To help develop a more rigorous approach around data governance, we recommend three areas of board focus.
Today we are seeing the convergence of cybersecurity and data governance. An array of business forces is impacting companies’ risk posture and causing greater complexity in protecting their data assets. These forces include technological advances and the leveraging of big data, new privacy laws and regulations, customer expectations for privacy, the global extension of business, and more advanced cyberattack scenarios.
In our conversations with directors, we often hear that while companies and boards are making progress in their cybersecurity efforts, for many, there needs to be a more rigorous approach to data governance—the processes and protocols in place around the integrity, protection, availability, and use of data.
Cybersecurity has long been a top priority for boards. Based on our conversations with directors, it appears that boards have made significant strides in monitoring management’s cybersecurity effectiveness. We are seeing, for example, greater information technology expertise on the board and relevant committees, company-specific dashboards that highlight critical risks, and more probing conversations with management on critical cybersecurity risks, operational resilience, and the strategies and capabilities deployed to minimize the duration and impact of a serious cyber breach. Despite these efforts, given the growing sophistication of cyberattackers, cybersecurity will continue to be a key challenge for companies and boards.
While data governance overlaps with cybersecurity, it is broader and includes a number of issues that should be top of mind for boards today, including compliance with data privacy laws and regulations, data ethics, and data hygiene.
Compliance with data privacy laws and regulations. In addition to industry-specific privacy laws and regulations, a number of new laws and regulations govern how the personal data of customers, employees, or vendors is processed, stored, collected, and used. Examples include the European Union’s General Data Protection Regulation, which took effect in May 2018, and the California Consumer Privacy Act, which will take effect in January 2020. We can expect more privacy laws and regulations to follow, both in the United States and internationally.
Data ethics. Beyond technical compliance with privacy laws and regulations, companies need to manage the tension between how they legally use customer data and customer expectations about how that data is used. This tension poses significant reputation and trust risks for companies.
Data hygiene. As one director suggested, the company should regularly ask: Are we collecting or holding data that we don’t really need? If yes, get rid of it and perhaps stop collecting it. Who has access to the data, including vendors and third parties?
The convergence of cybersecurity and data governance presents a significant challenge for executive teams and boards. As one director said, “If data is such a critical asset, don’t we need a more rigorous governance approach around that asset, similar to governance around financial reporting, which has clear roles for the chief financial officer and finance team; internal and external auditors; audit committee oversight; and audit committee financial experts, assessments of controls, etc.?”
To help develop a more rigorous approach around data governance, we recommend three areas of board focus:
This article was originally published in the November/December 2019 issue of NACD Directorship magazine.