Three Things To Consider When Creating A Data Governance Plan

Published on Jun 15, 2021

It’s no exaggeration to say that data rules the world. On average, 2.9 million emails are sent every second, the same time that it takes for 72.9 items to be purchased through Amazon. Meanwhile, the average household consumes 375 megabytes of data every day. As far as the commercial world goes, a staggering 81% of UK organisations told a government survey that they handle digitised personal data, digitised non-personal data, or both, and the use of data increases considerably as businesses become larger.

This includes employee data (for example, for HR or payroll purposes) and data collected from elsewhere (such as customer data). With so much data being accumulated, public authorities and businesses of all sizes need a data strategy to ensure that customers’ privacy is being protected and to also maximise the commercial opportunities the collected data supplies. This can be achieved with a robust data governance plan (DGP).

If you are a regular reader of our blog, you may be thinking “great, another strategy/plan I need to implement”. However, other plans such as a privacy management programme will help you put a data governance plan (DGP) in place as much of the information required is the same. Furthermore, and this cannot be stressed enough, the best customers, suppliers, and investors want to know they are dealing with a well-organised business that will not compromise their data or be at risk of a multi-million pound fine for an avoidable data breach. Although these strategies require an investment in time and resources, in the long term, they will help generate revenue and investment.

What Is A Data Governance Plan?

A DGP is a collection of policies, procedures, and responsibilities that support the quality and security of data collected, used and held throughout the business. Regarding the organisation’s data, a DGP sets out who can take action, in what circumstances, and using what methods.

One of the key differences between a DGP and a privacy framework is that business drivers and goals dictate what data needs to be regulated in your DGP. Furthermore, your DGP sets out the benefits from controlling the data in line with the framework. Therefore, a DGP is directly connected with how data can and will be used to achieve your organisation’s commercial ambitions.

It’s important to note that a DGP is not a Data Management Plan or Data Stewardship; these strategies and tasks flow from the DGP framework.

What Should I Consider When Developing A Data Governance Strategy?

Knowing you need a DGP is one thing, implementing it correctly is another. Given the resources and time demanded in creating a data governance strategy, which is well and truly worth it, getting a DGP that benefits your business is crucial. The old cliché “what’s worth doing is worth doing well” applies here.

To assist you, below are three key steps for creating an industry-leading DGP.

Step One – Create a leadership team charged with developing and implementing the DGP

Best practice starts at the top. Having a strong team lead the process of developing a data governance strategy greatly increases its chance of becoming part of the organisation’s culture (the Holy Grail for all high-level business strategies).

If you have a DPO and a CISO, they will naturally be included as part of the team. The advantage of a DPO is that they perform their tasks independently and can therefore ask the tough questions and use their soft skills to persuade members of the organisation who dislike change to support the strategy.

To achieve the best coverage of knowledge and skills, be sure to include members of the management and operational teams. Also, include those experienced in IT, Privacy, Security, Governance, Risk & Compliance, Sales & Marketing, and Product Development. This will ensure the DGP addresses all areas where data is used.

Step Two – Understand the data you have

Manual data discovery processes are ill-equipped to deal with the amount and complexity of data held and used by most businesses. The solution is to invest in data discovery tools that will create a broad data inventory, recording metadata tags and data types such as structured or unstructured data. This will allow you to pinpoint data assets and the information within them and classify and enrich that data to better comprehend what your business holds and how it needs to be governed.

Step Three - Align privacy, security, and data governance processes

On the surface, privacy, security, and data governance appear to perform separate business functions. For example:

  • Privacy addresses regulatory compliance.
  • Security teams protect your organisation’s data.
  • Governance addresses data usage and quality.

However, as we mentioned in the introductory paragraph, there are many overlaps and benefits to be gained by aligning these three critical processes.

Privacy management can only be improved by good governance - for instance, data discovery can help the DPO streamline processes around SARs or records of processing activities. Data classification can help security teams focus on areas of high risk.

Aligning the processes provides more transparency across data-related activities. Furthermore, policies and procedures can be standardised, and training programmes can also be aligned. Finally, costs can be reduced by sharing them across different parts of the organisation.

Wrapping Up

Like all data and privacy-related strategies, data governance is a continual process that needs defined goals and metrics to monitor and measure successes and ensure the framework and all that stems from it constantly improves.

People involved will need specialist skills but will also benefit from cross-training. Privacy training is proven to provide an ROI and that return keeps increasing. In a 2020 study by Cisco, 70% of organisations said they received significant business benefits from privacy beyond compliance, up from 40% in 2019.

The process of putting a DGP in place not only provides space to create a robust data governance framework but also allows for your privacy strategy to be reviewed and updated as well as affording the opportunity to cross-train privacy and IT professionals throughout the business. We recently wrote about this exact topic in which another Cisco study identified a third of security operations are looking to include data privacy as a core responsibility and competency.

To find out more about data protection and privacy law training, please email us at or call 0370 04 27701.

Click your chosen course below to see our next available courses dates