Data Governance – Week 3-4
(with links to DAMA-DMBOK)
2
Week 3: Agenda
DAMA-DMBOK’s data governance principles
Privacy Compliance
Privacy Regulations (GDPR, HIPAA,...)
Security Measures
Data Governance Committees and roles
Data Security and Privacy
Data Governance Implementation, Security, and Privacy
3
Typical Organisation Structures
Data Governance Council:
A DGC is core to this component and will need to develop as the complexity of data, its sharing and management increases. The CDO (if one exists) or the COO typically chairs the DGC.
Data Governance Groups:
The DGGs are subordinate to the DGC and are characterised by a Terms of Reference (ToR) structure as for the DGC, with clear authority, responsibility and accountability, and aligned to the Data Governance scope and implementation.
Data Working Groups:
DWGs are established either as part of business as usual or as a team within a data work stream of a project.
4
Organisational Models For DG
PROCESS CENTRIC
Process owners become the data owner for all data created, amended & deleted by the business process for which they are responsible.
DATA CENTRIC
Business appointed full time or part time roles accountable for improvement of key data domains wherever created or used across an organisation, e.g. Data Stewardship.
SYSTEMS CENTRIC
System owners become the data owner for all data created, amended & deleted by the system for which they are responsible.
CONTINGENT
There is no single best model for data governance, either when initiating data improvement activities, or as Business As Usual. The best model is dependent on the type of data and the circumstances of each initiative, at each stage of maturity.
5
Example Data Governance Council
Organisation chart: the Heads of Business Divisions (Exploration, Legal, Logistics, Unconventionals, Finance, IT, Operations, HR, Production) and the CDO sit on the Data Governance Council, supported by the Data Governance Office. Reporting to the Council are the System Owners and Data Owners, the Data Governance Manager and Data Quality Manager, and the Data Governance Group, which in turn oversees one or more Data Working Groups, each staffed by a Data Management Steward, a Data Steward and a Data Custodian.
6
Typical Roles and Responsibilities
Data Owner:
Senior staff involved in managing a business area. Their role is to understand what information is required, held, added and removed. They typically also understand and advise on how information is to be moved, and which roles have access and for what purpose.
Data Steward:
Ideally a Subject Matter Expert (SME) for the data subject area for which they are responsible. Stewards need to be advocates for good information management practice across the business.
Data Custodian:
Typically from within the IT function, the Data Custodian can correct data, ideally at its source. They are responsible for the IT services & infrastructure required to protect the data in accordance with the policies.
Data Stakeholder:
7
DATA ROLES
Enterprise Data Manager / CDO
• Schedule, convene and lead joint data management working group and report to Council
• Develop and maintain Data Management Policies and Strategy
• Identify Data Steward(s) for critical project and business processes
• Prioritise DM functions to leverage reuse and support Organisation and IS strategies
• Conduct design reviews, data acceptance activities
8
DATA ROLES
Data Owner
• Accountable for the Data Subject area for which they are the “owner”
• Work with Data Stewards to establish consistent data quality and business rules
• Define & approve quality, access and security requirements.
• Ensure data for the data subject area is fit for purpose
9
Data Owner
Role Responsibilities
1. Defining and agreeing critical data and ensuring standards are adhered to, so that data is fit for operational and regulatory use. Where this is not the case, define the benefit case for data quality improvement initiatives.
2. Sponsoring & overseeing data quality projects & services to improve data and ensuring they are embedded into BAU
3. Representing the data interests of their specific business function / area at the Data Governance Board
4. Appointment & co-ordination of appropriate key Data roles within their organisation, e.g. Data Stewards, Records Retention lead
5. Supporting the review, approval & sign-off of relevant data policies, standards, metrics & procedures impacting their data
6. Supporting the review, approval & sign-off of data architecture, data models & specifications for their data or process
7. Monitoring data quality indicators and approving the implementation of data fixes (backlogs and current issues)
8. Assurance & compliance monitoring for data policy requirements and agreeing data standards
9. Signing off agreed data retention schedules and the data lifecycle for the business area, and access roles (defining CRUD)
10. Providing support and resources to mitigate data quality issues and timely communication to the Governance Board to review progress and address any issues the groups are facing.
11. Signing off the data lifecycle and data processes: what data is needed, where, for how long, and when it is removed, to support the business
12. Signing off business data quality rules for the data quality tool, which will be used to monitor data quality
13. Security and access: roles and controls to maintain data
10
DATA ROLES
Data Steward
• Develop and maintain definitions
• Create ongoing business rules for data
• Authority for data and metadata definitions
• Support business analysts in the alignment of functional processes and data requirements
• Assist data quality manager in defining metrics, matching and standardisation rules
11
Data Steward
Role Responsibilities
1. Ensuring data is managed in accordance with the IMF and that data processes exist which others can follow
2. Implementing appropriate controls and data governance mechanisms to ensure data is fit for purpose, based on the agreed process/lifecycle
3. Defining and monitoring key data to agreed standards and quality (business and regulatory, e.g. BASEL, needs)
4. Assisting in understanding the business data needs to ensure data is fit for all customers (data mapped to processes)
5. Monitoring & enforcing data policies & practices within their business function
6. Communicating & promoting the value of the IMF, to ensure data is right first time through appropriate IMF roles
7. Reviewing and monitoring data quality analysis & audits, including MI/outputs from data quality tools
8. Assisting in data quality analysis & improvement and prioritising data for remediation
9. Data Triage: identify and remediate data issues within own business unit or across the Enterprise
10. Providing first point of contact to resolve IM issues
11. Providing input to Data policies, standards & procedures for the business function and across the Enterprise
12. Defining and agreeing business data quality rules for the data quality tool
Other responsibilities
Assist the Data Owners in the implementation of and adherence to:
i. Information Management Principles
ii. Global Data Privacy Policy
iii. Global Information and Records Management Procedure
iv. Group Policy Information Security Management
v. Group Policy Protection and Disclosure of Price Sensitive Information
12
Role Families & Roles
Architecture & Design Role Family / Data Management Roles
Domain Agnostic Architecture:
• Chief Enterprise Architect
• Enterprise Architect
• Lead Architect
• Solution Architect
Functional Architecture:
• Chief Functional Architect
• Enterprise Functional Architect
• Senior Functional Architect
• Functional Architect
• User Interface Designer
Data Management:
• Data Owner
• Data Steward
• Data Custodian
• System Owner
• Chief Information Architect
• Enterprise Information Architect
• Information Architect
• Data Integration Architect
• Data Modeller
• Database Administrator
• Data Quality Manager
• Data Governance Office Analyst
Infrastructure Architecture:
• Chief Infrastructure Architect
• Enterprise Infrastructure Architect
• Senior Infrastructure Architect
• Infrastructure Architect
• Network Designer
• Infrastructure Analyst
Integration Architecture:
• Chief Integration Architect
• Enterprise Integration Architect
• Senior Integration Architect
• Integration Architect
• Integration Designer
Security Architecture:
• Chief Security Architect
• Enterprise Security Architect
• Senior Security Architect
• Security Architect
• Security Designer
Technical Architecture:
• Chief Technical Architect
• System Owner
• Enterprise Technical Architect
• Senior Technical Architect
• Technical Architect
• Software Designer
Common Role: System Owner (listed under both Data Management and Technical Architecture)
13
Skills & Skill Levels required for Roles
Role: Enterprise Information Architect
Summary of role
This role requires a broad strategic view that is combined with a pragmatic and delivery focused mindset, deep expertise in the information architecture domain, flexibility and a willingness to be involved in projects on a ‘hands on’ basis.
The Enterprise Information Architect is a professional with knowledge and experience in the information architecture domain, and holds design authority for the information architecture domain within the business area. As such, the Enterprise Information Architect provides thought leadership, strategy, governance, and troubleshooting for the information architecture footprint, ensuring that the architecture can be pragmatically implemented within the existing constraints and according to the agreed architectural principles and standards.
The Enterprise Information Architect will provide architectural input to the individual project design reviews, and ensure that each of the projects across the portfolio remains fit for purpose in the context of the other projects and the overall Strategy.
Skills & skill levels for this role
List of skills and the optimum level required for this role. For descriptions of skills and levels see each individual skill page.
Skill families: Business Analysis & Consulting; Architecture & Design; Software Engineering & Quality; Project, Programme & Portfolio Management
14
Skills & Skill Levels required for Roles
Role: Enterprise Information Architect
Skills & skill levels for this role
List of skills and the optimum level required for this role. For descriptions of skills and levels see each individual skill page.
Skill / Competency Definition: Enterprise Architecture
The creation, communication and improvement of the key principles, methods and models that describe the enterprise's
future state and enable its evolution. The scope of the enterprise architecture process involves the interpretation of business
goals, drivers and strategies, the assessment of the current capabilities of the people, processes, information and technology
of the enterprise, and the determination of how these relate to one another and to the external environment. The process
supports the formation of the constraints, standards and guiding principles required to define, assure and govern the required
evolution and the transitional processes that facilitate predictable transition to the intended state through information-
enabled change in the organisation's structure, business processes, information systems and infrastructure.
SKILL: ENTERPRISE ARCHITECTURE
Level 1: Awareness (follow, assist)
• Is aware of the purpose, goals and objectives of enterprise architecture, its importance to the business and own area.
• Understands contribution of own role to the development of enterprise architecture.
• Can describe the established enterprise architecture framework used in National Grid.
• Aware of the key principles, methods and models that support the enterprise architecture framework.
Level 2: Basic (apply, enable)
• Applies established enterprise architecture models in the context of own role – typically within projects rather than at an enterprise level.
• Ensures that the activities carried out within their role align with the enterprise architecture framework.
Level 3: Skilful (ensure, advise)
• Understands the frameworks for developing enterprise architecture and applies this in client enterprise settings.
• Contributes to the creation of the principles, models and methods used in the organisation for developing enterprise architecture.
• Takes responsibility for investigative work to determine requirements and specify effective business processes, through improvements in information systems, data management, practices, procedures, organisation and equipment.
Level 4: Mastery (initiate, influence)
• Leads the creation and review of a systems capability strategy which meets the strategic requirements of a segment of the business. Identifies the business benefits of alternative strategies.
• Develops enterprise-wide architecture and processes which ensure that the strategic application of change is embedded in the management of the organisation.
• Establishes the contribution that technology can make to business objectives, conducting feasibility studies, producing high-level business models, preparing business cases, taking into account different implications of systems considered.
• Ensures compliance between segment business strategies, enterprise transformation activities and technology directions, setting strategies, policies, standards and practices.
Level 5: Expert (set strategy, inspire, mobilise)
• Directs the creation and review of an enterprise capability strategy to support the strategic requirements of the overall business. Identifies the business benefits of alternative strategies.
• Directs development of enterprise-wide architecture and processes which ensure that the strategic application of change is embedded in the management of the organisation.
• Ensures compliance between overall business strategies, enterprise transformation activities and technology directions, setting strategies, policies, standards and practices.
16
Data Governance Strategy & Implementation
TYPICAL DATA GOVERNANCE IMPLEMENTATION APPROACH
1. Data Governance Maturity Assessment (part of IM capability / maturity) delivers the Data Governance Current Status
17
Data Governance Strategy & Implementation
TYPICAL DATA GOVERNANCE IMPLEMENTATION APPROACH
Gap Assessment: Current State versus Desired State, assessed across Principles, Vision & Strategy, Metrics, Processes, Workflows, Comms, Training, Tools / Technology, and People & Organisation
Build Roadmap: Transition Steps towards the DG Target State
18
Example Data Management Aspiration
Our Aspiration
Data Management is embedded as a core capability within our company, enabling our data to be exploited as a key strategic asset, underpinning all of our key decisions and informing our future strategy
What This Means for Us
• We can trust our data and have confidence in what it is telling us
• We have the right skills, tools and insight to effectively manage our data and turn it into useable information
• Our data is structured in a way that supports both our current and future business needs and the technology enables secure and robust data management
• We all understand our roles and responsibilities and are relentless about data quality
What This Enables
• Driving Integrity
• Driving Accessibility and Security
• Driving Value
• Driving Sustainability
19
Taxonomy of Principles
Principle
Description
Rationale
Implications
Next Steps
(if principle approved)
20
The Data Centric List
5 key principles:
1. Data is a key asset of any organization.
2. Data is self-describing and does not rely on an application for
interpretation and meaning.
3. Data is expressed in open, non-proprietary formats.
4. Access to and security of the data is a responsibility of the
data layer, and not managed by applications.
5. Applications are allowed to visit the data, perform their magic
and express the results of their process back into the data
layer for all to share.
21
Setting out Principles and Minimum Standards
Principle: An Enduring Theme / Belief
Rationale: Why It is Important
The Implications: What It Means in Practical Terms
Minimum Standards: The Minimum We Expect to Have in Place
Supporting Guidelines: Guidelines on How the Minimum Standards Should be Applied
22
Data Security Management
▪ Planning, development, and execution of security policies and procedures to provide proper
authentication, authorisation, access, and auditing of data and information assets
▪ Effective data security policies and procedures ensure that the right people can use and update
data in the right way, and that all inappropriate access and update is restricted
▪ Effective data security management function establishes governance mechanisms that are easy
enough to abide by on a daily operational basis
23
Data Security Management – Definition and Goals
Definition
▪ Planning, development, and execution of security policies and procedures to provide proper
authentication, authorisation, access, and auditing of data and information.
Goals
▪ Enable appropriate, and prevent inappropriate, access and change to data assets
▪ Meet regulatory requirements for privacy and confidentiality
▪ Ensure the privacy and confidentiality needs of all stakeholders are met
24
Data Security Management
▪ Protect information assets in alignment with privacy and confidentiality regulations and business requirements
o Stakeholder Concerns - organisations must recognise the privacy and confidentiality needs of
their stakeholders, including clients, patients, students, citizens, suppliers, or business
partners
o Government Regulations - government regulations protect some of the stakeholder security
interests. Some regulations restrict access to information, while other regulations ensure
openness, transparency, and accountability
o Proprietary Business Concerns - each organisation has its own proprietary data to protect -
ensuring competitive advantage provided by intellectual property and intimate knowledge of
customer needs and business partner relationships is a cornerstone in any business plan
o Legitimate Access Needs - data security implementers must also understand the legitimate
needs for data access
25
Data Security Requirements and Procedures
▪ Data security requirements and the procedures to meet these requirements
o Authentication - validate users are who they say they are
o Authorisation - identify the right individuals and grant them the right privileges to specific,
appropriate views of data
o Access - enable these individuals and their privileges in a timely manner
o Audit - review security actions and user activity to ensure compliance with regulations and
conformance with policy and standards
27
Data Security Management Overview
28
Data Security Management Function, Activities and Sub-Activities
29
Data Operations Management - Principles
▪ Be a responsible trustee of data about all parties. Understand and respect the privacy and confidentiality needs of all
stakeholders, be they clients, patients, students, citizens, suppliers, or business partners
▪ Understand and comply with all pertinent regulations and guidelines
▪ Data-to-process and data-to-role relationship (CRUD Create, Read, Update, Delete) matrices help map data access
needs and guide definition of data security role groups, parameters, and permissions
▪ Definition of data security requirements and data security policy is a collaborative effort involving IT security
administrators, data stewards, internal and external audit teams, and the legal department
▪ Identify detailed application security requirements in the analysis phase of every systems development project
▪ Classify all enterprise data and information products against a simple confidentiality classification schema
▪ Every user account should have a password set by the user following a set of password complexity guidelines, and
expiring every 45 to 60 days
▪ Create role groups; define privileges by role; and grant privileges to users by assigning them to the appropriate role
group. Whenever possible, assign each user to only one role group
▪ Some level of management must formally request, track, and approve all initial authorisations and subsequent changes
to user and group authorisations
▪ To avoid data integrity issues with security access information, centrally manage user identity data and group
membership data
▪ Use relational database views to restrict access to sensitive columns and / or specific rows
▪ Strictly limit and carefully consider every use of shared or service user accounts
▪ Monitor data access to certain information actively, and take periodic snapshots of data access activity to understand
trends and compare against standards criteria
▪ Periodically conduct objective, independent, data security audits to verify regulatory compliance and standards
conformance, and to analyse the effectiveness and maturity of data security policy and practice
▪ In an outsourced environment, be sure to clearly define the roles and responsibilities for data security and understand
the chain of custody data across organisations and roles.
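The access-control principles on this slide (a data-to-role CRUD matrix, role groups with privileges granted only by assigning a user to a single group, formal request and approval of every authorisation change, central management of membership, and an audit trail of access decisions) worked through together with the authorisation and audit requirements from the "Data Security Requirements and Procedures" slide. This is an added illustration written for this page, not code from the course deck or from DAMA-DMBOK; the subject areas (Customer, Claim, Payment), the role groups, the user names and the contents of the matrix are constructed for the example.

```python
"""Role-group authorisation derived from a data-to-role CRUD matrix.

Added illustration, not code from the course deck or from DAMA-DMBOK.
The subject areas, role groups, users and the matrix itself are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed data-to-role CRUD matrix: role group -> data subject area ->
# permitted operations (C=create, R=read, U=update, D=delete).
CRUD_MATRIX = {
    "claims_handler":  {"Customer": "RU",   "Claim": "CRU"},
    "finance_analyst": {"Claim": "R",       "Payment": "CRU"},
    "dba":             {"Customer": "CRUD", "Claim": "CRUD", "Payment": "CRUD"},
}


@dataclass
class AccessRequest:
    """A formally requested change to a user's role-group membership."""
    requester: str
    user: str
    role_group: str
    approver: Optional[str] = None


class AccessControl:
    """Grants privileges only through role groups; one role group per user."""

    def __init__(self, crud_matrix):
        self.crud_matrix = crud_matrix
        self.memberships = {}   # user -> role group, managed centrally
        self.audit_log = []     # every request, approval, revocation and decision

    def _audit(self, event, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def request_membership(self, user, role_group, requester):
        """Step 1: a manager formally requests membership; nothing is granted yet."""
        if role_group not in self.crud_matrix:
            raise ValueError(f"unknown role group {role_group!r}")
        self._audit("membership_requested", user=user, role_group=role_group,
                    requester=requester)
        return AccessRequest(requester=requester, user=user, role_group=role_group)

    def approve(self, request, approver):
        """Step 2: a second person approves; the grant happens here and only here."""
        if approver == request.requester:
            raise PermissionError("requester may not approve their own request")
        if request.user in self.memberships:
            raise PermissionError(
                f"{request.user} already belongs to {self.memberships[request.user]!r}; "
                "one role group per user")
        request.approver = approver
        self.memberships[request.user] = request.role_group
        self._audit("membership_approved", user=request.user,
                    role_group=request.role_group, approver=approver)

    def revoke(self, user, approver):
        """Remove a user's role group; the change is tracked like a grant."""
        role_group = self.memberships.pop(user, None)
        self._audit("membership_revoked", user=user, role_group=role_group,
                    approver=approver)

    def is_allowed(self, user, subject_area, operation):
        """Authorisation decision taken from the matrix; every decision is audited."""
        role_group = self.memberships.get(user)
        privileges = self.crud_matrix.get(role_group, {}).get(subject_area, "")
        allowed = operation in privileges
        self._audit("access_decision", user=user, subject_area=subject_area,
                    operation=operation, allowed=allowed)
        return allowed

    def denied_events(self):
        """Audit review helper: the denied decisions a reviewer looks at first."""
        return [e for e in self.audit_log
                if e["event"] == "access_decision" and not e["allowed"]]


if __name__ == "__main__":
    ac = AccessControl(CRUD_MATRIX)
    req = ac.request_membership("alice", "claims_handler", requester="bob")
    ac.approve(req, approver="carol")
    print(ac.is_allowed("alice", "Claim", "C"))      # True
    print(ac.is_allowed("alice", "Customer", "D"))   # False: not in the matrix
    print(len(ac.denied_events()))                   # 1
```

Anything not present in the matrix is denied by default, so a new subject area is unreadable until a data owner has explicitly added it to a role group; the audit log records the denied decisions as well as the granted ones, which is what the periodic access review on this slide needs.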
30
Understand Data Security Needs and Regulatory Requirements
▪ Distinguish between business rules and procedures and the rules imposed by application software products
▪ It is common for systems to have their own unique set of data security requirements over and above those required by business processes
31
Business Requirements
▪ Implementing data security within an enterprise requires an understanding of
business requirements
▪ Business needs of an enterprise define the degree of rigidity required for data
security
▪ Business rules and processes define the security touch points
▪ Data-to-process and data-to-role relationship matrices are useful tools to map these
needs and guide definition of data security role-groups, parameters, and permissions
▪ Identify detailed application security requirements in the analysis phase of every
systems development project
32
Regulatory Requirements
▪ Organisations must comply with a growing set of regulations
▪ Some regulations impose security controls on information management
33
BCBS 239 & Data Management
• Basel Committee’s attempt to close existing gaps in RDARR (Risk Data Aggregation and Risk Reporting)
• Aimed predominantly at G-SIBs (Global Systemically Important Banks)
• Designed to set compliance expectations for different risk types
• Focuses on governance, infrastructure, risk data aggregation and reporting capabilities
• Also includes supervisory review, tools and cooperation
• Regulation presented in the form of 14 principles, e.g. “completeness,” “timeliness” and “adaptability”, with which banks must comply.
• Challenges:
  • BCBS 239 is a principle-based regulation
  • Few clear predefined metrics (yet) which banks can use to monitor compliance against the regulation
  • Principles focusing on qualities such as “completeness,” “timeliness,” “adaptability” and “accuracy” can have different meanings, and potentially different metrics
  • Even more different when applied to different risk types (e.g. credit, market, liquidity).
• However, this also presents an opportunity to interpret these principles in a manner that is both compliant and adds real business value.
34
Developing metrics for compliance against BCBS 239
35
Best Practice For Defining Data Quality Indicators
DEFINE DATA QUALITY INDICATORS (DQI) WITH THESE CHARACTERISTICS:
Trackability – make sure each DQI is monitored over time to track progress
Acceptability – make sure it’s possible to define what “good” looks like for each DQI
Relevance – make sure each DQI measures something of importance to the business
Measurability – make sure each DQI can be measured and quantified
Accountability/Stewardship – make sure each DQI links to the Data Governance structure
Controllability – make sure the remedial actions for each DQI are defined
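The six characteristics above, carried into a small DQI definition and evaluated over successive snapshots so that each indicator is measurable (a scoring function), acceptable (a threshold for "good"), accountable (a named steward), controllable (a remedial action that fires on breach) and trackable (scored per dated snapshot with a trend). This is an added example written for this page, not code from the course deck; the indicator names, steward names, thresholds and the customer records in the snapshots are constructed.

```python
"""Data quality indicators (DQIs) with the characteristics named on the slide.

Added illustration, not code from the course deck. Indicator names, stewards,
thresholds and the customer snapshots are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class DQI:
    name: str                               # Relevance: what the business cares about
    steward: str                            # Accountability: owner in the DG structure
    threshold: float                        # Acceptability: what "good" looks like (0..1)
    remedial_action: str                    # Controllability: what happens on a breach
    measure: Callable[[List[dict]], float]  # Measurability: records -> score in [0, 1]


def completeness(field):
    """Share of records in which `field` is populated."""
    def score(records):
        if not records:
            return 0.0
        populated = sum(1 for r in records if r.get(field) not in (None, ""))
        return populated / len(records)
    return score


def validity(field, predicate):
    """Share of populated values of `field` that satisfy `predicate`."""
    def score(records):
        values = [r[field] for r in records if r.get(field) not in (None, "")]
        if not values:
            return 0.0
        return sum(1 for v in values if predicate(v)) / len(values)
    return score


def evaluate(dqi, snapshots):
    """Trackability: score every dated snapshot, then report state and trend."""
    scores = {date: round(dqi.measure(records), 3)
              for date, records in sorted(snapshots.items())}
    history = list(scores.values())
    latest = history[-1]
    if len(history) < 2 or history[-1] == history[-2]:
        trend = "flat"
    else:
        trend = "improving" if history[-1] > history[-2] else "deteriorating"
    breached = latest < dqi.threshold
    return {"indicator": dqi.name, "steward": dqi.steward, "scores": scores,
            "latest": latest, "threshold": dqi.threshold, "breached": breached,
            "trend": trend, "action": dqi.remedial_action if breached else None}


# Constructed monthly snapshots of a customer table (two months).
SNAPSHOTS = {
    "2024-01": [
        {"id": 1, "email": "a@example.com", "country": "GB"},
        {"id": 2, "email": "", "country": "FR"},
        {"id": 3, "email": "not-an-email", "country": "DE"},
        {"id": 4, "email": None, "country": "XX"},
    ],
    "2024-02": [
        {"id": 1, "email": "a@example.com", "country": "GB"},
        {"id": 2, "email": "b@example.com", "country": "FR"},
        {"id": 3, "email": "not-an-email", "country": "DE"},
        {"id": 4, "email": None, "country": "NL"},
        {"id": 5, "email": "e@example.com", "country": "ES"},
    ],
}

EMAIL_COMPLETENESS = DQI(
    name="Customer email completeness", steward="Customer Data Steward",
    threshold=0.95,
    remedial_action="Raise remediation ticket with CRM team; capture email at next contact",
    measure=completeness("email"))

EMAIL_VALIDITY = DQI(
    name="Customer email validity", steward="Customer Data Steward",
    threshold=0.99,
    remedial_action="Send invalid addresses to data triage for correction at source",
    measure=validity("email", lambda v: "@" in v and "." in v.rsplit("@", 1)[-1]))

if __name__ == "__main__":
    for dqi in (EMAIL_COMPLETENESS, EMAIL_VALIDITY):
        print(evaluate(dqi, SNAPSHOTS))
```

Keeping the steward and the remedial action on the indicator itself, rather than in a separate document, is what turns a metric into a governed DQI: a breach produces a named owner and a defined action, not just a number.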
36
The Impact of GDPR (Overview)
The GDPR will increase privacy for individuals and give regulatory authorities greater powers to take action against businesses that breach the new laws.
What this means is:
Tough penalties: fines of up to 4% of annual turnover or €20M, whichever is greater
The regulation also applies to non-EU companies that process personal data of individuals in the EU
The international transfer of data will be governed under GDPR rules
The definition of “personal data” is now much broader and includes identifiers such as:
37
GDPR (General Data Protection Regulation)
Who does the GDPR apply to?
• Controllers and Processors (of personal data).
The controller says how and why personal data is processed and the processor acts on the
controller’s behalf. (If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR)
• Processors:
are required to maintain records of personal data and processing activities & have significantly more
legal liability if you are responsible for a breach (new for GDPR)
• Controllers:
are not relieved of obligations where a processor is involved – the GDPR places further obligations to
ensure your contracts with processors comply with the GDPR.
Where does the GDPR apply?
• The GDPR applies to processing carried out by organisations operating within the EU.
It also applies to organisations outside the EU that offer goods or services to EU citizens.
• The GDPR does not apply to certain activities including processing covered by the Law Enforcement
Directive, processing for national security purposes and processing carried out by individuals purely
for personal/household activities.
38
What can & can’t DG & a CDO address?
Can:
• Make order from chaos
• Drive business accountability for enterprise data
• Keep track of data assets: where they’re stored, who’s got access, and how often they
are cleansed and checked.
• Ensure data quality processes are established
Can’t:
• Be solely responsible for managing data
• Perform miracles to create “data perfection”
• Magically fix all historic data quality issues
39
Week 4: Agenda
Data Governance Capstone Project
Projects should be conducted in groups of 4-5 students.
The project should emphasize two main aspects: (i) data governance and (ii) its relationship to the DAMA pillars, especially Governance.
The students are expected to deliver a project with a presentation during this week. The week is dedicated to choosing their groups and topics, working together in groups, and receiving support from their instructor. The project requirements mainly depend on the instructor. The following are some suggested guidelines:
A presentation should be delivered by the groups to their peers and instructor.
40
Project 1: Develop a Data Governance Office for a corporation, e.g. XYZ
⮚Company Description
⮚Company Strategy
⮚Data Governance Council/Office/..
⮚Define Data Governance Roles
⮚Define Data Security
⮚Define Data Governance Policies
⮚Define Procedures related to Policies
⮚Define RACI
41
Project 2: Develop a Data Governance Office for the Purchasing department in a corporation, e.g. XYZ
⮚Department Description
⮚Department Strategy
⮚Define Data Governance Roles
⮚Define Data Security
⮚Define Data Governance Policies
⮚Define Procedures related to Policies
⮚Define RACI
42
Project 3: Develop a Data Governance Office for the HR department in a corporation, e.g. XYZ
⮚Department Description
⮚Department Strategy
⮚Define Data Governance Roles
⮚Define Data Security
⮚Define Data Governance Policies
⮚Define Procedures related to Policies
⮚Define RACI
43
Project 4: Develop a Data Governance Office for the Finance department in a corporation, e.g. XYZ
⮚Department Description
⮚Department Strategy
⮚Define Data Governance Roles
⮚Define Data Security
⮚Define Data Governance Policies
⮚Define Procedures related to Policies
⮚Define RACI
44
Project 5: Develop a Data Governance Office for the Sales department in a corporation, e.g. XYZ
⮚Department Description
⮚Department Strategy
⮚Define Data Governance Roles
⮚Define Data Security
⮚Define Data Governance Policies
⮚Define Procedures related to Policies
⮚Define RACI
45
Project 6: Develop a Data Governance Office for the Supply Chain department in a corporation, e.g. XYZ
⮚Department Description
⮚Department Strategy
⮚Define Data Governance Roles
⮚Define Data Security
⮚Define Data Governance Policies
⮚Define Procedures related to Policies
⮚Define RACI

Data Governance Course without AI_Week 3-4.pptx

  • 1.
    Data Governance –Week 3-4 (with links to DAMA-DMBOK)
  • 2.
    2 Week 3: Agenda DAMA-DMBOK’sdata governance principles Privacy Compliance Privacy Regulations (GDPR, HIPAA,...) Security Measures Data Governance Committees and roles Data Security and Privacy ​ Data Governance Implementation, Security, and Privacy
  • 3.
    3 Typical Organisation Structures DataGovernance Council: ​ A DGC is core to this component and will need to develop as the complexity of data, its sharing and management increases. CDO (if exists) of COO typically chairs the DGC Data Governance Groups: ​ The DGGs are subordinate to the DGC and will be characterised by a ToR structure as for the DGC with clear authority, responsibility and accountability; and aligned to Data Governance scope and implementation Data Working Groups: ​ DWGs are established either as part of business as usual or as a team within a data work stream of a project
  • 4.
    4 PROCESS CENTRIC Process ownersbecome the data owner for all data created, amended & deleted by the business process for which they are responsible. DATA CENTRIC Business appointed full time or part time roles accountable for improvement of key data domains wherever created or used across an organisation, e.g. Data Stewardship. Organisational Models For DG SYSTEMS CENTRIC System owners become the data owner for all data created, amended & deleted by the system for which they are responsible. CONTINGENT There is no single best model for data governance, either when initiating data improvement activities, or as Business As Usual. The best model is dependent on the type of data and the circumstances of each initiative, at each stage of maturity.
  • 5.
    5 Example Data GovernanceCouncil Heads of Business Divisions Exploration Legal Logistics Unconventionals Finance IT Operations HR Production CDO Data Governance Council System Owners Data Owners Data Governance Manager Data Quality Manager Data Governance Group Data Working Group Data Management Steward Data Steward Data Custodian Data Working Group Data Management Steward Data Steward Data Custodian Data Working Group(s) Data Governance Office
  • 6.
    6 Typical Roles andResponsibilities Data Owner: Senior staff involved in managing a business area. Their role is to understand what information is required, held, added and removed. They typically also understand and advise on how information is to be moved, and what roles have access and for what purpose. Data Steward: Ideally a Subject Matter Expert (SME) for the data subject area which they are responsible for. Stewards need to be an advocate for good information management practice across the business. Data Custodian: Typically from within the IT function the Data Custodian can correct data, ideally at its source. They are responsible for the IT services & infrastructure required to protect the data in accordance with the policies. Data Stakeholder:
  • 7.
    7 DATA ROLES: Enterprise Data Manager / CDO
    ▪ Schedule, convene and lead the joint data management working group and report to the Council
    ▪ Develop and maintain Data Management Policies and Strategy
    ▪ Identify Data Steward(s) for critical projects and business processes
    ▪ Prioritise DM functions to leverage reuse and support Organisation and IS strategies
    ▪ Conduct design reviews and data acceptance activities
  • 8.
    8 DATA ROLES: Data Owner
    ▪ Accountable for the Data Subject area for which they are the "owner"
    ▪ Work with Data Stewards to establish consistent data quality and business rules
    ▪ Define & approve quality, access and security requirements
    ▪ Ensure data for the data subject area is fit for purpose
  • 9.
    9 Data Owner Role Responsibilities
    1. Defining and agreeing critical data and ensuring standards are adhered to, so that data is fit for operational and regulatory use. Where this is not the case, define the benefit case for data quality improvement initiatives.
    2. Sponsoring & overseeing data quality projects & services to improve data, and ensuring they are embedded into BAU
    3. Representing the data interests of their specific business function / area at the Data Governance Board
    4. Appointment & co-ordination of appropriate key data roles within their organisation, e.g. Data Stewards, Records Retention lead
    5. Supporting review, approval & sign-off of relevant data policies, standards, metrics & procedures impacting their data
    6. Supporting review, approval & sign-off of data architecture, data models & specifications for their data or process
    7. Monitoring data quality indicators and approving the implementation of data fixes (backlog and current issues)
    8. Assurance & compliance monitoring for data policy requirements, and agreeing data standards
    9. Signing off agreed data retention schedules and the data lifecycle for the business area, and access roles (defining CRUD)
    10. Providing support and resources to mitigate data quality issues, and timely communication to the Governance Board to review progress and address any issues the groups are facing
    11. Signing off the data lifecycle and data processes: what data is needed, where, for how long, and when it is removed, to support the business
    12. Signing off business data quality rules for the data quality tool, which will be used to monitor data quality
    13. Security and access: roles and controls to maintain data
  • 10.
    10 DATA ROLES: Data Steward
    ▪ Develop and maintain definitions
    ▪ Create ongoing business rules for data
    ▪ Authority for data and metadata definitions
    ▪ Support business analysts in the alignment of functional processes and data requirements
    ▪ Assist the data quality manager in defining metrics, matching and standardisation rules
  • 11.
    11 Data Steward Role Responsibilities
    1. Ensuring data is managed in accordance with the IMF and that data processes exist which others can follow
    2. Implementing appropriate controls and data governance mechanisms to ensure data is fit for purpose, based on the agreed process/lifecycle
    3. Defining and monitoring key data to agreed standards and quality (business and regulatory needs, e.g. BASEL)
    4. Assisting in understanding the business data needs to ensure data is fit for all customers (data mapped to processes)
    5. Monitoring & enforcing data policies & practices within their business function
    6. Communicating & promoting the value of the IMF, to ensure data is right first time through appropriate IMF roles
    7. Reviewing and monitoring data quality analysis & audits, including MI/outputs from data quality tools
    8. Assisting in data quality analysis & improvement, and prioritising data for remediation
    9. Data Triage: identifying and remediating data issues within own business unit or across the Enterprise
    10. Providing the first point of contact to resolve IM issues
    11. Providing input to data policies, standards & procedures for the business function and across the Enterprise
    12. Defining and agreeing business data quality rules for the data quality tool
    Other responsibilities: assist the Data Owners in the implementation of & adherence to:
    i. Information Management Principles
    ii. Global Data Privacy Policy
    iii. Global Information and Records Management Procedure
    iv. Group Policy Information Security Management
    v. Group Policy Protection and Disclosure of Price Sensitive Information
  • 12.
    12 Role Families & Roles
    Architecture & Design Role Family / Data Management Roles
    Domain Agnostic Architecture: Chief Enterprise Architect; Enterprise Architect; Lead Architect; Solution Architect
    Functional Architecture: Chief Functional Architect; Enterprise Functional Architect; Senior Functional Architect; Functional Architect; User Interface Designer
    Data Management: Data Owner; Data Steward; Data Custodian; System Owner (common role); Chief Information Architect; Enterprise Information Architect; Information Architect; Data Integration Architect; Data Modeller; Database Administrator; Data Quality Manager; Data Governance Office Analyst
    Infrastructure Architecture: Chief Infrastructure Architect; Enterprise Infrastructure Architect; Senior Infrastructure Architect; Infrastructure Architect; Network Designer; Infrastructure Analyst
    Integration Architecture: Chief Integration Architect; Enterprise Integration Architect; Senior Integration Architect; Integration Architect; Integration Designer
    Security Architecture: Chief Security Architect; Enterprise Security Architect; Senior Security Architect; Security Architect; Security Designer
    Technical Architecture: Chief Technical Architect; System Owner (common role); Enterprise Technical Architect; Senior Technical Architect; Technical Architect; Software Designer
  • 13.
    13 Skills & Skill Levels required for Roles
    Role: Enterprise Information Architect
    Summary of role: This role requires a broad strategic view combined with a pragmatic and delivery-focused mindset, deep expertise in the information architecture domain, flexibility and a willingness to be involved in projects on a 'hands on' basis. The Enterprise Information Architect is a professional with knowledge and experience in the information architecture domain, and holds design authority for the information architecture domain within the business area. As such, the Enterprise Information Architect provides thought leadership, strategy, governance and troubleshooting for the information architecture footprint, ensuring that the architecture can be pragmatically implemented within the existing constraints and according to the agreed architectural principles and standards. The Enterprise Information Architect will provide architectural input to the individual project design reviews, and ensure that each of the projects across the portfolio remains fit for purpose in the context of the other projects and the overall Strategy.
    Skills & skill levels for this role: list of skills and the optimum level required for this role. For descriptions of skills and levels see each individual skill page.
    Family: Business Analysis & Consulting
    Family: Architecture & Design
    Family: Software Engineering & Quality
    Family: Project, Programme & Portfolio Management
  • 14.
    14 Skills & Skill Levels required for Roles
    Role: Enterprise Information Architect
    Skills & skill levels for this role: list of skills and the optimum level required for this role. For descriptions of skills and levels see each individual skill page.
    Skill / Competency Definition: Enterprise Architecture
    The creation, communication and improvement of the key principles, methods and models that describe the enterprise's future state and enable its evolution. The scope of the enterprise architecture process involves the interpretation of business goals, drivers and strategies, the assessment of the current capabilities of the people, processes, information and technology of the enterprise, and the determination of how these relate to one another and to the external environment. The process supports the formation of the constraints, standards and guiding principles required to define, assure and govern the required evolution and the transitional processes that facilitate predictable transition to the intended state through information-enabled change in the organisation's structure, business processes, information systems and infrastructure.
    SKILL: ENTERPRISE ARCHITECTURE
    Level 1, Awareness (follow, assist):
    • Is aware of the purpose, goals and objectives of enterprise architecture, its importance to the business and own area.
    • Understands the contribution of own role to the development of enterprise architecture.
    • Can describe the established enterprise architecture framework used in National Grid.
    • Aware of the key principles, methods and models that support the enterprise architecture framework.
    Level 2, Basic (apply, enable):
    • Applies established enterprise architecture models in the context of own role, typically within projects rather than at an enterprise level.
    • Ensures that the activities carried out within their role align with the enterprise architecture framework.
    Level 3, Skilful (ensure, advise):
    • Understands the frameworks for developing enterprise architecture and applies this in client enterprise settings.
    • Contributes to the creation of the principles, models and methods used in the organisation for developing enterprise architecture.
    • Takes responsibility for investigative work to determine requirements and specify effective business processes, through improvements in information systems, data management, practices, procedures, organisation and equipment.
    Level 4, Mastery (initiate, influence):
    • Leads the creation and review of a systems capability strategy which meets the strategic requirements of a segment of the business. Identifies the business benefits of alternative strategies.
    • Develops enterprise-wide architecture and processes which ensure that the strategic application of change is embedded in the management of the organisation.
    • Establishes the contribution that technology can make to business objectives, conducting feasibility studies, producing high-level business models, preparing business cases, taking into account the different implications of the systems considered.
    • Ensures compliance between segment business strategies, enterprise transformation activities and technology directions, setting strategies, policies, standards and practices.
    Level 5, Expert (set strategy, inspire, mobilise):
    • Directs the creation and review of an enterprise capability strategy to support the strategic requirements of the overall business. Identifies the business benefits of alternative strategies.
    • Directs development of enterprise-wide architecture and processes which ensure that the strategic application of change is embedded in the management of the organisation.
    • Ensures compliance between overall business strategies, enterprise transformation activities and technology directions, setting strategies, policies, standards and practices.
  • 15.
    15 Typical Organisation Structures
    Data Governance Council: A DGC is core to this component and will need to develop as the complexity of data, its sharing and management increases. The CDO (if one exists) or the COO typically chairs the DGC.
    Data Governance Groups: The DGGs are subordinate to the DGC and are characterised by a ToR (Terms of Reference) structure as for the DGC, with clear authority, responsibility and accountability, and aligned to the Data Governance scope and implementation.
    Data Working Groups: DWGs are established either as part of business as usual or as a team within a data work stream of a project.
  • 16.
    16 Data Governance Strategy & Implementation
    TYPICAL DATA GOVERNANCE IMPLEMENTATION APPROACH (diagram)
    1. Data Governance Maturity Assessment (part of IM capability / maturity): delivers the Data Governance Current Status
  • 17.
    17 Data Governance Strategy & Implementation
    TYPICAL DATA GOVERNANCE IMPLEMENTATION APPROACH (diagram)
    Gap Assessment between Current State and Desired State across: Principles; Vision & Strategy; Metrics; Processes; Workflows; Comms; Training; Tools / Technology; People & Organisation
    Build Roadmap: Transition Steps towards the DG Target State
  • 18.
    18 Example Data Management Aspiration
    Our Aspiration: Data Management is embedded as a core capability within our company, enabling our data to be exploited as a key strategic asset, underpinning all of our key decisions and informing our future strategy
    What This Means for Us:
    • We can trust our data and have confidence in what it is telling us
    • We have the right skills, tools and insight to effectively manage our data and turn it into useable information
    • Our data is structured in a way that supports both our current and future business needs, and the technology enables secure and robust data management
    • We all understand our roles and responsibilities and are relentless about data quality
    What This Enables: Driving Integrity; Driving Accessibility and Security; Driving Value; Driving Sustainability
  • 19.
  • 20.
    20 The Data Centric List: 5 key principles
    1. Data is a key asset of any organization.
    2. Data is self-describing and does not rely on an application for interpretation and meaning.
    3. Data is expressed in open, non-proprietary formats.
    4. Access to and security of the data is a responsibility of the data layer, and not managed by applications.
    5. Applications are allowed to visit the data, perform their magic and express the results of their process back into the data layer for all to share.
  • 21.
    21 Setting out Principles and Minimum Standards
    Principle: An Enduring Theme / Belief
    Rationale: Why It is Important
    The Implications: What It Means in Practical Terms
    Minimum Standards: The Minimum We Expect to Have in Place
    Supporting Guidelines: Guidelines on How the Minimum Standards Should be Applied
  • 22.
    22 Data Security Management
    ▪ Planning, development, and execution of security policies and procedures to provide proper authentication, authorisation, access, and auditing of data and information assets
    ▪ Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and update is restricted
    ▪ An effective data security management function establishes governance mechanisms that are easy enough to abide by on a daily operational basis
  • 23.
    23 Data Security Management: Definition and Goals
    Definition
    ▪ Planning, development, and execution of security policies and procedures to provide proper authentication, authorisation, access, and auditing of data and information.
    Goals
    ▪ Enable appropriate, and prevent inappropriate, access and change to data assets
    ▪ Meet regulatory requirements for privacy and confidentiality
    ▪ Ensure the privacy and confidentiality needs of all stakeholders are met
  • 24.
    24 Data Security Management
    • Protect information assets in alignment with privacy and confidentiality regulations and business requirements
    o Stakeholder Concerns: organisations must recognise the privacy and confidentiality needs of their stakeholders, including clients, patients, students, citizens, suppliers, or business partners
    o Government Regulations: government regulations protect some of the stakeholder security interests. Some regulations restrict access to information, while other regulations ensure openness, transparency, and accountability
    o Proprietary Business Concerns: each organisation has its own proprietary data to protect. Ensuring the competitive advantage provided by intellectual property and intimate knowledge of customer needs and business partner relationships is a cornerstone of any business plan
    o Legitimate Access Needs: data security implementers must also understand the legitimate needs for data access
  • 25.
    25 Data Security Requirements and Procedures
    ▪ Data security requirements and the procedures to meet these requirements
    o Authentication: validate that users are who they say they are
    o Authorisation: identify the right individuals and grant them the right privileges to specific, appropriate views of data
    o Access: enable these individuals and their privileges in a timely manner
    o Audit: review security actions and user activity to ensure compliance with regulations and conformance with policy and standards
  • 27.
  • 28.
    28 Data Security Management Function, Activities and Sub-Activities
  • 29.
    29 Data Security Management - Principles
    ▪ Be a responsible trustee of data about all parties. Understand and respect the privacy and confidentiality needs of all stakeholders, be they clients, patients, students, citizens, suppliers, or business partners
    ▪ Understand and comply with all pertinent regulations and guidelines
    ▪ Data-to-process and data-to-role relationship (CRUD: Create, Read, Update, Delete) matrices help map data access needs and guide the definition of data security role groups, parameters, and permissions
    ▪ Definition of data security requirements and data security policy is a collaborative effort involving IT security administrators, data stewards, internal and external audit teams, and the legal department
    ▪ Identify detailed application security requirements in the analysis phase of every systems development project
    ▪ Classify all enterprise data and information products against a simple confidentiality classification schema
    ▪ Every user account should have a password set by the user following a set of password complexity guidelines, and expiring every 45 to 60 days. (Note: current NIST SP 800-63B guidance advises against arbitrary periodic password expiry; require a change when there is evidence of compromise, and rely on length, screening against known-breached passwords and multi-factor authentication instead.)
    ▪ Create role groups; define privileges by role; and grant privileges to users by assigning them to the appropriate role group. Whenever possible, assign each user to only one role group
    ▪ Some level of management must formally request, track, and approve all initial authorisations and subsequent changes to user and group authorisations
    ▪ To avoid data integrity issues with security access information, centrally manage user identity data and group membership data
    ▪ Use relational database views to restrict access to sensitive columns and / or specific rows
    ▪ Strictly limit and carefully consider every use of shared or service user accounts
    ▪ Actively monitor data access to certain information, and take periodic snapshots of data access activity to understand trends and compare against standards criteria
    ▪ Periodically conduct objective, independent data security audits to verify regulatory compliance and standards conformance, and to analyse the effectiveness and maturity of data security policy and practice
    ▪ In an outsourced environment, be sure to clearly define the roles and responsibilities for data security and understand the chain of custody of data across organisations and roles
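    The principles above (CRUD matrices driving role-group privileges, one role group per user, views that hide sensitive columns, scrutiny of shared or service accounts, and periodic review of access activity), together with principle 4 of the Data Centric list on slide 20 (access enforced in the data layer rather than in applications), as an added Python example that is not part of the original deck. Everything in it is constructed: the tables, columns, role groups, user names, the "svc_" prefix as a convention for service accounts, and the access snapshot. The emitted statements use PostgreSQL syntax (CREATE ROLE ... NOLOGIN, column-level GRANT, a simple view), which is an assumption about the target platform.

```python
"""Added example (not from the deck): derive least-privilege database grants from a
data-to-role CRUD matrix, check role-group hygiene, and review an access snapshot
against the matrix. All tables, roles, users and activity records are constructed."""

# Constructed data-to-role CRUD matrix: data object -> role group -> permitted CRUD verbs.
CRUD_MATRIX = {
    "customer": {"sales_rep": "CRU", "finance_analyst": "R", "dq_steward": "RU"},
    "invoice": {"sales_rep": "R", "finance_analyst": "CRUD"},
}
# Columns per table; sensitive columns are hidden from role groups without clearance.
COLUMNS = {
    "customer": ["id", "name", "email", "national_id"],
    "invoice": ["id", "customer_id", "amount", "issued_on"],
}
SENSITIVE = {"customer": {"national_id"}}
# Simple confidentiality schema: role groups allowed to see sensitive columns.
CLEARED_ROLES = {"dq_steward"}
# Centrally managed role-group membership (constructed).
MEMBERSHIP = {
    "alice": ["sales_rep"],
    "bob": ["finance_analyst"],
    "carol": ["dq_steward", "sales_rep"],  # two role groups: flagged by membership_findings
    "svc_etl": ["finance_analyst"],        # "svc_" prefix = shared/service account (assumed convention)
}
CRUD_TO_SQL = {"C": "INSERT", "R": "SELECT", "U": "UPDATE", "D": "DELETE"}


def grants_for(matrix=CRUD_MATRIX):
    """Emit PostgreSQL DDL/DCL: one NOLOGIN role per role group, a redacted view per table
    with sensitive columns, and per-object privileges. Uncleared roles read through the
    view and write only to non-sensitive columns (column-level INSERT/UPDATE)."""
    stmts = []
    for role in sorted({r for perms in matrix.values() for r in perms}):
        stmts.append(f"CREATE ROLE {role} NOLOGIN;")
    for table, perms in sorted(matrix.items()):
        hidden = SENSITIVE.get(table, set())
        visible = [c for c in COLUMNS[table] if c not in hidden]
        cols = ", ".join(visible)
        if hidden:
            stmts.append(f"CREATE VIEW {table}_redacted AS SELECT {cols} FROM {table};")
        for role, verbs in sorted(perms.items()):
            restricted = bool(hidden) and role not in CLEARED_ROLES
            for verb in "CRUD":
                if verb not in verbs:
                    continue
                priv = CRUD_TO_SQL[verb]
                if restricted and verb == "R":
                    stmts.append(f"GRANT SELECT ON {table}_redacted TO {role};")
                elif restricted and verb in "CU":
                    stmts.append(f"GRANT {priv} ({cols}) ON {table} TO {role};")
                else:
                    stmts.append(f"GRANT {priv} ON {table} TO {role};")
    for user, roles in sorted(MEMBERSHIP.items()):
        for role in roles:
            stmts.append(f"GRANT {role} TO {user};")
    return stmts


def membership_findings(membership=MEMBERSHIP):
    """One role group per user wherever possible; shared/service accounts need explicit approval."""
    findings = []
    for user, roles in sorted(membership.items()):
        if len(roles) > 1:
            findings.append(f"{user}: member of {len(roles)} role groups {sorted(roles)}")
        if user.startswith("svc_"):
            findings.append(f"{user}: shared/service account, confirm approval and owner")
    return findings


def effective_verbs(user, table, matrix=CRUD_MATRIX, membership=MEMBERSHIP):
    """Union of the CRUD verbs the user's role groups hold on the table."""
    return {v for role in membership.get(user, []) for v in matrix.get(table, {}).get(role, "")}


# Constructed access-activity snapshot: (user, table, verb, touched a sensitive column?)
ACCESS_SNAPSHOT = [
    ("alice", "customer", "R", False),
    ("alice", "customer", "R", True),   # sales_rep reached national_id
    ("bob", "customer", "U", False),    # finance_analyst holds read only on customer
    ("carol", "invoice", "D", False),   # neither of carol's role groups may delete invoices
    ("svc_etl", "invoice", "C", False),
]


def audit_snapshot(snapshot=ACCESS_SNAPSHOT):
    """Compare observed activity with the matrix: flag verbs no role group grants the user,
    and sensitive-column reads by users without a cleared role group."""
    alerts = []
    for user, table, verb, sensitive in snapshot:
        if verb not in effective_verbs(user, table):
            alerts.append(f"{user} performed {CRUD_TO_SQL[verb]} on {table} without a matching CRUD entry")
        elif sensitive and not (set(MEMBERSHIP.get(user, [])) & CLEARED_ROLES):
            alerts.append(f"{user} read a sensitive column of {table} without clearance")
    return alerts


if __name__ == "__main__":
    print("\n".join(grants_for()))
    print("\n".join(membership_findings() + audit_snapshot()))
```

    Generated statements are a proposal, not an approved change: they should still pass through the formal request, tracking and approval step the principles require before being applied. Putting the redaction in a view and the column-level grants in the database, rather than in application code, is what makes the "data layer owns access" principle enforceable against any client that connects.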
  • 30.
    30 Understand Data Security Needs and Regulatory Requirements
    ▪ Distinguish between business rules and procedures and the rules imposed by application software products
    ▪ It is common for systems to have their own unique set of data security requirements over and above those required by business processes
  • 31.
    31 Business Requirements
    ▪ Implementing data security within an enterprise requires an understanding of business requirements
    ▪ The business needs of an enterprise define the degree of rigidity required for data security
    ▪ Business rules and processes define the security touch points
    ▪ Data-to-process and data-to-role relationship matrices are useful tools to map these needs and guide the definition of data security role groups, parameters, and permissions
    ▪ Identify detailed application security requirements in the analysis phase of every systems development project
  • 32.
    32 Regulatory Requirements
    ▪ Organisations must comply with a growing set of regulations
    ▪ Some regulations impose security controls on information management
  • 33.
    33 BCBS 239 & Data Management
    • The Basel Committee's attempt to close existing gaps in RDARR (Risk Data Aggregation and Risk Reporting)
    • Aimed predominantly at G-SIBs (Global Systemically Important Banks)
    • Designed to set compliance expectations for different risk types
    • Focuses on governance, infrastructure, risk data aggregation and reporting capabilities
    • Also includes supervisory review, tools and cooperation
    • The regulation is presented in the form of 14 principles, e.g. "completeness", "timeliness" and "adaptability", with which banks must comply
    • Challenges:
      • BCBS 239 is a principle-based regulation
      • Few clear predefined metrics (yet) which banks can use to monitor compliance against the regulation
      • Principles focusing on qualities such as "completeness", "timeliness", "adaptability" and "accuracy" can have different meanings, and potentially different metrics
      • Even more so when applied to different risk types (e.g. credit, market, liquidity)
    • However, this also presents an opportunity to interpret these principles in a manner that is both compliant and adds real business value
  • 34.
    34 Developing metrics for compliance against BCBS 239
  • 35.
    35 Best Practice For Defining Data Quality Indicators
    DEFINE DATA QUALITY INDICATORS (DQI) WITH THESE CHARACTERISTICS (TARMAC):
    Trackability: make sure each DQI is monitored over time to track progress
    Acceptability: make sure it is possible to define what "good" looks like for each DQI
    Relevance: make sure each DQI measures something of importance to the business
    Measurability: make sure each DQI can be measured and quantified
    Accountability/Stewardship: make sure each DQI links to the Data Governance structure
    Controllability: make sure the remedial actions for each DQI are defined
  • 36.
    36 The Impact of GDPR (Overview)
    The GDPR will increase privacy for individuals and give regulatory authorities greater powers to take action against businesses that breach the new laws. What this means is:
    • Tough penalties: fines of up to 4% of annual global turnover or €20M, whichever is greater
    • The regulation also applies to non-EU companies that process personal data of individuals in the EU
    • The international transfer of data will be governed under GDPR rules
    • The definition of "personal data" is now much broader and includes identifiers such as:
  • 37.
    37 GDPR (General Data Protection Regulation)
    Who does the GDPR apply to?
    • Controllers and Processors (of personal data). The controller says how and why personal data is processed and the processor acts on the controller's behalf. (If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.)
    • Processors: are required to maintain records of personal data and processing activities, and have significantly more legal liability if they are responsible for a breach (new for GDPR)
    • Controllers: are not relieved of obligations where a processor is involved; the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR
    Where does the GDPR apply?
    • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, regardless of those individuals' citizenship.
    • The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal/household activities.
  • 38.
    38 What can & can't DG & a CDO address?
    Can:
    • Make order from chaos
    • Drive business accountability for enterprise data
    • Keep track of data assets: where they're stored, who's got access, and how often they are cleansed and checked
    • Ensure data quality processes are established
    Can't:
    • Be solely responsible for managing data
    • Perform miracles to create "data perfection"
    • Magically fix all historic data quality issues
  • 39.
    39 Week 4 Agenda: Data Governance Capstone Project
    Projects should be conducted in groups of 4-5 students. The project should emphasize two main aspects: (i) data governance and (ii) its relationship to the DAMA pillars, especially Governance. The students are expected to deliver a project with a presentation during this week. The week is dedicated to them choosing their groups and topics, working together in groups, and receiving support from their instructor. The project requirements mainly depend on the instructor. The following are some suggested guidelines:
    ▪ A presentation should be delivered by the groups to their peers and instructor.
  • 40.
    40 Project 1: Develop Data Governance Office for Corporate (e.g. XYZ)
    ⮚ Company Description
    ⮚ Company Strategy
    ⮚ Data Governance Council/Office/..
    ⮚ Define Data Governance Roles
    ⮚ Define Data Security
    ⮚ Define Data Governance Policies
    ⮚ Define Procedures related to Policies
    ⮚ Define RACI
  • 41.
    41 Project 2: Develop Data Governance Office for Purchase department in Corporate (e.g. XYZ)
    ⮚ Department Description
    ⮚ Department Strategy
    ⮚ Define Data Governance Roles
    ⮚ Define Data Security
    ⮚ Define Data Governance Policies
    ⮚ Define Procedures related to Policies
    ⮚ Define RACI
  • 42.
    42 Project 3: Develop Data Governance Office for HR department in Corporate (e.g. XYZ)
    ⮚ Department Description
    ⮚ Department Strategy
    ⮚ Define Data Governance Roles
    ⮚ Define Data Security
    ⮚ Define Data Governance Policies
    ⮚ Define Procedures related to Policies
    ⮚ Define RACI
  • 43.
    43 Project 4: Develop Data Governance Office for Finance department in Corporate (e.g. XYZ)
    ⮚ Department Description
    ⮚ Department Strategy
    ⮚ Define Data Governance Roles
    ⮚ Define Data Security
    ⮚ Define Data Governance Policies
    ⮚ Define Procedures related to Policies
    ⮚ Define RACI
  • 44.
    44 Project 5: Develop Data Governance Office for Sales department in Corporate (e.g. XYZ)
    ⮚ Department Description
    ⮚ Department Strategy
    ⮚ Define Data Governance Roles
    ⮚ Define Data Security
    ⮚ Define Data Governance Policies
    ⮚ Define Procedures related to Policies
    ⮚ Define RACI
  • 45.
    45 Project 6: Develop Data Governance Office for Supply Chain department in Corporate (e.g. XYZ)
    ⮚ Department Description
    ⮚ Department Strategy
    ⮚ Define Data Governance Roles
    ⮚ Define Data Security
    ⮚ Define Data Governance Policies
    ⮚ Define Procedures related to Policies
    ⮚ Define RACI