In today’s world, every company is a tech company, which means it is more important than ever that organizations know where their data comes from, where it’s going, and how it’s used. Data governance used to be relegated to compliance and IT teams, but now every business unit plays a role in how the company captures, stores, and processes data.
This prompts an important discussion for life sciences companies. Before organizations expand operations or implement AI technology, they must ensure data governance procedures are in top shape.
A robust data governance program is the best way to track and manage data flowing throughout a company, but most are disorganized or constructed in a silo. This guide offers tips on how to build or reorganize a data governance program, common potholes to look out for, and how it can aid the implementation of new technologies.
Build a thoughtful governance structure
Now is as good a time as ever to revisit your data governance structure. Maybe it is owned by a single business unit, or it was pieced together by various departments. Compliance, IT, InfoSec, and other teams all gather and handle data, and it’s important to have the entire business in lockstep. Whatever the case, establishing a strong data governance program requires SASS: stewardship, architecture, and security standards.
Stewardship can be established in a variety of ways. Typically, a hub-and-spoke model is used by enterprises with complex operations. Under this model, a single business unit will work as the “hub” to establish the governance structure, maintain a data map, and secure the data. Other departments contribute as “spokes,” documenting how they manage their data and what policies they need from the governance model. This coordinated approach has several benefits, such as preventing compliance silos, which make demonstrating compliance to regulators much harder, and helping to avert unnoticed data leaks.
Architecture refers to how data governance teams store data. Storage needs differ according to the type of data and the regulations that apply. For example, sensitive patient health information has strict rules set by HIPAA and shouldn’t be mixed in with data used to train AI programs like a support bot that helps visitors navigate a website. Every “spoke” should answer questions about its data that inform how it moves through the organization:
- Where does the data come from?
- What type of data is it?
- Who is it shared with?
- How long does it need to be retained?
- Can the data be used to add value or lower risk?
Security standards should be set to limit data breaches and regulatory violations. This aspect is likely already managed by compliance and IT teams, but a robust stewardship model and thoughtful data architecture ensure all data is monitored, captured, and archived according to rank and need.
Watch out for common potholes
There are many considerations when establishing your own data governance policy. Organizations likely already have these in check and only need to review them when refreshing their program. However, there are certain elements teams often overlook or struggle with.
A critical one is monitoring all channels employees are communicating on or producing data through. Efficient communication throughout the business in a federated model can facilitate a clear understanding of what data needs to be captured. For example, salespeople may log client notes on a phone or private channel, but under DOJ compliance management programs, it’s now a legal requirement to archive that data. Retention policies and the correct communication compliance technologies can solve the problem, but only if companies know it exists.
Ephemeral messages are another tricky catch for compliance teams. Taking the time to communicate with employees on why they use channels that allow ephemeral messaging and the consequences of doing so can inform what compliance solutions are needed and boost their adoption down the line. For example, there are several technological solutions that allow employees to still use messaging channels like Apple Messages and WhatsApp, letting them meet clients or prospects where they’re most comfortable while capturing all communications via data connectors.
In these instances, executives should lead by example, using the compliance solutions they expect other employees to adopt. Implementing effective compliance procedures requires changing the practice, not just the policy.
Another often unforeseen risk is that of fourth-party vendors. If your company uses third-party vendors to process or store data, do you know what they’re doing with your data? Maybe a change in sub-processor violates the DOJ’s Bulk Data Transfer Rule or would hand your data to a vendor you don’t approve of. One solution is to work with a single-vendor solution. For example, Global Relay both captures and monitors communications data, storing it in our owned and operated data center. This means no other organizations touch your company data but for the one you signed on with.
Unlock new possibilities
Almost every company is looking to integrate AI to some degree, whether by introducing an AI chat bot or streamlining compliance workflows. Before utilizing data for this new technology, companies should lock down governance, ensure a complete and accurate data map, establish documentation across teams, and understand exactly how these new tools and systems work.
Data protection authorities across the globe have called for explainability by companies implementing AI into their products and services. Just like for data governance, companies need to fully document and understand how data moves through AI programs and how those programs change over time. This last point is known as “AI drift,” where self-training models decline in accuracy and effectiveness. It can be combatted by data augmentation and regular model retraining, but that requires a data governance program structured to look out for such changes.
Strong data governance provides visibility through the organization on where data is flowing and what restrictions are in place. This helps all teams adhere to regulatory restrictions and ensure data security as they grow in size, operate across international borders, or implement new technologies. Access this Global Relay whitepaper to learn more about the challenges and solutions for enterprise-scale data governance.