RADAR™

A DQM Group Report, March 2010

Data Governance – Avoiding the seven deadly sins
Peter Galdies, Co-Founder & Product Development Director, DQM Group

Introduction
The challenge for many companies today is how to deal effectively with the scale and complexity of managing data. There are ever increasing pressures to understand and conform to Government required policies and regulations like the Data Protection Act and the Privacy and Electronic Communication Regulations (PECR), and to ensure that data is protected and secured as a valuable asset. If your organisation has an IT infrastructure, it has data. If it has data, it needs Data Governance.

Data Governance is a suite of policies and strategies that ensures compliance, data security, data quality and IT assurance. It is also a process that has to be enacted in day-to-day business activities every time personal information or sensitive data is being handled. Data Governance is essential for protecting organisations from data disasters, for achieving data quality and for regulatory compliance assurance.

Data security and regulatory compliance are now headline subjects. Despite £billions of investment in data security, over 70% of organisations experienced at least one data breach in 2008 (Source: Ponemon/PGP Corporation). 80% of data leaks are created by staff (Source: Forrester Research). Current trading conditions and increased redundancies have led to an increased risk of data theft by staff.

Directors are now in the front line. Further regulation, now in consultation, could lead to them facing up to 2 years in prison for breaches of the Data Protection Act. The ICO will have new powers and resources to audit firms as they wish and issue fines of up to £500,000 for each breach. Most firms are either unaware of the risks or are not equipped to deal with such data issues. Many are at the early stage of the Data Governance Maturity Model – just reacting to issues that arise.

DQM Group has been helping businesses manage and control their data for over 10 years, including over 200 data governance audits in the last year alone. In that time we have gained significant insight into the most common problems found when businesses attempt to manage data governance. These are our 7 deadly sins of information governance:

1. Management Detachment
2. Foggy Purposes
3. Greedy Collection
4. Data Hoarding
5. Un-enlightenment
6. Risk Ignorance
7. Democratic Access

This white paper aims to highlight these 7 key problem areas of compliance with the Data Protection Act and Information Security, with practical recommendations for avoiding these pitfalls suggested where appropriate.

PROTECTING AND GROWING DATA VALUE – DATA VALUE MANAGEMENT

1. Management Detachment – Are you taking it seriously enough?

A properly integrated and effective approach to Data Governance cannot normally be implemented without the support and commitment of senior management. Inevitably implementation may require a change to business processes and may have budgetary requirements – both of which may require sufficient authorisation. Importantly, the involvement and leadership of a senior manager may also give a Data Governance programme a degree of importance it might otherwise miss. Additionally, being able to demonstrate to the ICO that adherence to the DPA is being taken seriously at board level is undoubtedly a good thing. Certain standards, such as ISO:27001 and the DMA’s DataSeal security standard, mandate senior management involvement.

2. Foggy Purposes – Clearly explaining the purposes for data gathering.

Most businesses now understand that they should have a privacy policy on websites where personal data is gathered and collection statements on data gathering forms. However, we have come across many instances where the actual purpose of these has been lost and replaced by many pages of legalese mumbo-jumbo. It is important to remember that all that is needed is a concise, honest and clear statement that explains who you are, how you are going to use the data and where the reader can go to get more information if required. Often this can be achieved in a few paragraphs. Clarity here can provide many benefits, including greater data availability and a more transparent relationship with the data subject, resulting in fewer complaints and a more “honest” relationship. Often this process is spoiled by over or under permissioning, and it can lead to distrust through the use of complex language or terms. Getting the right permissions at the point of data collection is vital to a good marketing or customer communications strategy. To ensure continued compliance there should be a process within the business that checks all data gathering for DPA compliance prior to use.

3. Greedy Collection – Do you really need to know that?

Clause 3 of the Data Protection Act dictates that information gathered by businesses on private individuals should be adequate and relevant for the purpose for which it is provided. It’s often tempting when collecting data to ask a few additional questions that will build data for future marketing exercises – while this may be quite acceptable, we still see examples of over-collection. How relevant is it for a product registration process that the business understands my marital status? The data collected must stack up with the purpose given and not be excessive to that purpose. So keep collection as “lean” as you can.

4. Data Hoarding – Keeping it “just in case”

Clause 5 of the DPA requires that personal data is retained only as long as is necessary for the specified purposes. In our experience this is the single area of the Act that results in the largest number of non-compliances. We often come across organisations which retain all data indefinitely – with no real explanation other than convenience, cost or simple lack of process. You must retain some data for up to 7 years for legal or tax reasons, and there may be legitimate business reasons to retain for longer. The important point is to ensure that you do have a legitimate reason for this retention that is in the interests of the data subject, and that this is built into the permissions at data collection, giving a clearer understanding to the data subject. Typically we find that organisations need to develop and implement some policy in this area, backed up with actual business processes that make the policy happen.

5. Un-enlightenment – Not educating the team.

Most medium to large businesses today seem to recognise the need for an information security policy; however, it’s amazing how many of these seem to think it’s the creation and existence of the policy document itself that is the end point. They forget that the policy is a set of rules and guidelines for staff behaviour. In the worst cases this means that the policy is never communicated to relevant staff – and even in the best cases relevant training is often poor or too infrequent. It’s actually better to have a team of well trained, security aware staff and no policy than a policy with no training! An extreme example, but actually quite representative of many audits we have completed. Relevant staff should have suitable training at induction, a refresher programme and occasional competency checks.

6. Risk Ignorance – We don’t know what we don’t know

The idea of a formal risk assessment strategy is something quite alien to most SMEs but is a fundamental of good information security practice. We often find that organisations may have considered risks at some point but don’t have a structured approach to ranking, prioritising and remediating them. Best practice would look for a scheduled assessment, perhaps annually or more frequently, and reviews after any significant change or breach. Assessments should use a repeatable, consistent methodology that should normally include assessing both likely impact and probability. Failure to undertake risk assessment is a significant security weakness and should be regarded as a serious flaw in any information governance programme.

7. Democratic Access – Everyone isn’t equal when it comes to security.

All too often we visit sites where anyone with network authentication can access all data within a system – this is not ideal. Access should be managed in such a way that personal data, and especially sensitive personal data, is only accessible by those who need to use it. Access should be centrally controlled, with authorisation required for changes and clear business processes surrounding new joiners, leavers and changes of job role. Periodic reviews of access rights should be undertaken and corrective actions taken where issues are identified.
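The periodic access-rights review recommended under Democratic Access can be made mechanical: reconcile the live access grants against the HR roster and the role entitlements, and flag anything a leaver, an unknown account or an unentitled role still holds. The following is an added example and not DQM Group's code; the roster, role entitlements, dataset names and grants are constructed sample data.

```python
# Periodic access-rights review of the kind the 'Democratic Access' section
# recommends. Added illustration, not DQM Group code: roster, entitlements
# and access grants are constructed sample data; a real review would pull
# them from HR and the access-control system.
from dataclasses import dataclass

# Assumed policy: which job roles are entitled to which datasets.
ENTITLEMENTS = {
    "membership_admin": {"members", "members_health"},
    "events_coordinator": {"members", "events"},
    "marketing": {"members"},
}
SENSITIVE = {"members_health"}  # sensitive personal data, stricter scrutiny


@dataclass(frozen=True)
class Finding:
    user: str
    dataset: str
    reason: str


def review_access(roster, access):
    """Return grants a least-privilege review should revoke.

    roster: {user: {"status": "active" | "leaver", "role": str}}
    access: iterable of (user, dataset) grants currently in force.
    """
    findings = []
    for user, dataset in sorted(access):
        person = roster.get(user)
        # Leavers and accounts unknown to HR must not retain any access.
        if person is None or person["status"] != "active":
            findings.append(Finding(user, dataset, "leaver or unknown account still has access"))
            continue
        # Active staff keep only what their current role entitles them to.
        if dataset not in ENTITLEMENTS.get(person["role"], set()):
            kind = "sensitive personal data" if dataset in SENSITIVE else "data"
            findings.append(Finding(user, dataset, f"role {person['role']} not entitled to {kind}"))
    return findings


# Constructed sample: one leaver, one marketing user still holding health data.
SAMPLE_ROSTER = {
    "alice": {"status": "active", "role": "membership_admin"},
    "bob": {"status": "leaver", "role": "events_coordinator"},
    "carol": {"status": "active", "role": "marketing"},
}
SAMPLE_ACCESS = [("alice", "members"), ("alice", "members_health"), ("bob", "events"),
                 ("carol", "members"), ("carol", "members_health")]
```

Running review_access(SAMPLE_ROSTER, SAMPLE_ACCESS) flags bob's leftover grant after leaving and carol's marketing-role access to the sensitive members_health dataset, the two corrective actions the review should raise.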

British Eventing – A Successful Case Study

British Eventing governs the International sport of eventing in the UK and is responsible for promoting and regulating more than 190 affiliated events, 10,000 horses and 12,000 members. Since beginning in the UK with the first Badminton Horse Trials in 1949, Britain has become the world’s most successful nation at eventing, winning more than 260 medals in 84 years of Olympic, European and World competitions.

British Eventing takes all matters of data security and regulatory compliance extremely seriously. It manages the personal information on its members with great care from both a data security and regulatory compliance perspective. Having already commissioned a ‘Penetration Test’ of its systems in December 2009 to investigate the potential for a hacker to enter its databases illegally, it also wanted to have an independent review of its people and processes in terms of compliance with the latest data protection regulation and data security best practice. The organisation selected DQM Group, the most trusted independent provider of data governance services to the UK marketing industry, to help carry out its Risk Assessment Data Audit Review (RADAR™).

Andrew Kirkby, Customer Service and IT Director of British Eventing, commented: “We wanted to identify any data risks to which the organisation might be exposed and have a practical action plan to fix such risks in order of priority. The RADAR™ did precisely this. In addition, we were extremely pleased with the professional, thorough and efficient service delivered by DQM Group and the quality of its final report, both in terms of its important findings and recommendations for us to address the issues raised. The DQM Group RADAR™ Report also gives us a base line to measure improvements with DQM Group on an ongoing basis.”

“I’ve already recommended DQM Group to our sister organisations British Dressage and British Show Jumping, who have similar issues to our own, and would not hesitate to recommend DQM Group to any organisation that manages personal data and, like British Eventing, wishes to optimise its data management practice.”

DQM Group has been providing audit compliance programmes and tracking services for 14 years, working closely with most of the major information owners in the UK data industry as well as for clients in a variety of industries and trade bodies, including the UK Direct Marketing Association (DMA), for whom we helped develop its Best Practice on Data Security and its new Data Security Standard DataSeal, developed with the British Standards Institute (BSI).

Figure: Face-to-face interviews with our team
Figure: A typical example of RADAR™ reporting

The RADAR™ Solution

RADAR™ is our Risk Assessment Data Audit Review tool which quickly and thoroughly identifies your current data risk factors, tells you exactly what needs to be put right and how your organisation will benefit as a result. The interview-based solution identifies current data management, data security and data protection compliance practices and maps out where your organisation has significant exposure. It generates a gap analysis compared to external data governance standards, such as ISO 27001 and BS 10012. This leads to practical, affordable fixes which can be implemented in a timely and rigorous fashion. Final de-briefing of the findings is carried out face-to-face. The product is the first step on the DQM Group AbsoluteDataCompliance Programme, which is designed to help organisations ascend the data governance maturity curve. Confidential benchmarking against similar organisations can also be provided through the DataMeasures™ data governance benchmarking service (go to www.datameasures.com).

About DQM Group

Formed in 1996, DQM Group has grown to become the most trusted independent provider of data governance services to the UK marketing industry. 70% of the UK’s leading data owners use DQM Group to audit their Commercial Agreements. We monitor over 55% of UK list transactions. We provide a cohesive range of data governance products & consulting services. We have won 8 important industry awards in the last 3 years. We are regular speakers at industry conferences. The company is committed to raising industry standards in data governance; we:
• Chair the Institute of Direct Marketing (IDM) Data Council
• Chair the Direct Marketing Association (DMA) Data Governance & Best Practice Working Party
• Are represented on the Direct Marketing Commission (DMC)
• Publish DataMeasures™ – free to use data governance benchmarking and essential information for marketing, data and IT professionals, backed by the IDM, DMA and Business Links (Government business support network)

Further Information

For more information about DQM Group or RADAR™ call 0870 242 7788 and speak to Stuart Maxwell or Angela Farquhar.
Contacts: Angela Farquhar – 01494 435441, Email: angela.farquhar@dqmgroup.com
Stuart Maxwell – 01494 435437, Email: stuart.maxwell@dqmgroup.com

Data Quality Management Group Limited, DQM House, Baker Street, High Wycombe, Buckinghamshire HP11 2RX
T +44 (0) 870 242 7788 F +44 (0) 1494 435 485
www.dqmgroup.com www.datameasures.com
