If you spend most of your days outside of the privacy profession, the term “data governance” may not be familiar. Here’s a top-level definition of data governance:
“Data governance (DG) refers to the overall management of the availability, usability, integrity, and security of the data employed in an enterprise. A sound data governance program includes a governing body or council, a defined set of procedures, and a plan to execute those procedures.” (Source: TechTarget.com)
This is precisely the problem many privacy professionals, privacy attorneys and Chief Privacy Officers face within organizations large and small. Whether making the case to a non-profit or pitching compliance to an agile tech startup, persuading decision makers to adopt data governance and privacy compliance best practices can sometimes feel like an uphill battle.
The challenge, however, is not insurmountable. In fact, leading edge thinking in the design world may translate well when it comes to changing perceptions and influencing major change around data governance. In truth, data compliance is about more than regulatory adherence and legal protection. Embraced properly, it can create deeper bonds with customers, improve business efficiencies, and create an increasingly valuable competitive advantage in the market.
Let’s take a look at some of the “old regime versus new regime” practices and then take a page from the international design and consulting firm IDEO about how we can effectively create and maintain these new regime scenarios.
The Old Regime vs. the New Regime in Data Governance
We’re on the cusp of a sea change in data governance on par with a “flat earth” versus “globe” shift in thinking. The transition will require fundamental organizational, technical, and cultural changes. See how many of the following perspectives you’re familiar with:
New RegimeCompanies collect and use indeterminate amounts of data.Companies practice “data minimization” and use de-identifiable data when possible.Companies have an ad hoc data governance model with no formal organizational structure.Companies embrace a comprehensive data governance structure with a clear accountability for data governance. May or may not employ a full-time Chief Privacy Officer (CPO) or Data Protection Officer (DPO).Company culture lacks a sense of responsibility for privacy and data governance.Company actively promotes a culture of data governance and sees data as an asset which must be protected.Limited awareness of privacy and data governance issues.Comprehensive executive, employee, and board of directors’ awareness and training around security and privacy issues.No formal process for privacy review of new initiatives, products or business processes.Company incorporates Privacy Impact Assessments and embraces “privacy by design” principles.Company has a limited vendor management process with no thorough inventory of vendors responsible for processing customer and employee data.Company implements a formal process to review vendors that process personal data of customers and employees. This includes specific contract terms and periodic audits of vendors to ensure compliance with data protection requirements.
Suggested Tools to Influence Organizational Change Around Privacy
Translating the benefits of the new regime data governance for stakeholders at all levels requires a nuanced approach. Like any cultural change in an organization, holistic buy-in is the result of education, discussion, and understanding the needs and concerns of everyone who will be impacted by the change. No top-down push will create a lasting commitment.
The designers at IDEO recently shared their approach for persuading companies to accept change in an article for the Harvard Business Review. Their designers recognize they must “go beyond logic and engage the emotions inherent in the question “Why should we change?” Three tools they most commonly use are “Transformative Empathy” (experiences in which stakeholders are emerged in others’ perspectives), “Co-Design” (including stakeholders in the process of designing change), and “Shared Vision” (creating a visceral, tangible experience of what the future might look like).
Each seems ideally applicable to the privacy professional working towards the new regime future of data governance:
Transformative Empathy: Companies need to experience what it’s like for their customers to engage with their products – and imagine how privacy controls and user-centric, pro privacy design may enhance that experience. So often stakeholders make assumptions about experiences, but are not required to go through the steps their customers do. How well does the organization embody privacy? How solid is the customers’ sense of trust, or the perception that the company is responsible when it comes to gathering and protecting information?
Co-Design: Compliance is often viewed as the purview of a company’s legal and regulatory departments. Too often, the people responsible for engineering, implementing, and communicating privacy and data governance processes are excluded from the design of the product, service or business process itself. Building a bridge for input and creating opportunities for feedback about the design not only increases buy-in, but it may bring real-world benefits. Build momentum and increase trust by integrating a wider range of human experiences and ethical perspectives.
Shared Vision: The old regime view of data governance is vague and inefficient. There may be assumptions that someone, somewhere is handling data, though exactly who and how is unclear. The problem with old regime privacy compliance and data governance is that a lack of clarity prevents an organization from imagining future possibilities. How can you embrace change if you’re unaware where you stand? This is where shared vision helps. Using the question “What would it look like if…?” teams can explore the way privacy, security, and data governance may be supporting pillars for company goals, new business models, or expansion into geographic territories with enhanced legal requirements. Privacy and security are a team effort, and shared vision is a fundamental step in building partnerships which drive strong business results.
Data Governance as an Untapped Resource
Though the concept of data governance may not initially present itself as an exciting new opportunity for forward-thinking organizations, embracing a new regime perspective on the subject can have a profoundly positive influence.
In a culture where security concerns and privacy awareness are on the rise, those organizations that recognize the value in this paradigm shift will benefit the most in the years ahead.