Why are Data Governance and Data Quality Necessary to Achieve Compliance
Introduction
The last several years have seen compliance thrust into the spotlight. Takeovers, mergers, acquisitions, stock market crashes, accounting scandals, operational failures, corporate failures, security breaches, fraud, and thefts have triggered the need for stricter governance and for the creation and enforcement of regulations that improve the accuracy, credibility, security, and privacy of corporate data, with the intent of preventing scandals, financial disasters, and data breaches. As new risks emerge, new regulations are introduced and/or existing regulations are amended, and compliance becomes more complicated.
Organizations frequently consider compliance requirements a tremendous hassle, given their complexity, the depth and breadth of information involved, and the cost of fulfilling them.
In this article, we present a brief overview of compliance and regulations, discuss the cost of non-compliance and some related statistics, and the role data quality and data governance play in achieving compliance.
Definition of Key Terms
Regulations are rules or laws created by government or authorities in order to control behaviors or the way activities are conducted.
Compliance is about following rules and regulations.
Non-compliance costs are the costs that result when a company fails to comply with rules, regulations, policies, contracts, and other legal obligations.
Data compliance is a term used to describe the practices and processes that organizations adopt to ensure data associated with regulations are organized, stored and managed such that they are guarded against loss, manipulation, corruption, theft and misuse.
Data quality is the data’s fitness for use or purpose for a given context or specific task at hand.
Data governance is a system of policies, rules, standards, processes, practices and structures, roles and responsibilities, controls, and decision rights to oversee the management of data.
Some Key Regulations
Payment Card Industry Data Security Standard (PCI-DSS): Non-compliance penalties can range from $5 to $100,000 per month depending on the company size and the scale of the violation.
Occupational Safety and Health Administration (OSHA): Fines up to $13,653 per violation. Companies can face up to $136,532 in penalties for repeated violations over 3 years.
Health Insurance Portability and Accountability Act (HIPAA): Fines up to $250,000 and 10 years of imprisonment for individuals. If it is discovered that the violation occurred due to a lack of training, the employer is penalized.
General Data Protection Regulation (GDPR):
The two tiers of GDPR fines are as follows:
The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
The more serious infringements, those that go against the very principles of the right to privacy and the right to be forgotten at the heart of the GDPR, could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Cost of Non-Compliance — A Few Statistics
“If you think compliance is expensive, try non-compliance.”
While the cost of compliance is high, the cost of non-compliance is significantly higher — nearly three times higher than the cost of compliance through implementation of data quality, governance, and compliance frameworks and solutions. Below are a few eye-watering dollar figures related to the cost of non-compliance with regulations:
Organizations lose an average of $5.87 million in revenue due to a single non-compliance event.
The average cost of non-compliance has risen more than 45% in 10 years.
The total cost of non-compliance is more than $14 million and constitutes the following cost components:
Fines, penalties, and other fees
Business disruption
Revenue loss
Productivity loss
Reputation damage
According to a 2021 IBM report, lost business due to downtime or diminished reputation accounts for 38% of the overall cost of a breach.
In 2020 alone, banks were fined $14.2 billion for non-compliance, with the United States accounting for 78% of issued fines.
The average cost of a data breach among organizations surveyed reached $4.24 million per incident in 2021, the highest in 17 years. (IBM)
In 2021, the average breach cost for healthcare organizations increased by 29.5% to $9.32 million.
In 2022, Epic Games, Inc. was fined $275M by the Federal Trade Commission (FTC) for violating children’s privacy laws and altering default privacy settings.
Is Compliance the Biggest Driver of Data Governance?
As per “The 2018 State of Data Governance Report” conducted by erwin, 60% of the respondents indicated the need to comply with regulatory mandates as the topmost driver for data governance.
I ran a 7-day poll in the TDWI: Analytics and Data Management Discussion Group, a data-focused group on LinkedIn with close to 80,000 data quality and data governance practitioners and advocates across the globe, with the very same question, and the responses are as shown in the screenshot below.
The poll closed at 130 votes from data quality, data governance, and BI professionals, and details are as follows:
52% chose the option—“Yes”, that is, compliance is the biggest driver of data governance;
45% chose the option—“No”, that is, compliance is not the biggest driver of data governance;
A tiny percentage (4%) chose the “Other (please comment)” option.
The percentage of respondents who chose “compliance is the biggest driver of data governance” is slightly greater (that is, 7% greater) than the percentage who chose “compliance is not the biggest driver of data governance”.
This is understandable, as there are several other business drivers and use cases of data governance, such as better decision making, data security, data privacy, data analytics, big data, improving operational efficiency, revenue growth, reputation management, improving customer satisfaction, mergers and acquisitions (M&A), partnering and outsourcing, and improving data quality.
Why are Data Governance and Data Quality Needed for Compliance?
Compliance with regulations requires good quality data, and in order to have good quality data you need the data to be effectively governed; that is, you need effective data governance. In fact, the early drivers of data governance originated as mandates from the compliance, legal, risk, and audit departments within organizations.
While data has always been important, regulations such as, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) have challenged organizations to improve their data quality and to create controls and formal accountability for data.
Compliance requires the ability to locate and understand the data associated with each regulation. Organizations also need to be able to produce the right data at the required level of granularity at the right time. The data also need to be of high quality; that is, accurate, consistent, valid, and complete.
The ability to trace data present in a report back to its sources is becoming a regulatory requirement, especially for regulatory reporting. This is known as data lineage or traceability and is one of the dimensions of data quality.
Knowing where your compliance-related data resides is the first step towards achieving compliance, and is often the biggest challenge too. This is because most organizations are by nature data hoarders and compliance-related data is generally stored in a myriad of different locations, systems, data stores, and formats in organizations. In short, compliance-related data is often scattered all over the place.
Unless a business knows where the related data are stored in the organization, it is not possible to provision the data in regulatory reports, prevent unauthorized access, ensure data security and privacy, or guarantee that the data are fit for purpose. The reporting entities must be able to demonstrate how each value in a report is generated, including its calculation, transformation details, its lineage, and its source data. Each data item in a regulatory report must be credited to a data owner and a data steward, who should be able to prove that it is of high quality. Organizations should also have the knowledge, capability, and documentation to trace the data item back to an authoritative source.
Data governance results in data stewardship roles being established. Data stewards who are subject matter experts (SMEs) are responsible for specific data sets. Data stewards understand the business meaning of the data, and the purposes for which the data are used. They can locate the data needed for compliance purposes with the help of data discovery software.
Data governance also results in the establishment of standards around data elements and data entities across the enterprise. It ensures that metadata and data lineage information are kept up to date, which in turn assists the data discovery process. Data governance also results in the creation of processes for resolving data quality issues and ensuring data is of high quality.
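As an added illustration (not code from the article or the books it cites), the following Python sketch shows what the traceability described above looks like in practice: every accepted row behind one report figure is recorded with its system and row identifier, rejected rows carry the data quality reason (completeness and validity checks), and the item names its data owner and data steward. The system names, roles, rules and sample rows are constructed assumptions.

```python
"""Added example: a minimal lineage-and-quality record for one regulatory report value.
System names, roles, quality rules and sample rows are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed source records: two billing systems feeding one report figure.
SOURCE_ROWS = [
    {"system": "billing_eu", "row_id": 101, "customer_id": "C-1", "amount_eur": 120.00},
    {"system": "billing_eu", "row_id": 102, "customer_id": "C-2", "amount_eur": 80.00},
    {"system": "billing_us", "row_id": 7, "customer_id": "C-3", "amount_eur": None},  # incomplete
    {"system": "billing_us", "row_id": 8, "customer_id": "", "amount_eur": -5.00},    # invalid
]


@dataclass
class LineageRecord:
    """Everything a regulator could ask about one report item: who owns it,
    who stewards it, how it was calculated, and exactly which rows fed it."""
    report_item: str
    owner: str
    steward: str
    calculation: str
    sources: list = field(default_factory=list)   # (system, row_id) pairs used
    rejected: list = field(default_factory=list)  # (system, row_id, reason) pairs excluded
    value: float = 0.0


def quality_issues(row: dict) -> list:
    """Completeness and validity checks for a single source row (constructed rules)."""
    issues = []
    if row["amount_eur"] is None:
        issues.append("incomplete: amount missing")
    elif row["amount_eur"] < 0:
        issues.append("invalid: negative amount")
    if not row["customer_id"]:
        issues.append("incomplete: customer_id missing")
    return issues


def build_report_item(rows: list) -> LineageRecord:
    """Aggregate accepted rows into one report value while recording its lineage."""
    rec = LineageRecord(report_item="total_revenue_eur", owner="CFO",
                        steward="finance-data-steward",
                        calculation="sum(amount_eur) over accepted rows")
    for row in rows:
        issues = quality_issues(row)
        if issues:  # excluded rows stay traceable, with the reason, for the audit trail
            rec.rejected.append((row["system"], row["row_id"], "; ".join(issues)))
            continue
        rec.sources.append((row["system"], row["row_id"]))
        rec.value += row["amount_eur"]
    return rec
```

Running `build_report_item(SOURCE_ROWS)` yields a value of 200.0 backed by two accepted rows and two rejected rows, each with its reason; the steward can answer "where did this number come from?" from the record alone.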
Concluding Thoughts
The regulatory landscape varies by industry sector, market, country, and geography, and it is extremely dynamic and constantly evolving.
Data governance and data quality are important elements for success with compliance. While data governance and data quality are not only about compliance, with good data governance and good quality data, organizations should be able to achieve compliance with respect to data.
There are also other drivers of data governance, such as, but not limited to, data security, data privacy, data analytics, improving operational efficiency, revenue growth, reputation management, improving customer satisfaction, and mergers and acquisitions (M&A).
Ultimately, whatever the business driver, data governance should deliver business value. If data governance is not delivering business value, then the organization is not doing it correctly.
Good governance must balance security, accessibility, productivity, and enablement, as well as ensure that processes are streamlined to minimize accessibility cycle times. This will ensure that an organization’s data governance implementation is least disruptive.
Data governance is a journey that involves a significant amount of effort, time, investment, and cultural change, and these must be taken into consideration to achieve and sustain its success.
This article is a modified version of the article — Compliance, data, quality, and governance, published in EDPACS in March 2022, and draws significantly from the research presented in the books — Data Quality: Dimensions, Measurement, Strategy, Management and Governance, Data Governance and Compliance: Evolving to Our Current High Stakes Environment, and Data Governance Success: Growing and Sustaining Data Governance.
Thank you for reading! Take care!
Please do let me know whether this article was helpful, and what more you would like to read with respect to compliance, data quality, and governance. Please leave a comment here or connect on LinkedIn.
Biography: Rupa Mahanti is a consultant, researcher, speaker, data enthusiast, and author of several books on data (data quality, data governance, and data analytics). You can connect with Rupa on LinkedIn or Research Gate (Research Gate has most of her published work, some of which can be downloaded for free) or Medium.