  • davidroberts137

Big gaps in data governance

Updated: Dec 11, 2023

In a recent report on Data Governance by the Governance Institute of Australia there were some concerning findings, such as:

- Nearly 60% of boards do not have an understanding of the organisation’s current data governance challenges

- More than half of organisations do not have a data governance framework, mostly due to lack of capacity or resources

- A third of organisations don't have data governance on the risk register

- There are many different ways data governance is managed and governed, with responsibilities differing widely

The recent IAPP Summit A&NZ discussed the recent data breaches and upcoming changes to the Australian privacy laws. The advice to organisations was simple:

1. Start preparing for the new privacy laws now.

2. Make sure you know what data you have; you can't protect what you don't know you have!

While there is lots more to do to protect Australians' personal information, we are seeing more organisations improve their data governance, typically with a few key activities:

  • a data discovery exercise identifying personal information (as defined by the privacy laws in the jurisdictions in which they operate).

  • a risk assessment based on the data they find and a mitigation/remediation plan.

  • developing or refining data policies that cover collection, usage, storage and deletion.

  • implementing processes and tools to ensure that these policies are being adopted.

  • enhancing organisational accountabilities, including data stewards and cross-business data governance forums.

As organisations mature, they are taking a risk-based approach to data governance, where they look at ways to mitigate both the likelihood and impact of a data breach when (not if) it happens! The aim is to make the organisation a less attractive target for cyber criminals because of what is held, and to minimise the harm a breach causes to individuals.

This type of risk mitigation can be done in many ways, including:

  • Reducing the data collected through policy and implementing privacy by design principles in new initiatives and system changes.

  • Utilising digital identity providers to eliminate or reduce the need to hold copies of ID documents such as passports and drivers' licences.

  • Automating deletion of data after retention periods.

  • Minimising the number of systems in which data is held and avoiding making copies for analytics purposes.

  • Introducing access management to limit access to data to only those who really need it.

Overall, there is lots to do and it's good to see Australian organisations starting to make some initial progress in this important area.
