Data are the fuel of the Information Age, and all organizations acknowledge the value of well-managed corporate data assets. The problems start when we begin to ask just exactly how the data assets are to be well managed.

In response, many organizations have put data governance departments in place and have tasked them with ensuring good data management practices. That by itself still doesn’t solve the problem. A typical data governance unit might consist of five employees in a total workforce of 5,000, so you can immediately see the problem of how such a unit can scale its efforts to cover the entire enterprise.

Yet the mission is worthwhile. For instance, in quality management, the proper handling and curation of datasets produced by metrology is of great importance. But this is only one of many examples. Data privacy, data retention (purging outdated data), accurate specifications, and definitions of reported metrics are some of the other data management tasks requiring attention, and there are many more. Still, the question remains of how a data governance unit can scale to address all these needs.

Enter data policies

This is where data policies come in. Unfortunately, the word policy means different things to different people. The way we’re using it here is to signify a directive that seeks to control human behavior around data. A data policy tells people what to do in terms of some aspect of data management. It doesn’t tell people how to do it, and neither is it a set of prescriptive rules or a specification for automation of some kind. However, it is enforceable and is enforced.

A great advantage of data policies is that they can be enterprisewide, and this gives a small data governance unit the ability to carry out its mission on improving data management across an entire organization. Of course, not all data policies are necessarily enterprisewide; but though some may only be relevant in a particular context, many are.

A further advantage for data policies is that, in general, they are nearly always respected by all employees in an enterprise. This helps gain adoption.

What can go wrong?

Given all these favorable aspects of data policies, there’s usually an expectation that a data governance unit will issue them. Perhaps the initial ones would be more fundamental. For instance, a policy on personal data handling could cover topics like the individual’s responsibility for ensuring data quality in data entry, maintaining security for personal information, and ensuring they fully understand data before basing decisions on them. It seems like an easy step to get from this outline to a written policy.

However, it’s at this point that problems often arise with data policies. Data governance units can write a data policy and claim they “have” a policy just because they have an artifact. Worse yet, some units operate based on a project mindset and see a policy as a deliverable that meets an objective and date in a project plan. What these units don’t understand is that there are many other tasks that remain before a data policy gets adopted. Neither do they realize that other units in the enterprise—e.g., legal, risk, and internal audit—may have legitimate interests in some data policies. Coordination is required with these other units to prevent overlap, gaps, misunderstandings, and even conflict in policy work.

Doing data policies the right way

To prevent these problems, a data governance unit must spend time setting up the entire capability needed to do data policies, and not simply start writing them. This involves setting the scope for data policies, which can be tricky because data are everywhere. A data governance unit may get authority to develop data policies, but there could be many policies already in place that cover some aspect of data management. A data governance unit must negotiate with the units that own these policies to either transfer them to data governance or consult them about any updates. It’s vital to prevent different data policies having contradictory requirements for a given area of data management.

This requires setting up coordination mechanisms between data governance and relevant units. It’s best to formalize these mechanisms and incorporate them into a “data policy of policies” that covers how data governance will do policy work.

Another way in which data governance does not operate alone in policy work is that there’s often some kind of policy process in an enterprise. Perhaps all policies must be approved by executive management; perhaps they must be communicated by corporate communications; and so on. The data governance unit will have to integrate its policy work with this bigger picture, which is required but not always easy to discover and understand because it might not be fully formalized.

One other need is for a well-defined data policy life cycle. This will map out the journey of a data policy from inception to discontinuation with details of how each phase is carried out. Many data governance units that focus simply on writing a policy get surprised by the support requirements needed during the operational phase of a policy, for which they may not be adequately resourced.

The data policy imperative

The capability to develop and gain full adoption of data policies to drive outcomes toward better data management is more important now than ever. The growth in data use to drive business value, and the increasing regulation of data, require a policy response. AI is the big new factor because it requires policies for unstructured data, such as text, images, audio, and video, that were never considered in the traditional structured data of databases that have been almost exclusively the focus of data management in the past. These new challenges mean that data governance units everywhere must develop the necessary capabilities to do effective data policy work and overcome some of the issues that have been prevalent in the past.