Covering everything about how an organization deals with data, a data governance policy is a challenging — but essential — document to create. For those preparing to tackle this process, this article breaks down the complex endeavor into three straightforward steps that anyone can use to write a data governance policy.
Jump to a section…
How to Write a Data Governance Policy
Step 1: Gather Feedback
Step 2: Draft Your Document
Purpose
Scope
Rules
Classifications
Roles and Responsibilities
Review Process
Glossary
Resources
Step 3: Incorporate Final Revisions
Implementation: The Next Step
Learn more about how to keep you and your business’ information secure with the Symmetry Systems’ guide, What Is Data Governance?
How to Write a Data Governance Policy
Step 1: Gather Feedback
The first step in writing a data governance policy is strategically collecting feedback on core topics like data access, security, etc. This process involves gathering your program’s senior stakeholders and asking them to provide you with their key data governance principles. During this conversation, you want to boil down their contributions to a single list of high-level points that everyone can agree on.
After the meeting, create a formal list and open it up for comments. Once you’ve updated your set of principles to reflect any necessary revisions, you can begin writing a policy document.
Step 2: Draft Your Document
Many organizations structure their data governance policy using some form of the following eight sections.
We describe the purpose of each section below, including examples from real-world policy documents to provide guidance. The examples covered come from a variety of organizations — from educational institutions to government agencies. While some of these examples might not come from organizations in your sector, the form and function of each hold true regardless of the space.
Purpose
Usually located at the very beginning of the document, the policy purpose statement explains what the data governance policy is trying to accomplish and how it will be accomplished.
For example, here’s the policy purpose statement from UTS’s data governance policy:
The Data Governance Policy (the policy) establishes a framework for effective data management at UTS by:
- establishing the principles and practices for the effective management and use of the university’s corporate data
- developing a data conscious environment to provide secure, well managed and reliable data that supports university decision-making, planning and reporting, and
- articulating responsibilities for the stewardship of corporate data and information systems supporting the implementation of this policy.
Scope
Another section usually included towards the front end of the document is the scope, which describes the people, information, and infrastructure that fall under the data governance policy.
Here’s an example from Arcadia University’s data governance policy:
This Data Governance Policy (“Policy”) applies to all faculty, staff, and students of Arcadia University (the “University”), as well as contractors, consultants, and all personnel affiliated with third parties with access to or use of University Data (“University Community of Practice”). This Policy applies to all University data, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information. This includes data processed or stored and applications used by the University in hosted environments in which the University does not operate the technology infrastructure.
Rules
The rules or principles section is, in many ways, the heart of your data governance policy. This portion of your document needs to explain how data is handled within your organization — from standards to security.
Here’s a data governance policy example from Hutchison Telecom Hong Kong Holding’s data governance policy:
The Group shall at all times process Personal Data in line with the following Data Privacy Principles.
3.1 Lawful, fair and transparent processing
(a)Personal Data will only be used in a way that is lawful, fair and transparent.
(b) Use of Personal Data should be in compliance with Applicable Data Protection Laws within each of the jurisdictions in which we operate. BUs are to be transparent about when, how and for what purpose they process the Personal Data of Customers and Employees, and what choices and rights individuals have in that jurisdiction in relation to the processing of their Personal Data.
(c) Access to Personal Data should be restricted to Employees who need to know the information to fulfil their role within the company and Sensitive Personal Data (including access thereto) requires the highest level of protection.
Classifications
Many organizations group their data into classes. These classifications will help everyone understand how to properly treat each type of data within your organization.
Here’s an example from Arcadia University’s data governance policy:
Identification and classification of University data are essential for ensuring that the appropriate degree of protection is applied to University data. Protecting University data is driven by a variety of considerations including legal, academic, financial, and other business requirements.
All University data must be classified and can have only one (1) classification. Any data element that is not classified will be assumed to be of the highest classification level until another classification level is otherwise determined. All University records prepared for archival and business purposes will be classified based on the data element in the record that has the most restrictive classification level.
Classification levels descend from highest risk and most restricted access to least risk and least restricted access, as follows:
- Level 1, Restricted: University data that is protected by international, federal, state, or local laws and laws and regulations, industry laws and regulations, or provisions in government research grants or other contractual arrangements, which impose legal and technical restrictions on the appropriate use of institutional information. Examples of restricted data include but are not limited to: Personally Identifiable Information or Personal Data (PII), non-Directory Information student educational records, Social Security numbers, credit card numbers, health records, and some combinations of personal information (e.g. the combination of name and financial account information).
- Level 2, Sensitive: University data that may not be protected by law, regulation, or contract, but which is considered private and is subject to special treatment. Examples of Level 2 data include but are not limited to: any information that the University has agreed or decided to keep private.
- Level 3, Internal: University data that is proprietary or produced only for use by Data Users who have a legitimate purpose to access such data. Examples of Level 3 data include but are not limited to: financial and budget information of the University prior to publication.
- Level 4, Public: University data and institutional information that has few restrictions and/or is intended for public use. An example of public data includes the University’s website.
Roles and Responsibilities
This section of the document categorizes various stakeholders and explains how they will contribute to the program. Each category needs to succinctly outline each group and their purview, including any relevant operational standards. Few documents omit this section, as it is essential for accountability.
Here’s an example of a roles and responsibilities section from Oklahoma’s Office of Management and Enterprise Services’ data governance policy:
Executive Sponsor
An executive sponsor is a member of senior leadership who has planning and policy responsibility and accountability for major administrative data systems within their functional areas. By understanding the planning needs of the state, they are able to anticipate how data will be used to meet state and organizational needs.
Data Owners
Data owners are appointed by the executive committee. They are typically directors or managers who have authority to determine business definitions of data, grant access to data, and approve the secure usage of those data, for the functional areas within their delegations of authority. By understanding the information needs of the agency, data owners are able to anticipate how agency data can be used to strategically meet the agency’s mission and goals.
Data Custodians
Data custodians are responsible for the operation and management of technology and systems that collect, store, process, manage, and provide access to agency data. Data custodians typically are associated with technical functions of the agency, but may also include systems administrators within all functional areas.
Data Stewards
Data stewards are responsible for implementing data policies. Additionally, data stewards have responsibility and authority for the day-to-day management of one or more types of agency data. Data stewards authorize and monitor the secure use of data within their functional areas to ensure appropriate access, accuracy, classification, privacy and security.
Data Users
Data users are authorized individuals who have been granted access to agency data in order to perform assigned duties or functions within the agency. When individuals become data users, they assume responsibility for the appropriate use, management and application of privacy and security standards for the data they are authorized to use. As such, data users must work with data stewards and data custodians to ensure that they understand any use of agency data beyond the initial scope requires approval by the appropriate data steward.
Data Governance Office (DGO)
The DGO facilitates and supports data governance and data stewardship activities, including:
- Keeping track of data stakeholders and stewards.
- Collecting and aligning policies, standards and guidelines from stakeholder groups.
- Arranging for the providing of information and analysis to IT projects as requested.
- Facilitating and coordinating data analysis and issue analysis projects.
- Facilitating and coordinating meetings of data stewards and data owners.
- Collecting metrics and success measures and reporting on them to data stakeholders.
- Providing ongoing stakeholder care in the form of communication, access to information, record keeping and education/support.
- Articulating the value of data governance and stewardship activities.
- Providing centralized communications for governance-led and data-related matters.
- Maintaining data governance records.
Review Process
A data governance program is a living document that must be consistently edited and updated to keep pace with changing technology, threats, regulations, etc. To make sure it does, consider including a section that describes how the document will continue to evolve.
Here’s an example of a review process entry from Oklahoma’s Office of Management and Enterprise Services’ data governance policy:
This Data Governance Policy shall be maintained by the manager of the Data Governance Program, approved by the OMES Data Governance Committee and the OMES division directors and published and communicated to all relevant parties. At a minimum, this policy shall be reviewed and/or updated annually.
Here’s another example from Dixons Academies Trust’s data governance policy:
The Executive will monitor the application and outcomes of this policy on an annual basis to ensure it is working effectively and conforms to current legislation and advice. Any revisions will be presented to the Trust Board for approval.
Glossary
Most data governance policy documents include a glossary that unpacks important terms, ensuring that policy readers are never confused by an unfamiliar word or concept. Some examples of commonly defined terms are data, database, data user, custodian, access, and metadata.
Here’s a glossary entry from Hutchison Telecom Hong Kong Holding’s data governance policy:
Biometric Data means Personal Data which contains or links to the behavioural and physiological characteristics of an individual which can be used to identify, label or describe that person, including, but not limited to DNA, fingerprints, facial shape, retina and iris patterns, hand scans and measurements, and voice files.
Resources
It’s best practice to include a list of sources, often at the very end of the document. These resources are typically additional definitions, guiding principles, other policy documents, and relevant regulations that provide the reader with valuable context.
Here’s an example of a resources entry from Oklahoma’s Office of Management and Enterprise Services data governance policy:
Reference
The Data Management Association International (DAMA) Data Management Body of Knowledge (DMBOK).
Step 3: Incorporate Final Revisions
After creating your draft, you need to return to your initial stakeholders to gather their final feedback. While this stage of the process tends to take longer than you’d hope, the fact that this group formed the document’s core will help keep late-stage edits to a minimum.
Implementation: The Next Step
From gathering initial ideas to making your final adjustments, this article has covered the entire process of developing a data governance policy. As you move from drafting your document to implementing your program, you will need a solution that can give you a comprehensive picture of your organization’s data landscape.
Symmetry Systems DataGuard is a Data Security Posture Management solution that gives you complete visibility across all your data assets — no matter where they are. DataGuard lets IT teams know where their sensitive data is, who is accessing it, and what’s at risk, allowing them to quickly and strategically fix policy gaps before they lead to breaches. Contact our team today to see how DataGuard could enhance your data governance program.
Share this entry