Creating an enabling culture which protects data yet drives business processes is a challenge. At a recent DataIQ Breakfast Briefing, sponsored by Experian QAS, the experience of Yorkshire Building Society provided a good benchmark, as David Reed reports.
With financial services facing a wide range of regulations to comply with - from the Data Protection Act and PCI DSS through sector-specific legislation - there are often many different compliance projects on the go at once. Speaking earlier this year at the DataIQ Breakfast Briefing on “Achieving data excellence in financial services”, sponsored by Experian QAS, Broadbent argued that building a culture of governance allows the business to embrace them all.
There is certainly no shortage of stimulus to get data management operating to the right set of rules. As Sue Gold, partner at law firm Osborne Clarke, which hosted the event, pointed out: “There is an increasing level of regulatory enforcement and concerns - and not just for financial services. There is a real need for a balance between the rights of the individual and the legal requirements of the business.”
She provided an overview of the proposals contained in the Data Protection Regulation which is making its way through the legislative process in Brussels. From consent to data protection officers, it seems likely to introduce considerable changes to existing practices. While many data practitioners have been hoping that lobbying would lead to a dilution of the proposals, Gold noted that the first report by one of the key committees considering the new law actually tightened them.
Much of what is being proposed is an unknown quantity, like the need for privacy impact assessments. “You will need to seek the views of data subjects. How would you do that?” asked Gold.
Janani Dumbleton, senior consultant, data governance and strategy at Experian QAS, noted that “good data governance and good data management practices you can start adopting now so when all the scary stuff comes in, you have got something to work with.” That way the business can be ready for the new requirements, having already assessed its data quality and adequacy, for example.
She outlined a suite of processes which organisations can adopt to get them up to speed by documenting what data is being captured, where it resides, who has responsibility and ownership, as well as where that data is being put to work. Data governance documents these aspects of data management in the business and that documentation is likely to be a major part of proving compliance under the new regime.
“Once you’ve monitored a process, how do you monitor it for data breaches? A regular data audit is important, but it shouldn’t be a chore for people. Put something in place that allows you to measure whether you are in breach or not,” recommended Janani.
When Broadbent joined Yorkshire Building Society, the company had nothing like that in place. An enthusiastic champion of data governance, she warned against getting carried away at the outset. “When I went into YBS, I saw it as a blank canvas and I had grand plans, but they had never done anything like this before, so they were really scared. You need to go on a journey with them,” she said.
The building society had grown through mergers and acquisitions, taking over Barnsley, Chelsea, N&P Building Societies as well as the Egg brand. Each of these had their own marketing databases and sources which required spot fixes by the data management team. The need to integrate and update this infrastructure created the space in which she was able to make a compelling case for data governance.
“We have formalised it to enable effective data management practices to ensure the organisation values the data as an asset, trusts the data to make decisions on, and to ensure the customer trusts us with their data,” she said.
The core components of the new governance approach are a suite of policies, meta data management, data quality, master data, information lifecycle management and stewardship. “Data stewardship in my mind is the most important part of data governance,” said Broadbent.
“Without the commitment of the organisation, it is tough to get where you want to be. Our model is to have senior leaders who are data owners - general managers who know they are accountable and have each nominated somebody to act as the day-to-day point of contact. Those data guardians sit on the data forum, while the leaders sit in the DG council,“ she added.
That council meets quarterly with leaders from 21 key business functions, including human resources, finance, credit risk as well as technical teams, while the forum has 25 members and bi-weekly meets. To spread the message, Broadbent’s team also holds walk-in sessions and open days.
Documentation is a core part of the initiative. Says Broadbent: “We’re currently working on a data stewardship guide that looks at the roles and responsibilities across the board, for example, the DPA, PCI DSS - everything that relates to data we are putting into the pack to make them aware of the processes and projects. It is one piece of guidance for everyone, rather than each function coming up with their own.”
Policies have similarly been accompanied with guidelines to make them clear in practical terms to everybody. A more complex piece of documentation has been the data dictionary which categories all of the data items in use and their definitions. This is published on the intranet for all staff to be able to access.
Agreeing on these definitions is by no means an easy task, warns Broadbent. “If we have a loan to value percentage, how is that calculated? There are five in our business which are all different and nobody knows why. One uses balance at the end of the month, another the balance at the end of the day. Do we need five different ones?” she asks.
Financial services face very stringent rules about data deduplication which imposes a very high standard for data quality. Accounts must not be merged unless the business is 100 per cent certain they belong to a unique individual, for example, and all deposit taking bodies have to file a return on their single customer view to the financial authorities.
“SCV is tricky when you have had lots of mergers and not all of your databases talk to each other. Do you have the confidence to merge the data or are you scared to deduplicate because of the risk?” she says.
Challenges like this are one reason why many organisations resist undertaking data governance and the creation of an enterprise-wide culture. There will also be individuals who resist and it takes the enthusiasm and drive of a data governance champion to keep the initiative moving.
Maintain that energy and the outcome should be genuinely enabling for the business, however. Broadbent’s recommendation is to, “shout about it. Data governance is 50 per cent about managing the work and 50 per cent evangelising. You have to be talking about it all the time so people know where to go for help.”