FD Insights Issue 12 | Page 21

Governance of Data

[Figure: "Data Governance / Management" diagram, surrounded by the questions: Will We Be Sued If Hacked; Legal and Business Process To Follow if Hacked; Do We Really Need To Process All Personal Information; Operational & Technical Measures For Storing Selecting Personal Information Securely; Should We Follow An “IOT” Approach; Are We Producing Reporting That The Business Can Use To Extract True Value; Should We Buy Or Sell Data; Is The Data We Collect Accurate]

The practices described in ISO/IEC 38500 are not exhaustive but provide a starting point for discussion of the responsibilities of the governing body for the governance of data. That is, the practices described are suggested guidance and not a closed or limited list.

In an environment where technology and data are essentially ubiquitous, it is unlikely that any organisation or governing body will find itself in a static position as regards the Governance of Data. Governing bodies will almost certainly be faced with assessing and weighing up risks around their data. Aspects such as “control” will need to be re-evaluated. Long-held notions of security and control over one’s on-premise environment may need to be re-evaluated when one accepts that an IT Manager can download sensitive data, delete same and walk away with all that a company holds dear.

Theo Watson, Corporate Attorney for Microsoft

3. Acquisition: The governing body should evaluate, direct and monitor acquisition of data and its use within the organisation.

4. Performance: The governing body should evaluate, direct and monitor the performance of how the data use within the organisation is meeting the needs of the business.

5. Conformance: The governing body should evaluate, direct and monitor the extent to which the data use of the organisation satisfies its external and internal obligations.

The fallout following the Ashley Madison hack provides us with a good case study.
While the company did not directly derive revenue from data, and its business was not primarily about data, data was a material asset in its business. Protecting its data (a key asset) should perhaps have been given a higher priority in light of the obvious risk around a possible hack. While only a full investigation will reveal whether Ashley Madison was in any way at fault for allowing the hack, we can nevertheless draw on the fallout