionnaires, specific clauses in contracts with suppliers, security assurance plan… so many tools to use to ensure proper data management by your subcontractors.

By adopting these 5 tips, you are ready to effectively define your data governance strategy and thus enable the security of your company’s data.