A Business Understanding of Data Policies
Policies are the laws of an organization. They are not detailed rules specifying how to do things, but provide a framework of what must be done.
Data has been important for decades, and this is accelerating in the age of AI because data is the fuel that drives AI.
While a lot of heads would nod in agreement, the reality is that data is not managed as well as it should be. We can easily find examples of poor data quality, duplicate copies of data that incrementally add to storage costs, data that is not correctly understood and interpreted, personal data that is mishandled, and so on.
This is where policies around data come in. Without data policies, staff manage data only if they realize they need to, and in ad hoc ways that vary widely. Perhaps some of these practices are good, but often they are not, and many times required practices are simply absent. This is not to blame anyone; it is just the way things have evolved.
Technology is Not the Answer
But data policies are often simply not developed in many organizations, or only policies absolutely needed for compliance are.
In part this seems to be due to an expectation that the technology housing and processing data will deal with all these management needs. But humans interact with data frequently. We get to decide what data goes into computerized systems, what the data means, how it is input, how it is processed, how it needs to be secured, what we do with the outputs of these systems, how data is eventually disposed of, and many other tasks. In other words, there is a great deal of primarily human behavior around data that is only indirectly related to technology.
Perhaps these behaviors are sufficient for our private lives, but in the organizations we work for it is a different matter. All modern enterprises are highly reliant on data, and staff in one part of the organization are often reliant on data from another part. This complexity increases the need for good data management by all staff interacting with the data.
It is the human aspect that drives the need for policies. Data policies seek to improve human behaviors around data in organizations so that a reasonable level of good data management practices is reached. This cannot be done with technology because the human interactions are never going to be replaced by automation. People are always going to interact with data.
The Weakness of Centralized Data Governance
Another feature of data is that it is everywhere in every organization. This is recognized by executives who have invested resources and authority in setting up centralized Data Governance offices and the like.
But such resources do not scale to the problem. A Data Governance office will likely have a handful of full-time employees, ranging to a few dozen in a very large organization. Compare this to thousands or tens of thousands of employees in these organizations who are interacting with data, and who need guidance to avoid creating “data messes”.
What Is a Policy?
This is where data policies come in. Data Policies can drive best behaviors of staff when they interact with data. Policies are the laws of an organization. They are not detailed rules specifying how to do things, but provide a framework of what must be done. We can define a policy as:
A high-level imperative that controls business behavior. It supports one or more principles. A policy specifies what to do, but not how to do it. A policy is enforceable and enforced.
Breaking Down the Policy Definition
My definition of policy contains several key points:
1. A policy is an imperative – a command – that tells people to do something: This does not mean it is written in harsh language, but it must be followed.
2. A policy controls business behavior: That is, enterprise staff are going to have to do something to be in compliance with the policy. Automation may be involved, but the human element is primary.
3. A policy is aligned to principles: Principles are logically prior to policies. If we have a policy that does not align to any of our stated principles, then we have de facto principles that we are not articulating, but upon which the policy is based. If we have principles that are not related to any policies, then we may suspect that we are not really serious about these principles (although some principles may genuinely have no policies related to them).
4. A policy must not tell people how to do something: It cannot anticipate every situation and circumstance. Instead, it must specify what must be done and leave it up to the readers to figure out how to implement the policy. It is possible to specify courses of action, but these are practices, standards, and procedures.
5. A policy is enforceable: It is not a theoretical document that is put somewhere for people to read if they happen to be interested. It is not a set of suggestions. Moreover, there is a mechanism by which the policy can be enforced, and this mechanism is put in place before the policy is released to the enterprise.
6. A policy is enforced: That is, the mechanism that could be used for enforcement actually is used for enforcement. This point is often under-appreciated. Enforcement requires action. People who just want to write a policy and be done with it have to face up to fact that they will participate in enforcement. Enforcement does not usually mean punishment (though it sometimes may). Rather, it is detecting out of compliance conditions and then working with the areas where these are found to fix the problem. To some extent it is more like providing support – except the context is a mandatory one. Any support requires resources and the Data Governance units issuing data policies must ensure they have the necessary resources to provide support their policies.
What A Data Policy is Not
A data policy cannot be any of the following:
Educational Material: A policy does not seek to educate, that is, explain the concepts involved. Of course, data governance and data management are complex
areas and some kind of education may be required for staff to understand a data
policy. But this education must not be part of the data policy. There is nothing
imperative in education and it will confuse the reader if it is included in the policy.
Training: This too cannot be part of a data policy. It will be too much like a
procedure, and will appear to prescribe how to implement the policy.
Guidelines: These are optional advice. Policies are not optional.
Best Practices: These are lessons from outside the enterprise that have been
documented as being successful. Despite this, they are often not specific enough
for a particular organization. Some people like to try to identify them and adopt them so they do not have to do much thinking. But they are not policies.
Very confusingly, the word “policy” is used in a completely different within IT in the areas that deal with access control. Here “policy” means a low-level, specific rule for permitting access. As we have seen, policies are not detailed rules. The unfortunate result is that when IT professionals and the business discuss data policies they typically mean very different things and the conversations can be incredibly confusing.
Data Policies and the Business
Data policies seek to drive good behaviors around data in organizations where there may be very few Data Governance professionals. This does not mean businesspeople should be passive when it comes to data policies. Businesspeople can and should suggest where there are needs for data policies. These needs may not be obvious to a central Data Governance organization. Also, businesspeople should push back if a data policy is unreasonable or simply impossible to implement. Of course, this must be done only in more extreme circumstances, and not merely because a policy is inconvenient in some way. Businesspeople should also ask to be consulted and informed about proposed new data policies or changes to existing policies. In short, the business should become as engaged as possible in the management of the data policies which will ultimately influence the way the business works.
If you’d like to learn more about my background and what led me to write this publication, I invite you to click below to learn more about my journey.
