Executive Considerations for Data Governance with Microsoft Purview

Implementing Microsoft Purview to help govern your data is a strategic decision that requires thoughtful scoping and planning. Purview implementations look quite different from company to company, and the balance between security, usability, policy, and automation will be unique. I would like to share some important considerations that technology and business leaders need to keep in mind when determining when and how to sponsor a data governance initiative in their organization. Your reasons for undertaking the effort and what resources you must commit to it are critical to both the decision and a successful outcome.

Why Sponsor Or Support A Data Governance Project?

External Drivers

  • Compliance Regulations: Government-mandated industry compliance frameworks such as CMMC, GDPR, HIPAA, FINRA, or CJIS all have data governance requirements, most often for enforced retention and data classification policies.
  • Breach Disclosure Laws: Most countries and almost every US state have breach disclosure laws that require notification to those impacted by a breach of their personal information.
  • Cyber Insurance Requirements: More and more cyber insurance carriers are recommending customers have basic data governance controls like encryption and data loss prevention in place to help qualify for coverage.
  • Customer Requirements: Increasingly, corporate and government vendor management and purchasing teams have started asking (and sometimes requiring) their vendors to have information security and data governance controls in place in order to be awarded business. This is happening across both regulated and non-regulated industries.

Mitigate Data Risks

  • Stale and Over-Retained Data: If old, unneeded, or unvalued sensitive data is exfiltrated, it still requires a disclosure. Retention and disposal policies are often incompletely implemented, and Purview can help automate the enforcement of your policies.
  • Over-Permissioned Data: Similar to stale data, over-permissioned or over-shared data presents risks over time. Data classification controls and right-sized sharing policies can help reduce the chance that data is inappropriately accessed by accident or intentionally.
  • Unencrypted Data: Data labels can protect files and email with encryption that restricts who can access a file, even if it has been shared or sent outside the company. In some cases, exfiltrated data can even be rendered unusable to an attacker.
  • Data Loss Prevention: Data leakage can occur through simple errors or insecure business processes. Real-time scanning, labeling, and restrictions on data can stop leakage while allowing legitimate use and sharing. (The cost of one mistake can be significant.)

Modernize and Secure Collaboration Tools

  • Traditional Access Control Lists Are Not Enough: Modern collaboration tools rely on co-authoring, versioning, and sharing. This makes traditional access control lists difficult to manage, often leading to multiple, overshared copies. Protecting SharePoint, OneDrive, Exchange, and Teams content with integrated Purview labels and policies allows individual files and messages to be protected and retained, regardless of location.
  • File Server Limitations: Backing up, retaining, and auditing data use on file servers is at best onerous. Moving files to tenant services allows easier collaboration, increases visibility, and provides more protection options. 
  • Modern AI Tool Access: Copilot can only access and consider corporate data if it resides in the Microsoft 365 tenant. And speaking of AI…

Copilot and Other AI Tool Enablement and Visibility

  • Provide Certainty That Data Is Secured: Often the biggest worry that prevents widespread AI and Copilot usage is a lack of confidence that Copilot will not inadvertently expose over-permissioned information. Purview can help mitigate that risk by helping control the content that employees, and therefore Copilot, can access.
  • Dated, Redundant Data Gives Inaccurate Results: Proper retention of active data and removal of stale data increases the accuracy of Copilot responses.
  • AI Visibility: The Purview AI Hub and Copilot-specific policies help provide visibility into AI usage and can block sensitive data from being shared with external AI tools.

What Do You Need To Commit To?

Improve Data Policies and Usage Guidelines

  • Acceptable use, data classification, and retention policies that define how to use labels, how to share data, and what not to do with data need to be updated and clarified.
  • Coordinate with legal, compliance, and business process owners to ensure new policies and acceptable use guidelines align with their requirements.
  • To the extent you can, keep policies simple so they are easy to understand and follow. Complexity and usability need to be balanced.

Provide Resources and Time

  • Purview will require an “owner” with time to create and manage the data governance program along with an understanding of how the organization uses data. Adding this to an already overburdened technology group is usually not the answer.
  • Data owners and business unit teams will need to help define what sensitive data they have, how they use it, and commit to improving processes that handle data insecurely. (This is often more difficult than establishing the technical controls.)
  • Realistic expectations will need to be set. A full Purview rollout takes time to complete, and there are few shortcuts. Sensitive information policies will need to be tuned, improvements will be required as the deployment progresses, and employees will need time to be trained and brought along on the journey.

Adoption and Training

  • Data governance and Purview will impact most employees to some extent. The need for a comprehensive and thoughtful communication and training effort cannot be overstated. Business processes may also need to change, and that can also take time.
  • Find the groups in the organization that inherently see the value of data governance and start with them. Ask them to be your data governance success stories and evangelists. Human Resources, Payroll, Finance, and Legal are often more aware of risks and regulations, and therefore often look for better ways to protect their data.

Next Steps

  • A Pilot: A good way to kickstart data governance with Purview is to execute a pilot initiative to help understand the Purview toolset and make policy configurations to audit and protect common sensitive data types. Understand what is possible and how it aligns with your organization’s needs.
  • Define Success: What would a successful data governance program look like in your organization? What data is impacted? Who is impacted? How do you balance usability and governance? The answer will be unique to your organization and its culture.
  • Start to get to know more about how business units use data, what their processes are, and what you need to do to start reducing data risks.

We Can Help!

My colleagues and I help organizations with pilot efforts, Purview configurations, policy reviews, and other data governance initiatives all the time. We also have an award-winning Organization Change Management team to help lessen the fear and burden of change for end users. Let us know if we can help you get started!
