Data governance in times of POPI and cyber crime - Yolanda Smit, PBT Group
An increase in cyber attacks targeting businesses and legislative requirements like the Protection of Personal Information Act (POPI) have brought attention to the need for effective data governance, says Yolanda Smit, Strategic Business Intelligence Manager at PBT Group. At its heart, data governance focuses on driving enterprise data management practices to the next level of maturity, where data is being managed intentionally and not just as an afterthought. Data security and privacy management, data architecture management, data quality management, records management, business intelligence, and data operations management are all vital elements in this new discipline of management.
Decision-makers are realising that data is an asset which can only be improved and protected from deterioration if it is managed effectively.
Take cyber security as an example. While it is a high priority item on most data governance strategies, its success rate can often be viewed as mixed. Start-ups and digital companies have more readily embraced the protection demands of the data-driven world than their larger counterparts who are struggling to update legacy architecture.
Yet, for all the attention being placed on external threats, those coming from internal sources remain the biggest challenge. Companies are scratching their heads and often implementing controversial policies when it comes to handling exiting or disgruntled employees or "Bring Your Own Device" (BYOD) scenarios.
Addressing these policies is dependent on well-defined and ratified data governance strategies. Unfortunately, larger corporates are typically finding themselves closer to the start of that journey than the end.
From a compliance perspective, there are multitudes of legislation and regulations that drive the need for improved data governance. Depending on the industry, the volumes may become overwhelming. Some general legislation and regulations that apply to all businesses in South Africa include the aforementioned POPI, the Companies Act, and the Electronic Communications and Transactions (ECT) Act, among others.
It is the financial services industry in particular that is buckling under new regulations streaming from the Reserve Bank, the Financial Services Board, and its Financial Advisory and Intermediary services division. All of this varied compliance leaves data governance teams struggling to make sense of it all and challenged to align the various controls, processes and practices accordingly.
So where to for companies and their focus on data governance?
The main concern is to protect the data asset and manage the change required as a result of new regulation while still keeping their focus on delivering the strategic directive of the company. In many respects this is similar to what CIOs are facing, juggling adopting new technology and IT governance while still focusing on keeping the (IT) lights on.
There is no silver bullet approach to solve this current reality where companies face disruption in data governance strategic priorities as they have to meet compliance deadlines. However, this current reality emphasises the importance of establishing a formal data governance capability to manage these contentious forces deliberately and systematically.
As an added strategy, data governance offices in highly regulated industries should consider establishing a separate capability focused only on scanning the compliance horizon, analysing the impact of new compliance requirements, and then coordinating and managing initiatives to implement remediation, while the rest of the data governance organisation focuses on driving the strategic priorities of security and data quality.