Data governance: How to take control of your data

February 2021

Over the last year and throughout the Covid-19 pandemic, the needs of business to collect and use personal data to drive successful outcomes have continued to grow.

We live in a time of increased collection and sharing of personal data for public health reasons, employee health monitoring and remote working.

At this time of uncertainty, the need for organisations to have robust controls over the personal data they handle is increasingly important.

Making sure we have the right fundamentals, policies and practices in place builds confidence that we’re ‘doing the right thing’ and not exposing the business to unnecessary risks.

What is data governance all about?

Data governance is rather hard to pin down, as anyone you ask appears to have a slightly different interpretation!

Speaking as a data protection adviser and former practitioner on marketing data, I see data governance as a holistic approach to data privacy and security, addressing all aspects of data management from transparent data collection and use through to its timely disposal.

In essence it’s a framework of management practices which makes sure data is used properly, in line with organisational aims, law and best practice.

Think of it as embedding Privacy by Design and by Default across the organisation. Business objectives can be met without taking unnecessary risks with data when we work together.

Data governance can help you to:

  • protect the business and those whose data you process: customers, employees, etc.
  • reduce your organisational risk profile
  • educate your people: provide them with policy & guidance on how to use data in safe and appropriate ways
  • build in an ethical approach
  • build your reputation, customer trust and enhance the value of your data assets
  • support your teams’ innovation with use of data

Forward-thinking organisations recognise good data governance can build strong customer trust. Good privacy and transparency credentials can be leveraged as a real brand asset.

The first steps

Before you get going, you’ll need senior management buy-in. If the bosses don’t care, why should anyone else? Then you can work through these six steps.

1. Data discovery

It’s vital to identify data assets held across the business – understanding how personal data is being gathered, stored, used and shared. Map where the data is located on your systems and document it.

Most medium to large businesses will need to do this anyway to create & maintain their Information Asset Register (IAR) and Records of Processing Activity (RoPA).

2. Policies & standards

Are your policies and procedures all up to scratch? If you’re not sure, find out what good looks like. The importance of well-crafted, easy-to-use policies can’t be overstated.

3. Accountability

You’ll also need to identify your business’s key data stakeholders – these are likely to be the heads of key functions, such as HR, Operations, Sales & Marketing, and so on.

Establish data roles and responsibilities, so key people are clear what aspects they and others are responsible for. Who has the authority to make decisions about certain data?

4. Risk assessment process

Businesses should have a risk assessment procedure to discover, assess, prioritise and take action to mitigate compliance risks. A governance programme helps your teams to identify both existing and emerging risks, so they can be efficiently assessed and mitigated.

Think of data like a balance sheet: it has great potential to create value but also carries risks and liabilities.

The aim of a data governance programme is to protect both the business and those whose data we process from harm which may arise from things like inaccurate data, unlawful or unfair processing, or processing personal data in ways the individuals would not expect.

5. Technical and organisational measures (TOMs)

Once you have identified any privacy risks you’ll need to ensure you put appropriate measures in place to tackle them. You may choose to mitigate them internally with new procedures or security measures, or perhaps work with a third party to adopt technical or operational measures.

6. Board-level oversight

Risks should be reported up the line to ensure your Board has proper oversight and the opportunity to take appropriate action. If your organisation has a Data Protection Officer (DPO), this reporting will be part of the formal accountabilities of their role.

Overcoming cultural challenges

Data protection and privacy professionals face a cultural challenge to win hearts and minds. I have sometimes heard Legal or Privacy teams described as ‘The department of no’. That’s not how we want to be seen and smart businesses are realising the value of taking privacy seriously.

We should help our business colleagues to balance the needs of commercial and operational functions with legal & ethical requirements.

We shouldn’t just explain the law – we must go further and help our colleagues to find practical solutions. Collaboration and mutual understanding are essential ingredients for successful data governance.

Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service.