Not all responsibilities for data and its management fall under the role of Chief Data Officer (CDO). Different data types require different accountability and different roles (CISO, DPO).
Experience has shown that the Chief Data Officer (CDO) is not accountable for some forms of data. For example, the CDO is not accountable for sensitive data, whether personal or not. Many organizations instead give their CDOs responsibility for managing the organization’s enterprise data management functions.
The Data Protection Officer (DPO), or equivalent, is accountable for sensitive personal data. This may be required by regulatory provisions, as in the European Community, or be found valuable by a company or a Supervisory Authority, as in the US. For a Public Authority, privacy protection is an issue that requires regulatory provisions. Technical and organizational measures, including the designation of the DPO, contribute to mitigating the risks to individuals’ rights and freedoms.
The CISO or equivalent is accountable for sensitive non-personal data. This is not required by the regulations but is a best practice for information security.
So, what is the CDO’s accountability scope, and how does the CDO operate in a collaborative framework?
Non-sensitive Data: Value Measurement and Accountability
The CDO role is exercised on non-sensitive data. It can be either an enterprise role or a business-function role. Within its scope, the CDO must therefore contribute to enhancing the data asset by breaking down the barriers between company organizational units (services and departments). Through this process, the CDO develops shared capabilities (including knowledge) on the role’s scope.
Thus, the CDO is accountable for shared data, that is, data that is used by different organizational units, serves different business processes, is shared by several applications, etc. This challenge of breaking down silos must also result in the pooling of intelligence and human skills to innovate, create value, or improve productivity using data and information as assets.
The data under CDO accountability is the shared data, whatever the format, the storage medium, the data producer, the data consumer, or the scope of use (internal or public). This would include:
- All reference data, including master data (customer, product, organization, employee, etc.), constitutive data (addresses, bank details, payment terms, etc.), parameter data, including tables of values (customer segments, cost elements, etc.) and nomenclatures (postal codes, currencies, professions and socio-professional categories, NAF, etc.)
- All shared transactional data, that is, those produced by the company’s cross-functional processes (Billing, Compensation, Ordering, etc.)
- All external data (web, social networks, IoT, Open Data, etc.), shared by nature
- All analytical data (Sales, Marketing, Finance, Risk, etc. indicators, reporting, and analysis)
Data governance is a major function of data management and the CDO usually has overall authority in the development and implementation of data governance processes.
Data shared on a smaller scale within the company (within a subdivision of a business function), or not shared at all, are intended to fall under the business’s own accountability. Such data could still benefit from a shared framework supported by the CDO, depending on the interest the business perceives in their use and sharing within that scope.
Also, non-sensitive data may be used internally or publicly. Non-sensitive data can be managed through their attachment to local and vertical processes.
Accountability Architecture: Data Management and Data Governance
Within the company, accountability for data is as much a matter of regulatory compliance as of security, knowledge management, or data value measurement. The accountable roles for data can be identified following the pattern below:
Data classification is one of the first projects a company must undertake to engage its data management plan. Doing this enables the organization to clarify the issues faced by each group of data and to adapt the technical, organizational, and economic resources allocated.
Data asset elements face different security, protection, sharing, and/or usage issues. Data classification allows the data management team to organize these data assets into groups and to distinguish, in particular, the following:
Sensitive personal data exposes the data subjects to risks concerning their right to privacy and can create accountability issues for the organization. Processing of sensitive data is based on regulations that may require companies to assign management and governance responsibilities, along with other responsibilities. Where these provisions are not required, the company itself may still be interested in doing so. These actions and decisions are often the responsibility of a Data Protection Officer role or Chief Privacy Officer role.
Sensitive non-personal data (company or partner data) exposes the parties concerned to risks to their image, position, contracts, or finances. The processing of this class of data is done under regulations that require the company to put in place appropriate security measures. The technical and organizational means to ensure this security are always left to the discretion of those parties. Within the company, they are the preserve of a Chief Information Security Officer role.
Shared data, whether internal or public, are subject to usage issues. Usage may be governed by regulation (risk reporting in the banking or insurance industries, accounting reporting for listed companies, etc.). Sharing is not governed by any regulation but rather by internal rules. This may be organized around a Chief Data Officer role, at either the enterprise or departmental level.