The foundations of effective data governance

Strong data governance is critical for growing organizations, especially in the face of evolving privacy law and increased cybersecurity threats. Learn how to set the foundations for effective data governance, so your organization can improve its compliance and security posture.

Written by Adam Roberts
November 26, 2024

The popular conception of a data breach involves a determined hacker taking advantage of an unsuspecting but otherwise blameless victim via an unknown vulnerability or a sophisticated phishing attack. But what about when the victim leaves the door open?

The 2021 case of Securitas, a leading security provider, where poor data governance and cybersecurity practices exposed 1.5 million files – 3TB – shows even industry experts can make obvious errors leading to potentially disastrous results.

In this case, cybersecurity team SafetyDetectives discovered an open Amazon S3 bucket, exposing employee PII and sensitive company data of at least four airports in Colombia and Peru. While the issue was reported to the company, which closed the bucket five days later, it was unknown how long the bucket was left open and who may have accessed it.  

Inside the bucket, two databases contained the personal information of Securitas employees and airport employees, photos of ID cards and other unmarked images (which included EXIF details such as GPS location and device models of cameras used), including full names, pictures of employees, occupations and national ID numbers.  

In addition, the bucket held data from Securitas mobile apps, used by security officers to help with several tasks, such as incident reporting. While the data did not expose any specific sensitive data, the SafetyDetectives team warned the contents could be used to aid in criminal activities.  

According to the team, many companies and employees across several industries could have been exposed, and the breach could affect airport security and the safety of people who protect the lives of travelers and airport staff.

Such a result is a classic example of what can happen when a company does not implement strong data governance.

For another, just look at the major breach at data broker National Public Data. While the exact cause of the hack is yet to be determined – even the precise size is unclear – what is clear is that poor data governance was at least partly responsible. While the initial breach was caused by an attacker – USDoD – shortly after the attack another NPD data broker, which shares access to the same consumer records, inadvertently published the passwords to its back-end database in a file that was freely available from its homepage.

If security experts and data brokers can’t get data governance right, the rest of the world needs to take this more seriously.

Every company must prioritize data governance

No matter their focus or industry, every organization increasingly relies on data to make decisions and build value. Once upon a time, companies may have struggled to make decisions owing to a lack of information; now the reverse is true.

By the end of 2024, forecasts predict 147 zettabytes of global data will be produced, with an estimated 181 zettabytes produced globally by 2025. A lot of this data resides in unstructured data sources such as documents, emails, or media files, which come with further challenges for analysis.

As every organization adopts new tools or processes that generate more data, the problem now becomes: how do we handle the data we have, for compliance, security, and to ensure we harness it for the best results? How do we ensure it is high-quality, safe, secure, and handled appropriately?

Whether they realize it or not, every organization is engaged in solving this problem.

Data governance is the process of managing the ownership, availability, quality, integrity, policies and procedures of data, in relation to compliance with regulations and industry standards.  

Indeed, strong data governance is critical for growing organizations, especially in the face of evolving privacy law, increased cybersecurity threats, greater privacy expectations from customers, and advanced, data-hungry technology like generative AI.  

The core elements of good data governance

Data governance cuts across all aspects of an organization; given data’s criticality, data governance needs to be all-encompassing in order to be effective.

Data ownership & accountability

Every piece of data within the organization should have a designated owner who is responsible for its management and use. This ensures that data is consistently maintained and accessible, which is crucial for meeting governance goals.

Data quality & integrity

High-quality, trustworthy data is the foundation for sound business decisions. To achieve that trust, organizations must implement rigorous data management practices that include regular data cleaning, validation, and enrichment processes.  

These processes involve identifying and correcting inaccuracies, removing duplicate entries, and ensuring that data is up to date.

Another essential element is data classification, which involves categorizing data based on its sensitivity and importance. This classification enables organizations to apply appropriate security measures and access controls, safeguarding sensitive information while ensuring that critical data is readily available to authorized personnel.

Metadata management plays a crucial role in good data governance. Metadata — the information that describes the content, context, and structure of data — offers essential insights into how data should be used and governed. Effective metadata management ensures data discoverability, improves data lineage tracking, and enhances overall data understanding within the organization. Achieving data understanding is a precondition of data security and privacy.

Consistent data policies & procedures

To achieve such uniform quality, you need to establish and maintain consistent data policies across the organization. For a given data type or sensitivity level, different teams need to understand how to manage it safely in line with policies.

Compliance with regulations

Depending on your industry or jurisdiction, your organization may be subject to privacy or recordkeeping laws, or other compliance frameworks.

Since the passage of the General Data Protection Regulation (GDPR) in 2016, similar data privacy laws have been passed all over the world. While the United States has yet to pass a comprehensive federal law, states have moved on the issue, with a total of 19 US states – from Rhode Island to Florida – having modern privacy laws enacted.

Indeed, as the privacy world continues to evolve, your obligations may change. Good data governance must involve assessing your obligations and ensuring your policies and procedures measure up.

Data security & privacy

In tandem with the privacy world’s evolution, the cybersecurity threat landscape continues to shift. Effective data governance must have the goal of keeping customer and stakeholder data safe at its core. As we’ve outlined, once you understand the data you have, you can take measures to keep it safe, whether selecting secure storage, managing access, or removing the data when you are allowed.

Tools & technology

In a world of data abundance, strong data governance requires automation and machine learning. Manual approaches will no longer cut it. Selecting the right technology for data classification, monitoring and automation, among other tasks, is crucial.

Benefits of strong data governance foundations

Improved data trustworthiness

Strong data governance means data your organization can trust. In addition to the compliance and security benefits this brings, trustworthy data means teams can make better decisions.

Operational efficiency

With a strong data governance framework, teams will know what they need to do with each piece of data, allowing them to work faster and reduce redundancy or errors.

Better compliance and risk management

One of the key reasons to establish strong data governance fundamentals is compliance. Poorly governed data can lead to increased risk, whether from a failed audit or a damaging data breach. When you understand your data, you can take steps to keep it safe, secure, and compliant.

Support for future growth

Is your organization among the 55% that have or are implementing generative AI technologies such as Microsoft Copilot? Whether you’re using it now, or plan to in the future, strong data governance is essential.  

To implement good AI practices in your organization, you need to start with a foundation of effective data governance. In the case of Copilot, the risk is that the service will supercharge existing poor data governance or security practices, enabling potentially damaging outcomes like an employee asking for the CEO’s salary, a threat actor gaining access to sensitive data, or more prosaic outcomes like an AI model being trained on outdated, irrelevant, or test data.  

With strong data governance practices in place, you can avoid these outcomes, as you'll remove what you are not entitled to keep, and understand and protect the rest.

Start with a solid foundation

As we’ve seen, for a multitude of reasons it’s well past time to start building a strong foundation in data governance. Whether your focus is on improving cybersecurity or compliance or enabling teams to work more efficiently with higher quality data, ensuring you understand and manage your data appropriately is at the core of the solution.

And as the generative AI boom continues, ensuring your organization is prepared to take advantage of the technology is critical. RecordPoint can help.

Once data sources are connected to the RecordPoint platform, you gain the ability to govern data responsibly throughout its lifecycle. Acting as your single source of truth, the platform ensures comprehensive oversight for end-to-end governance, legal compliance, and proactive risk mitigation.  

Whether managing file holds for legal proceedings or detecting compromised data during a breach, the platform offers effective data control and detection capabilities. Integrated within your Global File Plan/Business Classification Scheme (BCS), retention triggers automate classification, streamline records disposition, and ensure compliance with regulations. This setup enables easy policy adaptation to changing laws and regulations, empowering your organization to detect sensitive data and manage it accordingly when a breach does occur. 
