We hear a lot about governance in relation to developing regulatory compliance processes and procedures, but do you really know what it is and the role it plays in achieving compliance with governmental and industry mandated IT security and privacy requirements?
Governance, management, and compliance: similarities and differences
The Cambridge dictionary defines governance as “the way organizations or countries are managed at the highest level, and the systems for doing this.” This might imply that governance and management are the same thing, and some people use the words interchangeably, but they are different. Governance is more about the “what” (what the organization strives to do and be), whereas management is about the “how” of everyday operations.
In the IT world and particularly in compliance circles, the narrower meaning of governance pertains to the measures taken to ensure that the organization meets its goals, including compliance goals, in the technological realm.
Both governance and compliance involve enforcing rules through the use of controls that can be technological (such as software that blocks sending certain files containing customers’ personal information outside the local network) or managerial (such as policies that impose administrative consequences for making photocopies of certain documents that contain sensitive personal information).
The biggest difference between governance and compliance has to do with the source of those rules. Compliance is about externally created and imposed rules that come in the form of laws enacted by legislative bodies, regulations made by administrative agencies, and/or rules created by industry oversight organizations. Compliance is mandatory; abiding by these rules is required to avoid loss of licenses, certifications, and permits, lawsuits, fines, and in some cases even criminal penalties. These consequences generally affect the organization itself, although in some cases individuals can also be held accountable.
Governance is about internally created and imposed rules that come in the form of company policies and procedures created by corporate managers and/or boards of directors. Governance is optional; companies can change or disregard their internal policies if those in authority wish to do so. Consequences to personnel who fail to abide by the rules can include termination, demotion, or administrative disciplinary action. Consequences generally affect individual employees, although in some cases the company itself can be held accountable.
Another differentiator you’ll often hear about is that governance is considered to be more strategic whereas compliance is deemed to be more tactical. This naturally leads to a discussion of the difference between strategy and tactics. The easiest way to explain the difference between these two is that strategy pertains to long-term goals and plans for achieving them, while tactics are the shorter-term steps that you take to move toward those ends.
Governance encompasses your organization’s broad plan and compliance is a (very important) action component that furthers the goals of that plan.
Foundations of Good Governance
Best governance practices for compliance are built on a framework of guiding principles that include:
Regulatory requirements, along with the organization’s business goals and IT objectives, are important factors that influence how these principles are applied.
Data Governance as a Compliance Requirement
We’ve been talking about governance in a broad scope, but regulatory requirements focus more specifically on the issue of data governance. Because so many compliance mandates are aimed at protecting the privacy of personal identifiable information, effective data governance becomes an explicit or implicit necessity to achieve compliance.
For example, many of the principles for processing of personal data that are laid out in Article 5 of the European Union’s General Data Protection Regulation (GDPR) are closely aligned with generally recognized data governance principles.
Data governance covers a broad spectrum of how data is collected, processed, stored, transferred, and disposed of, as well as who has access to it and when and how they are allowed to access it. Personal information privacy protection regulations place strict restrictions on the handling of such data.
Applying the Principles
Organizations that collect, process, or store personal data are accountable both to the individuals whose data they handle and to the regulatory body that exercises authority over compliance. Individuals within the organization who handle personal data are accountable to the organization and to their supervisors and upper management. It’s important to be aware of both of these levels of accountability.
Being compliant isn’t enough; organizations must also be able to prove their compliance to those entities to which they are accountable. Both internal compliance officers and industry or governmental bodies determine whether compliance has been achieved through audits of the organization’s records. Thus it’s essential create an audit trail that shows all the measures you have taken to comply with regulations.
Integrity has dual meanings: it pertains to adherence to honesty and ethical principles, and it also relates to unity and wholeness. A data governance plan should take into account both definitions; personal data should be handled according to the highest degree of moral and ethical principles, and the plan should also maintain the wholeness of the overarching organizational and IT strategy.
Standardization helps you to achieve compliance by providing a framework for your compliance efforts. Compliance is all about meeting prescribed minimum standards that are set out in the regulations. Standardizing processes and procedures for data handling across departments and locations helps ensure that no personal data is accidentally exposed or mishandled and that none of the compliance requirements “fall through the cracks.”
Data stewardship is a way of formalizing the accountability for data handling, by assigning specific responsibilities to specific roles. Data stewardship focuses on the practical, tactical implementation of the data governance plan, policies, and principles. Data stewards serve as liaisons between the IT department and the organization’s business units and are responsible for the integrity and protection of the data under their stewardship.
In addition to mandating the protection of personal data, the GDPR and other privacy laws give the subjects of that personal data certain rights pertaining to what organizations do with it. That’s where the governance principle of transparency comes in. Organizations must be willing and able to locate all the personal data about a particular person or persons in order to respond to data subject requests (DSRs). DSRs can include providing the data subject with copies of the data, erasing or restricting processing of the data, rectifying inaccurate or incomplete data, and/or transferring the personal data upon request of the data subject. A data governance plan must provide for processes and procedures to handle DSRs in accordance with regulatory requirements.
Implementing Data Governance for Compliance
The implementation of an effective data governance strategy requires involvement at all levels of the organization. Top level executives have final approval or veto authority over the data governance program. In large organizations, a data governance council or committee may be appointed by the C-level executives to undertake the work of outlining the strategy, creating the policies and establishing priorities.
Data stewards may be appointed by the committee to be responsible for the governance and management of data within a particular department or division and for ensuring that data producers, owners, and users know and adhere to the policies surrounding handling of data that falls under regulatory requirements.
IT and security personnel are responsible for classifying data and applying the appropriate security measures to protect personal data while it is being collected, processed, stored, or transmitted, as well as securing the infrastructure within which the data resides.
IT measures for protecting the integrity and confidentiality of personal data include data discovery, classification and labeling; encryption of data both in transit and at rest; access controls, including role-based access controls; data breach prevention and detection; and reporting and documentation tools.
Governance and compliance go hand-in-hand, as governance serves as the foundation on which a compliance program can be built. Governance, and especially data governance, are essential components in a regulatory compliance program, and a good data governance strategy can help protect your organization from the serious and costly consequences of non-compliance.