Enterprises traditionally focus on securing physical assets with procedures and practices. As more enterprises embrace digital transformation, data protection is increasingly emerging as a key focus area and concern as data are becoming increasingly more valuable. As the data as an enterprise asset paradigm evolves, approaches for data protection have also evolved from a focus on network security, antivirus software and role-based access to a more holistic approach considering specific datasets of importance to enterprises and regulations.
Increasing leadership awareness on the impact of data protection and the corresponding decision rights and responsibilities is imperative. A systematic approach to implement data protection and governance is recommended, and the following considerations should be reviewed:
- Align leadership roles and responsibilities pertaining to enterprise data. This includes a data protection office and a designated C-level owner to ensure compliance with local laws and establish enterprise policies for data protection.
- Include IT governance, risk and compliance (GRC) as part of organizational-level GRC programs to give visibility and importance to digital and data programs and assets as part of enterprise risk strategy and management.
- Identify critical data elements for the enterprise based on value added and expected to the business and functions. Establish decision rights across leadership roles to ensure alignment with data strategies, location considerations, authority and access considerations and operational compliance. This may include decisions such as what data can be utilized to drive business benefits through use in analytics as well as licensing or sale.
- Organize critical data assets using a data grid with associated enterprise roles, responsibilities and functional areas to be involved for visibility on the current state of data assets and safeguards to be maintained to protect the respective data assets.
- Define clear data lifecycles for products, solution programs and services that help track cost and value of data assets across their ideation, design, creation, validation, deployment, support and rejuvenation phases to optimize decisions on return on investment of data assets and portfolios.
- Implement a visual approach to monitoring data assets updated with context from threat perceptions and regulatory developments impacting data governance to maintain the required vigilance.
It is important to educate employees that data protection awareness and practices are not confined to IT and legal functions; data protection is the collective responsibility of the enterprise and all stakeholders. Ongoing vigilance and data governance decision-making are required by each enterprise function for the identified critical data elements.
Editor’s note: For further insights on this topic, read Sai Krishnan Mohan and Ranganath Iyengar’s recent Journal article, “Establishing Enterprise Roles for Data Protection,” ISACA Journal, volume 6 2022.