In our first column of this series, we discussed why it is in the best interest of general counsel to cultivate successful relationships with the company's chief information officer and IT staff. Not only does a collaborative approach benefit the operational efficiencies of each respective department, but in an era where data breaches top national headlines on a regular basis, a team-minded system to dealing with security and privacy issues makes these corporate governance challenges easier to handle.

When a positive interdepartmental relationship has been established, successful GCs create a culture of data responsibility, accountability and sustainability. How does a GC institutionalize good data governance so that, when bad things happen to the company, the legal department can respond appropriately, or better yet, avoid crisis events?

Proactive data governance planning is the most effective defense. The ability to control costs, timing and the nuances of any required “culture change” can place the company in a strong position to align the organization in the prioritization of data governance in advance of any crisis.

Establishing the Data Governance Committee's objectives and responsibilities

To do this successfully, the company should establish a Data Governance Committee (DGC) within the institution. The DGC's primary duty is to ensure responsibility, accountability and sustainability of data practices. The framework for effective data governance planning contemplates the personnel, technology and policies and procedures necessary to ensure the preservation, availability, security, confidentiality and usability of the company's data. Furthermore, a DGC encourages strategic thinking and the creation of opportunities surrounding the appropriate use of data within the organization.

Key steps are establishing roles and objectives for the DGC. These should be clearly articulated in the form of a governance charter and should be well understood by the key members of the DGC.

The group should focus on establishing data standards for privacy and information security, records management, employee data, trade secret and intellectual property protection, e-discovery and litigation readiness and vendor management. Such policies must include a comprehensive set of rules, policies and procedures governing the proper use and disposal of the company's data. The DGC will be the decision-makers when issues arise related to data use and the DGC will consider the appropriate level of risk allocation, assuring that insurance and contractual risk transfer in connection with data risks.

Finally, the DGC can be a powerful tool for setting the tone within the company, establishing the internal top-down support for helping to ensure that employees are properly educated and trained about responsibility related to data and institutionally appropriate practices in the collection, use and disposal of data. The DGC should also develop appropriate channels through which employees can express concern and identify potential risks.

Composition of the committee

Choosing members of the DGC is crucial in ensuring the ultimate success of the committee. Members must comprise a cross-functional team, including representatives of executive management who can appreciate the role of data in the long-term objectives of the organization.

The DGC should include members of executive management, and representatives from the IT, marketing and legal departments, as each of these departments have jurisdiction over spheres of the company that are most likely to be affected by a data governance strategy.

Through participation in the DGC, representatives can closely coordinate to accomplish the established objectives and goals of the company in the context of data governance. Each of the team members has a crucial role in ensuring their respective jurisdictions are properly represented in the data governance process.

Roles and responsibilities

The roles and responsibilities of the DGC are to:

  • Establish direct reporting to the most senior corporate governance tier of company, as there should be oversight of data governance at the highest levels of the company.
  • Evaluate and respond to internal proposals relating to the use of data and information in connection with data mining, behavioral targeting and data analysis.
  • Monitor implementation and compliance of processes, and, when appropriate, propose revisions to policies and procedures adopted by the company.
  • Provide oversight to senior management, the chief technology officer and company employees in their efforts to reinforce good business practices and maintain legal compliance.
  • Be frequently and timely informed of compliance activities, training activities, communications programs, compliance audit reports and reports of alleged violations of the company's data governance policies.
  • Conduct annual evaluations of the company's data governance practices.
  • Consult with any advisors they deem necessary to ensure that the company conducts its business activities in compliance with the law.