Corporate data policy and its elements

This article is part of our Mastering Data series. This series examines the digitization underway in Canada’s economy, why it’s important, the data governance issues it creates, and how to address them. It also looks at the role you can play as a CPA in guiding your organization through the transition.

READ THIS ARTICLE TO LEARN:

• what is a corporate data policy
• why a corporate data policy is necessary
• elements of a corporate data policy
• the role of CPAs in corporate data policy

What is a corporate data policy?

A corporate data policy is a set of guidelines that are developed to make sure that an organization's data and information assets are consistently managed and properly used.

Why corporate data policies are necessary

A data policy enables an organization to consistently address the broad range of potential developments and scenarios that may arise related to its creation, processing, use, and sharing of digital data. This is particularly important given the many sources and forms that data can take, the volume of data that can be generated and the varied needs of business units that require access to the data.

Some common developments that may require data policy decisions include:

• unanticipated opportunities, and/or risks that present themselves through the process of an organization’s digital transformation
• unforeseen ethics and bias issues that surface as an organization initiates use of artificial intelligence (AI)
• conflict over data requirements between different types of data specialists within the organization e.g., compliance teams demand strict data controls, while analytics teams need large amounts of data as quickly as possible
• a need to integrate new data sources

The elements of a corporate data policy

A proper governance framework in the form of a corporate data policy can help align business units and departments. This in turn supports digitization efforts in a coherent way that adds value. To do this, a data policy should answer several core questions:

• How does the organization collect and distribute the right data at the right time?
• How does the organization handle revenue opportunities to monetize data?
• How should organizations that are sharing, selling or making data accessible throughout data value chains (the process of turning raw data into something of value) deal with legalities surrounding data ownership and data copyright?
• How should personal information be treated?
• What rules should organizations follow regarding data residency (physical location of the servers housing the data)?

A comprehensive data policy that addresses these questions will include the following elements.

1. Objective

The objective of a corporate data policy is to provide clarity, so it is easier for participants to understand what is expected of them. Organizations are often tempted to begin with a data strategy, which uses digital technologies and data management to improve business outcomes. However, without clarity on expectations, a strategy is difficult to implement. Therefore, it is important to first develop corporate data policies and from that base create the strategy.

2. Scope

The policy should identify the types of data covered and the intended use:

• Will the policy apply to all data collected by all business units, including HR, or will it be limited to data that does not contain personal information such as Internet of Things devices, orders, inventory, invoices, etc.?
• Will historical and archived data be included, or will the policy apply only to data collected after a set date?
• What limitations will the organization have on the use of data, i.e., what are the guardrails for employees to pursue innovation and new opportunities?

3. Accountabilities

The policy should designate a function that is accountable for its application. In organizations with a Chief Data Officer (CDO), that role would typically be responsible for policy application. The CDO will need to collaborate with other parts of the organization for shared areas of responsibility such as privacy.

Setting clear accountabilities for a CDO function in terms of planning, execution and reporting on the policy is essential in order to adjust other policies and procedures within the organization. 

4. Data ownership/internet protocol/licensing/copyright

The policy should clarify data ownership rights and stipulate how data must be handled. This is required for organizations that are looking to share data with others or to sell data to third parties. Some options to be considered include whether to:

• tag all datasets before sharing to track data use downstream and manage risks
• assert data rights through copyright and licensing agreements
• make data available and accessible to all with no restrictions

Data sharing contracts may be referenced in the policy. Finally, integration with potential patent strategies will be required to ensure that essential data is not subverted through innovation.

5. Data collection

The policy should clearly articulate how data collection activities must be handled before secondary data use and data sharing can occur. Clear rules regarding data provenance and lineage, data attributes and metadata (information that precisely describes the features of your data), data quality, and trustworthiness need to be established. Ideally, processes for data verification and labelling should also be articulated in the policy. Lastly, the policy should articulate how statements of providence/authenticity would be generated/provided to support data that is shared/sold or otherwise distributed.

6. Data access, sharing, retention and disposal

The policy should describe how relevant datasets and data sources (commonly referred to as data streams) generated by the organization would be accessed and shared. Some organizations will want datasets to remain where they are and not be transferred to other servers. In this case, the CDO would oversee the data access policy. This would include data access rights based on user credentials which would likely be operationalized through data controllers (individuals who apply rules regarding data access including privacy). Another approach could be to transfer datasets to a new server or to the cloud, where access rights can be managed centrally.

The policy should also articulate the parameters around data retention and eventual disposal. The use of a dedicated Application Program Interface as the mechanism for data sharing could be referenced in the policy. Additionally, frameworks for metadata and business glossaries would also be included.

7. Artificial intelligence

The deployment of AI to improve efficiency and generate better outcomes will be important considerations in many organizations. The policy should outline in what circumstances AI can be used in the organization. As data is needed for teaching AI algorithms, the policy should make the appropriate linkages between data collection upstream, and data access and data analytics downstream. The data policy could describe:

• rewards and incentives for the creation of high-quality datasets in priority areas
• the organization’s perspective on ethical use of AI
• the process to be followed to ensure that the AI remains strategically aligned as it evolves through machine-learning processes or reprograming activities

8. Data residency

The policy may have to articulate limitations regarding data residency, including residency of personal information. For example, public sector organizations may be obliged to store datasets on servers located in Canada or choose cloud providers located in Canada. Additionally, there may be circumstances in which information owners (for example, customers or members) must consent to residency outside of Canada.

There may also be jurisdictional issues like tax. For example, an organization may not be registered in another jurisdiction, but its data is resident in that jurisdiction. As such, the data becomes subject to the laws, regulations, standards, rules and practices of that jurisdiction, which could impact the organization’s operations, legal accountabilities and reporting requirements.

9. Privacy

Although most organizations already comply with privacy/confidentiality regulations, many do not have supporting policies in place. If the data policy applies to data containing private information, it should articulate how the organization will adhere with relevant privacy regulations. This may include provisions for the handling of complaints from customers or users, and may also lay out specific responsibilities and procedures that apply to data on citizens of different jurisdictions.

10. Ethics

In cases where algorithms are developed, trained or deployed, the policy may set up a process to ensure that ethical considerations are being addressed. Some organizations will set up AI ethics advisory committees to ensure that no unintended biases are introduced through the development, training and use of algorithms. They would also ensure AI remains strategically aligned and relevant. Ethical data use should also extend beyond AI applications.

11. Approval and implementation

A corporate data policy is an integral part of the corporate strategic plan. It should be reviewed and approved by the organization’s CEO and board of directors. As with any corporate policy, active support from management is essential for success.

The role of CPAs in corporate data policy

The foundational skills of the CPA designation include data analysis, data interpretation for strategic decision-making, and a deep business understanding, often leading to leadership positions. CPAs who work in assurance already use robust assurance standards to perform a broad range of engagements on matters other than historical financial statements. 

These attributes, combined with a CPA’s public interest responsibilities, position you well to help design, implement and oversee a corporate data policy. Further, the vast majority of organizations in Canada are small to mid-sized, have limited resources and in many cases have not yet moved toward digitization. CPAs working in these organizations could play a vital role in helping to manage that transition.

The competencies that you embody as a CPA also provide a strong foundation to work towards the role of a Chief Data Officer (CDO). The CDO function is commonly a senior executive position responsible for the data assets of the organization, including establishing the strategy and implementing the enterprise data solutions.

A corporate data policy does not need to be a detailed document. However, development of a clear and unambiguous data policy is a must for organizations to succeed in the future and to minimize risk. The policy should enable the organization’s business objectives and enhance successful project delivery. If designed properly, it will send the right signal to the organization about the value of mastering data and the part they can play in leveraging it. 

MASTERING DATA SERIES

More information is available on the critical role CPAs can play in mastering data, including the following articles:

• Canada’s digital economy and the CPA
• Understanding the data value chain  
• Creating a digitization strategy  
• What is your data worth?