17/10/2018

How data governance ensures data security and compliance

The implementation of GDPR in May 2018 has put data protection high on the list of priorities for businesses. The core question is always “What data can I share with whom, and to do what?” This is where data governance comes in: it’s a customized solution for managing the data collected and handled by your organization. And sooner rather than later, new technologies like AI will make protecting your data an even smoother undertaking.

Virtual organizational borders, a digital native workforce, cloud-hosted infrastructure, people bringing their own devices and the ‘right to be forgotten’ force us to rethink our data classification and information flows, both within and outside of the company.

Labels and policies

Every data governance project starts with an overview of the types of documents employees across different departments use every day. These are then classified into 3 to 5 ‘levels of sensitivity’, from ‘public information’ to ‘very confidential’. Levels are converted into labels, which are then mapped to policies. Each policy either protects the document or mail from malicious sharing with external parties (data leak) or from unintentional destruction (data loss prevention), or enables long-term storage (data retention).

Powerful solutions like Microsoft Office 365 allow you to roll out these labels across the company. Employees can add a security label to every document themselves, but automatic tagging based on certain rules is possible as well. For example, documents are filed as ‘personal information’ by Office 365 when it spots an identity card number. In the near future, AI will make this automatic tagging process even better, as it recognizes behavioral patterns linked to certain documents.

Data management and GDPR

Today, however, good data governance still requires quite a bit of work when it comes to correctly identifying and labeling documents. But the payoff is substantial, particularly with the advent of GDPR. When certain clients or employees want to enforce their ‘right to be forgotten’, it’s much easier to comply when every document is tagged correctly. Furthermore, an automatic ‘retention policy’ will warn you when data needs to be discarded – or retained – because of certain legal or administrative rulings.

App governance

Platforms like Office 365 come with a number of different applications that generate and handle data while also supporting integration with third-party cloud services. An important part of data governance is to determine which people and data sources can connect with which app. Today, many people bring in external apps. Typical examples are task management apps like Trello or Asana and consumer storage apps like OneDrive and Dropbox. This creates a risk of security breaches, because documents shared on these external apps aren’t monitored. It’s important to define rules, for both internally developed and existing third-party apps, on who can connect with which organizational data source.
