Dive Into Business Processes to Improve Data Governance and AI Efforts

We engage with a lot of small- to mid-sized organizations that are in different phases of planning or implementing data governance, compliance, or AI initiatives. I have noticed that there is a common circumstance that can slow down or frustrate these projects: The people tasked with getting a data governance program off the ground (often the technology team) lack a meaningful understanding of how and why the critical business processes that use confidential data actually work.

Larger organizations often have business analysts or they can bring in external help to map and document the data and processes, but small businesses almost never do. At most, there is some tribal knowledge about them, but never enough information to be able to help guide the organization through a true data governance effort that identifies sensitive data, its locations, and the processes that rely on it. As a result, the organization struggles to implement governance policies to address compliance and risks, including AI tools that can expose over-permissioned information.

Much of the time there is a cultural gap here too—whose job is it to know about these processes across the organization? This responsibility has typically not been formalized (or everyone assumes someone else is doing it).

Historically, the focus of IT teams has been on keeping systems secure, available, and performant. I am now seeing that cloud SaaS, data, and AI tools are starting to develop their own gravity and have started to pull that same IT team into needing more data and process expertise as well. The Technology group is uniquely positioned to add significant value here. They already have a global understanding of what platforms, applications, and storage locations are in use, along with responsibility for security. Working with the business units to document what sensitive data they use can be an almost natural extension of those responsibilities.

Here are some tactics that I have used in past organizations to start understanding where confidential data is used and why.

  • Leverage the tools you already have and find the low-hanging fruit to give you a place to start.
    • If you have Microsoft 365 licensing, Purview automatically indexes all the data in your tenant and identifies common sensitive data types, such as Personally Identifiable Information (PII) like social security numbers, financial information, healthcare data, etc.
    • PII exists and needs to be governed in every organization, so use your findings to follow up with the PII data owners to start documenting what they have, how they use it, and how it could be better protected.

  • Identify workgroups that are amenable to being part of an initial data governance effort. (These will often be the groups that own the PII mentioned above.)
    • Human resources, finance, payroll, or accounting teams are the usual suspects here, and are also often already worried about the data in their charge. This can make them more willing to work with you on getting processes defined and identifying what data may be at risk.

  • Find the outlier processes that are often sources of past issues or require “superhero” efforts. I have found that these same processes almost always involve confidential data as well.
    • If you don’t know what these are already, ask your service desk. (They will.) These are often critical or overly time-consuming processes that rely on specific expertise or extensive manual data manipulation. They also often lead to panicked help desk calls when something goes wrong.
    • Common examples include:
      • Regularly occurring financial processes (like payroll or month-end) that require extraordinary amounts of manual, off-hours work by particular people.
      • The “house-of-cards” spreadsheets that require constant repairs or restores.
      • Processes where large file transfer apps are used, such as payment processing, benefits enrollments, or EDI processes.

  • Schedule ride-alongs. Intentionally spend time shadowing people or processes to get detailed insight and to learn how any data governance controls or restrictions could be disruptive.
    • This has benefits beyond just sensitive data and process discovery. Ask the people doing the work what frustrations or concerns they have, what risks they see, and what keeps them up at night. You’ll be surprised what challenges people face, and you may be able to help with existing tools.

This can be a lot of work, especially as you get this initiative started. My advice is to dedicate some regular effort to this, even if it is only a few hours a week. (This activity can also help people on the IT team grow and provide some career development opportunities.) As you discover more, you will also likely find some common challenges that can be addressed using the same solution across business groups. Small, positive steps can make a big difference over time and increase the IT group’s value to the organization overall.

After completing discovery and documentation of processes for the base cases discussed above, you can rinse and repeat the methodology as you review all areas that handle sensitive information to form the overall governance policies and controls.

We Can Help!

If you’re interested in learning more, download our Microsoft Purview eGuide discussing the Four Feature Realms that Purview has to offer. If you have any questions or you’re looking for assistance with Data Governance, please reach out to info@eGroup-us.com or complete the form below.
