Depending on whom one asks, data governance has always occupied a central locus in data management unrivaled by any of its other dimensions. Regardless of the use case, application, or deployment, the need to formalize the roles, rules, and responsibilities for sustaining data’s enterprise worth has always taken priority for shrewd organizations.
Because of its preeminence among other facets of data management, data governance has had myriad definitions indicating the most pressing concerns of the times. The current cliché is it’s the people, processes, and technology for maintaining data’s value. Not long ago, it was defined as a means of reducing risk while increasing the value of long term data use.
Despite these changing definitions, a more profound—and deceptively subtle—transformation has almost silently wrought data governance into something markedly different than what it was as little as even five years ago.
Traditionally, data governance was synonymous with the particulars of data modeling, data quality, metadata management, data provenance, business glossaries, lifecycle management, and data stewardship. It was about devising enterprise wide policies and using these different realms to act on them.
Today, however, data governance has become synonymous with access control mechanisms, security, and regulatory compliance. Although the above realms haven’t been forsaken, they’ve either shifted into other aspects of data management (for example, data modeling is considered part of data preparation or data science) or been re-envisioned in relation to access control, security, and compliance.
“Data governance is a spectrum and still involves the aspect of having the right consistency of data, which is quality, and definitions around what data is, which is metadata,” commented Privacera CEO Balaji Ganesan. “But there’s a big part of data governance that’s around making sure the right people have the right access to data for the right purposes.”
With the demands for data privacy and regulatory compliance more vociferous than ever before, more organizations, their customers, and regulators are focusing on this latter part of data governance, which is what this term primarily denotes today.
The Traditional View of Data Governance
The initial conception of data governance was that it was a discipline to rigorously define most facets of data: from a macro (enterprise wide policy) perspective to a micro (formalizing terminology, business glossaries, semantics, etc.) perspective. Normalizing these and other concerns gave organizations “standards around how the data should be treated and who can access the data,” Ganesan mentioned. “Part of that is establishing standards around taxonomies and metadata.” Ironically, despite this discipline’s focus on formalizing these and other facets of what data mean to firms and how they use them, there was a decided dearth of formality in what data governance itself initially meant.
“Data governance has always been defined by vendors,” Ganesan pointed out. “It’s never been [where] the industry has gotten together a consortium and said, ‘hey, here’s data governance’. It’s always been vendors shaping it and when you have vendors shaping it, it’s always been around the shape of products they’re selling.” Thus, data cataloging solutions and other governance tools honed in on aspects of metadata management and data quality measures. When coupled with some of the foregoing aspects of data modeling, lifecycle management, and data stewardship, data governance had some security implications, few privacy ones, and modest regulatory connotations.
The Regulatory Effect
Moreover, data governance was widely considered the actual policies determined by C-level executives, data governance councils, and data stewards for establishing the standards Ganesan articulated. The shift towards its current perception as a means of controlling access to data for privacy and security ostensibly began with the present focus on regulatory compliance, created by horizontal mandates for consumer rights around data. “Making sure right people have access to right data according to the right purpose is where privacy and the security part comes in,” Ganesan explained. “Traditionally, there was not regulations around it. It was fairly loose; that part of data governance always existed as a more passive one.”
Therefore, when policies were created about data access, they likely remained on paper with some data stewardship efforts to verify they were followed. Nonetheless, the consumerization of IT, the advent of data privacy regulations (begat with the passage of the GDPR), the increasing instances of data breaches, and a couple well known public scares around data privacy has ineradicably altered this reality. “What has happened because of privacy and security in the last few years is these things have become board level topics,” Ganesan affirmed. “The board and the CEOs are now saying, ‘hey, we don’t want to be like Facebook with their data coming out. We have to adhere to GDPR and California privacy; there’s some fines associated with that’.”
Data Access Agenda
There’s nothing more galvanizing to an organization’s board of directors—or the C-Level executives who directly answer to it—than stiff monetary penalties for noncompliance to regulations. Zoom reached a settlement for almost $100 million dollars for such issues. Even before this particular example, data governance was inexorably advancing to its current conception as a means of facilitating access control, data privacy, and security. “These are big ticket fines that are coming up,” Ganesan remarked. “Boards are saying we need to have guardrails around our data. Now, what has changed in the last few years is that part of governance, which is security and privacy, is going from being passive to more active.”
Such activation not only entails what data governance focuses on, but also what the specific policies it’s comprised of focus on, too. The regulatory, risk mitigation side of data governance is currently being emphasized. It’s no longer adequate to have guidelines or even rules about how data are accessed on paper—top solutions in this space can propel those policies into source systems to ensure adherence when properly implemented. Many of the vaunted benefits of automation, a distributed architecture, and cloud computing have been adopted so organizations can control data access as one of the central themes of governance programs everywhere. “It’s not just, put this in a document and say you should not use this data for marketing,” Ganesan specified. “It’s about how do you make that happen, because that part is important to make sure things are done in the right way.”
Governance Goes Forward
Moreover, that part is so important that, when most vendors describe their data governance capabilities today, they start and finish with constructs for data access, security, and data privacy. The specialists, of course, still tout the broader, more traditional characteristics of data governance around data profiling, data catalogs, metadata management, and semantic consistency. But unless one specifically asks most other vendors about features for these particularities, data governance conversations almost exclusively focus on security and access control—which is what the very term has come to mean.
For the moment, at least.
“Data governance includes policies, procedures, standards, mandates, and how you deal with data,” Ganesan reflected. “And, there’s a technology piece around quality, metadata, security, and privacy. The space is big enough that it’s hard for anyone to go and solve the entire thing comprehensively, even though we all wish we could do that.”
About the Author
Jelani Harper is an editorial consultant servicing the information technology market. He specializes in data-driven applications focused on semantic technologies, data governance and analytics.
Sign up for the free insideAI News newsletter.
Join us on Twitter: @InsideBigData1 – https://twitter.com/InsideBigData1