This isn’t about data governance; it’s about how the principles of governance (including corporate governance) apply to collecting, holding, using and generally dealing with data.
To begin, what do I mean by “data”? I’m including, here:
- Information, not just personal information – so, broader than Data Protection Act (DPA) data;
- Information in call recordings, videos and images, not just text, and including hard copy information;
- Information acquired from third parties, so not just information generated internally or provided by customers or clients;
- Internal reports and the information that goes into them and is used to produce them – and also how the reports are then used; and
- Information generated by models and the systems that interact with those – so, straying into AI and model management.
Data governance is generally focused on rules, standards, policies, processes and so forth that set out how a firm’s data is kept secure and accurate and is useable throughout the lifecycle. But that focuses on locking down the data and prescribing use and there are other points to consider. Here are some thoughts.
1 Do directors know what questions they should be asking about data? – the board’s role is to direct the company, ensuring that the business is being well run in accordance with the direction the board has set, and non-executive directors should be challenging management. My experience is that DPA breaches are reported to the board as part of the MI pack and a breach – particularly a serious one – will usually be discussed at board meetings. There might also be questions about data used in models (e.g. risk of bias; use of third-party or synthetic data) and questions about use of AI applications in the business. However, data (i.e. the scope I’ve set out above) is now so important that directors should have as much knowledge about that as they do about financial performance and operational resilience. With that knowledge, they can ask the challenging questions. Without that knowledge, they won’t know what questions to ask.
2 Senior management should understand – really understand – the models and applications in which data is used, the scope of the data used and how it’s used – this is straying into model management and AI but at least one person in the senior management team should:
- Know the data used in models and AI applications and understand the implications of that for the firm; and
- Understand, fully, the models and AI applications in which data is used by the firm and how the data is used.
If I were a director, one of my first questions would be to ask who that person is and I’d then ask them to explain to me data scope and use.
3 Data and outsourcing chains – I’ve heard of a number of cases where problems are appearing further down the outsourcing chain – with the sub-sub-outsourced service provider or the sub-sub-sub-outsourced service provider. It follows that data held further down the chain is at greater risk of misuse, disclosure, corruption and the like. What oversight, monitoring and reporting arrangements does the firm have in place to identify any weaknesses and problems and address those? How does that fit with oversight, monitoring and reporting for outsourcing and operational resilience purposes and with board oversight of operational resilience?
4 Data journeys; customer journeys – customer journeys are commonly identified by firms as part of establishing whether customers receive good outcomes. Data journeys should also be set and fed into – and compared with – customer journeys. For instance, are journeys fully aligned and does a data journey have the potential to impact the quality of a customer journey in any way?
5 Data gaps – as well as focusing on the data a firm has, it would also be worth identifying gaps in the data and how those can be filled. Duplication of data, errors and inconsistencies receive attention but I hear less about dealing with gaps in data. This can help to address bias but there’s a wider point to consider.
6 Be clear about how data must not be used – I still see far more focus on permitted data use than consideration being given to how particular forms of data mustn’t be used but that can be a useful sense-check on data use. If I were a director, it would be the other first question I’d ask about data.
7 Regulatory focus on data – a lot of regulatory attention (particularly at the Financial Conduct Authority) has traditionally been on data breaches, although use of data, model risk management and use of AI applications have moved up the regulatory agenda. However, expect regulators to look for greater levels of knowledge, and greater oversight, by senior management and boards in relation to data scope, use and security.
This note is intended to provide general information about current and expected topics and perspectives that might be of interest. It does not provide or constitute, or purport to provide or constitute, advice relevant to any particular circumstances. Legal or other professional advice relevant to any particular circumstances should always be sought.