It’s hard to say whether workflows or Venn diagrams are my favorite. Lately, it seems to have been workflows non-stop. It probably has something to do with my background in music. I like the flows of melodic lines.
In any event, below is a workflow for a data governance framework that brings each of these facets of data governance into a series of executable processes. It begins with data class and stakeholder assessment, then incorporates these findings as teams define and execute appropriate data processing modules, build out product requirements and roadmap, and confirm compliance with relevant laws and corporate policies.
Among the steps embodied above are points for deeper discussion and customization based on the quantity, identifiability, and planned uses of personal data. For example, identifiability may require facilitated discussions and client-specific definitions based on the sources of data under consideration and the data’s significance in the enterprise, whether managed in a cost center or embedded in revenue-generating offerings.
This phase of development is foundational. It nests considerations of data management and protections in critical elements of marketing strategy, surfacing that an offering’s value is based in significant ways on sensitive data. However, it doesn’t stop at debating data usage with the privacy or legal departments. By following the basics of marketing strategy, the team deepens its understanding of all who have a stake in the usage of such data. This broadening of beneficiaries beyond the concept of paying customers is critical to elevating the interests of data subjects.
The next sets of processes, while represented as linear, typically proceed in looping fashion. The team may turn next to evaluating and refining or enhancing data processing functions based on its understanding of the target markets and stakeholders. These functions include: a) provenance and lineage; b) authentication; c) authorization; d) data encryption; e) data classification; f) data catalog; g) data versioning; and h) API management. A cross-enterprise environment in which a client is accessing or utilizing shared data within an offering may require additional functions such as an extensible common data model.
Key to greater cross-functional understanding and trust are discussions with privacy professionals, who may advise the development team from a data minimization perspective, and data scientists, who may focus primarily on quantity and utility of data and tools to provide trust assurance and security across data flows. Privacy policies and guidance are part of and/or complement the data governance framework but must be grounded in understanding and preserving the value of the offering.
In between these two stages—data processing functions and policy language—are additional creative opportunities. Data-driven solutions that may engage individuals who are the subjects of the data can deepen confidence in the solution by integrating UI/UX features including context-based consent requests and privacy reminders. Each step along the workflow, whether a decision point or a class of processes, is critical. Over the term of the engagement, they inspire executive-level confidence in the product team and its internal stakeholders. As data-infused solutions are deployed, this workflow demonstrates to external stakeholders that a data governance process was followed with thought and care.