Data Governance vs Data Privacy vs Information Security?

Here at DPI Consulting we are engaged in a lot of data governance work, and there is one question that comes up, without fail, on every single project.

What is data governance and how is it different from data privacy/protection and information security? 

So, I thought it would be beneficial to get my point of view written down!

These areas are all different but very much related. For starters, they are all risk management activities, but they have very different goals.

What is Information Security?

Information security is about managing the risks associated with data loss and corruption; its goal is to keep information (and thus data) secure. That means:

  • Retained within the system, application or organisation that owns it

  • Intact or in the format it is intended to be 

  • Accessible to those who have a genuine business need to use the information. 

Information security best practice has an international standard, ISO 27001, which most businesses adopt or measure themselves against. Within this context you’ll often hear people talk about the CIA triad (Confidentiality, Integrity and Availability of information), which is really just a one-word summary of each of the three bullet points above.

Data Protection or Privacy

Whether you’re thinking about data privacy or data protection, this area is about managing the risks associated with personal and sensitive personal information as defined by the applicable data protection legislation in your country or operating markets (GDPR in Europe and the UK). Its goal is to ensure a business is compliant with the laws of the land and does the right things with any personal data it collects, stores and uses.

Obviously the applicable standards here are set by the data protection legislation; examples within UK GDPR include:

  • Ensuring that the organisation is registered with the Information Commissioner or ICO if required to do so

  • Appointing a Data Protection Officer who is accountable for data protection matters across the organisation

  • Providing privacy notices to customers/prospects and ensuring data is only used for notified purposes

  • Ensuring that you can respond to Data Subject Access Requests (DSAR) and Right To Be Forgotten (RTBF) requests appropriately and within the required timeframes

This list could go on but I am sure you get the idea. 

So, what’s Data Governance?

Data governance is about managing the risk of using poor quality data within your business. This might be providing inaccurate data to investors or regulators, or making sub-optimal or incorrect decisions within the business operations. Its goal is to create trust in data such that the business has access to data it understands, that reconciles, that is well defined and kept up to date and can therefore be easily used without having to check and double check if it's correct.

This may sound obvious, but how many times have you sat in a meeting where the first part of the meeting is spent discussing the data itself: what it represents, whether it is accurate and why it is different from a similar set of numbers seen in another meeting? I am sure that most people will have seen and been frustrated by this. At best it's a driver of inefficiency; at worst it's an accident waiting to happen.

Data governance is therefore concerned with things like:

  • Who owns data and can make decisions about how to define it

  • Where is data defined and how are these definitions made available to colleagues

  • How is data quality checked and what happens when issues are discovered

As this blog is about establishing the differences between the three areas I won’t get into more detail here about what data governance is - that’s a blog topic in itself. 

I do however want to consider how the three areas complement each other and their respective goals. This is perhaps easiest if we consider some extreme scenarios:

  • If data is not defined and documented (data governance), how do you know where the personal data is that needs to be managed in line with data protection policies?

  • If data is locked down or secured (information security) to such an extent that people cannot access the data they need, how will the business operate and how will value be delivered from the data?

  • Similarly, how does the information security team know who to grant access to and who not? This is one of the roles of data governance: providing the business requirements for data access.

  • On the flip side, if there were no access control (information security) and people had access to everything, how could you expect to keep personal data confidential or ensure people used the right data in their business activities?

In conclusion, there are both similarities and differences between data governance, data protection and information security, and whilst they all have their own goals, I would suggest that a business needs all three capabilities in order to be really effective.

I will explore data governance in more detail in a follow-up blog, but hopefully this has helped to clarify the purpose and goals of each discipline and how they need to work together. If you’d like to discuss this further, why not book a call with me?

Edward Wynn

January 2022
