Fatskills
Practice. Master. Repeat.
Study Guide: **Data Governance: A Practical Guide**
Source: https://www.fatskills.com/accounting/chapter/data-governance-a-practical-guide

**Data Governance: A Practical Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

Data Governance: A Practical Guide

Manage, protect, and ethically use data to drive decisions and comply with regulations.


What Is This?

Data governance is the framework of policies, processes, and standards that ensure data is accurate, secure, available, and used ethically across an organization. You’d use it today to: - Comply with laws like GDPR (EU) or CCPA (California) to avoid fines (e.g., Meta’s €1.2B GDPR penalty in 2023).
- Improve decision-making by ensuring data is trustworthy (e.g., 84% of CEOs distrust their own data, per KPMG).
- Reduce costs from poor data quality (IBM estimates bad data costs the U.S. $3.1T annually).


Why It Matters


1. Legal and Financial Survival

  • Fines: GDPR violations can cost up to 4% of global revenue (e.g., Amazon’s €746M fine in 2021).
  • Lawsuits: CCPA allows consumers to sue for $100–$750 per violation (e.g., Sephora’s $1.2M settlement in 2022).

2. Business Performance

  • Bad data = bad decisions: Gartner found that poor data quality costs organizations $12.9M/year on average.
  • Customer trust: 67% of consumers stop buying from brands that misuse their data (Cisco 2023).

3. AI and Automation

  • Garbage in, garbage out (GIGO): AI models trained on biased or low-quality data produce unreliable or harmful outputs (e.g., Amazon’s scrapped AI hiring tool that discriminated against women).
  • Regulatory scrutiny: The EU’s AI Act (2024) requires transparency in data used for AI training.


Core Concepts


1. Data Management

The lifecycle of data from creation to deletion, including: - Storage: Where data lives (databases, data lakes, cloud).
- Metadata: "Data about data" (e.g., who created it, when, and why).
- Lineage: Tracking data’s origin and transformations (e.g., "This sales report pulls from CRM → SQL → Tableau").
- Retention: How long to keep data (e.g., GDPR requires deleting personal data when no longer needed).

Key question: Who owns this data, and who can access it?

2. Data Quality

Measures how fit for purpose data is. Dimensions: | Dimension | Example Problem | Fix | |-----------------|-------------------------------|------------------------------| | Accuracy | Wrong customer address | Validate against postal APIs | | Completeness| Missing 30% of order records | Enforce required fields | | Consistency | "USA" vs. "United States" | Standardize values | | Timeliness | 2-week-old inventory data | Automate updates | | Uniqueness | Duplicate customer records | Deduplicate with fuzzy matching |

Rule of thumb: If you wouldn’t bet $100 on a decision using this data, it’s not high-quality.

3. Privacy (GDPR, CCPA)

GDPR (General Data Protection Regulation)

  • Applies to: Any organization processing EU residents’ data, regardless of location.
  • Key rights:
  • Right to access: Users can request their data (e.g., "Show me all data you have on me").
  • Right to erasure: Users can demand deletion (e.g., "Delete my account and all my data").
  • Data minimization: Only collect what you need (e.g., don’t ask for a user’s SSN if you only need their email).
  • Breach notification: Must report within 72 hours of discovery.

CCPA (California Consumer Privacy Act)

  • Applies to: Businesses with >$25M revenue or handling data of >50K California residents.
  • Key rights:
  • Opt-out of sale: Users can block companies from selling their data (e.g., "Do Not Sell My Personal Information" link).
  • Non-discrimination: Can’t deny services if users opt out.
  • Fines: Up to $7,500 per intentional violation.

Critical difference: | GDPR | CCPA | |-------------------------------|-------------------------------| | Opt-in (explicit consent) | Opt-out (assumed consent) | | Applies to any data | Applies to personal info | | Global reach | California-only (but similar laws in Virginia, Colorado, etc.) |

4. Data Ethics

Beyond legal compliance, ethics asks: Should we do this, even if we can? - Bias: Does the data reflect societal biases? (e.g., facial recognition works poorly on darker skin tones).
- Transparency: Can users understand how their data is used? (e.g., "We use your location to recommend nearby stores").
- Purpose limitation: Is the data used only for the stated purpose? (e.g., don’t use health data for targeted ads).
- Accountability: Who is responsible if something goes wrong? (e.g., assign a Data Protection Officer (DPO) for GDPR).

Example: Clearview AI scraped 30B facial images from social media without consent. Ethical? Legal? (GDPR says no; U.S. courts are split.)


How It Works: A Data Governance Framework


1. Define Roles

Role Responsibility
Data Owner Business leader accountable for data (e.g., VP of Marketing owns customer data).
Data Steward Ensures data quality and compliance (e.g., "This dataset has 95% completeness").
Data Custodian Manages technical storage/access (e.g., IT team sets up database permissions).
Data Protection Officer (DPO) Oversees GDPR/CCPA compliance (required for GDPR).

2. Map Your Data

  • Inventory: List all data assets (e.g., "Customer database," "HR records").
  • Classification: Label data by sensitivity (e.g., Public, Internal, Confidential, Restricted).
  • Flow diagrams: Visualize how data moves (e.g., "User → Website → CRM → Analytics").

Tool: Use Collibra or Alation for data cataloging.

3. Implement Controls

Control Type Example
Access Role-based access (e.g., only HR can see employee SSNs).
Encryption Encrypt data at rest (AES-256) and in transit (TLS).
Audit logs Track who accessed what (e.g., "Alice viewed Bob’s record at 2:15 PM").
Anonymization Replace PII with tokens (e.g., "User123" instead of "[email protected]").

4. Monitor and Improve

  • Data quality tools: Great Expectations, Talend (automate checks like "Is this field ever null?").
  • Privacy tools: OneTrust, TrustArc (manage consent and DSARs—Data Subject Access Requests).
  • Ethics reviews: Conduct impact assessments before launching new data projects.

Example workflow: 1. A user submits a DSAR (GDPR right to access).
2. The DPO verifies their identity.
3. The system automatically redacts third-party data (e.g., "This record includes data from Facebook").
4. The user receives a machine-readable copy (e.g., JSON) within 30 days.


Hands-On / Getting Started


Prerequisites

  • Knowledge: Basic SQL, familiarity with databases (e.g., PostgreSQL, BigQuery).
  • Tools:
  • Data quality: Great Expectations (open-source).
  • Privacy: Faker (generate synthetic data for testing).
  • GDPR/CCPA: OneTrust Free Trial.

Step 1: Audit a Dataset for Quality

Goal: Identify and fix data quality issues in a CSV file.


# Install Great Expectations
pip install great_expectations

# Initialize a project
great_expectations init

# Load a dataset (e.g., customer_data.csv)
import pandas as pd
df = pd.read_csv("customer_data.csv")

# Define expectations (e.g., "email should not be null")
from great_expectations.dataset import PandasDataset
ds = PandasDataset(df)
ds.expect_column_values_to_not_be_null(column="email")
ds.expect_column_values_to_match_regex(column="email", regex="^[^@]+@[^@]+\.[^@]+$")

# Run validation
results = ds.validate()
print(results)

Expected outcome: - A report showing pass/fail for each expectation (e.g., "10% of emails are null").
- Actionable fixes (e.g., "Add a NOT NULL constraint to the email column").

Step 2: Anonymize Data for GDPR Compliance

Goal: Replace PII (Personally Identifiable Information) with fake data.


from faker import Faker
import pandas as pd

# Load data
df = pd.read_csv("users.csv")

# Initialize Faker
fake = Faker()

# Anonymize columns
df["name"] = df["name"].apply(lambda x: fake.name())
df["email"] = df["email"].apply(lambda x: fake.email())
df["phone"] = df["phone"].apply(lambda x: fake.phone_number())

# Save anonymized data
df.to_csv("users_anonymized.csv", index=False)

Expected outcome: - A new CSV where real names/emails/phones are replaced with fake data.
- Use this for testing or analytics without violating privacy.

Step 3: Set Up a CCPA "Do Not Sell" Link

Goal: Add a CCPA-compliant opt-out link to a website.


<!-- Add this to your website's footer -->
<a href="/do-not-sell" id="ccpa-opt-out">Do Not Sell My Personal Information</a>

<!-- JavaScript to handle the request -->
<script>
  document.getElementById("ccpa-opt-out").addEventListener("click", function(e) {
e.preventDefault();
// Send request to your backend to opt the user out
fetch("/api/opt-out", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ userId: "123" })
}).then(response => {
alert("You have opted out of data sales.");
}); }); </script>

Backend (Python/Flask example):


from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/api/opt-out", methods=["POST"])
def opt_out():
user_id = request.json.get("userId")
# Store the opt-out in your database
# Example: update users set ccpa_opt_out = true where id = user_id
return jsonify({"status": "success"})

Expected outcome: - Users can opt out of data sales with one click.
- Your system logs the request and stops sharing their data with third parties.


Common Pitfalls & Mistakes


1. Assuming "We Don’t Have EU Customers" = No GDPR Compliance

  • Mistake: Ignoring GDPR because your company is U.S.-based.
  • Reality: GDPR applies if you process any EU resident’s data (e.g., a German tourist booking a U.S. hotel).
  • Fix: Audit your data for EU connections (e.g., IP addresses, payment methods).

2. Treating Data Quality as a One-Time Project

  • Mistake: Running a data cleanup once and forgetting about it.
  • Reality: Data decays at ~2% per month (e.g., 20% of customer emails go bad in a year).
  • Fix: Automate continuous monitoring (e.g., Great Expectations checks on every ETL run).

3. Overlooking "Dark Data"

  • Mistake: Focusing only on structured databases (e.g., SQL) and ignoring unstructured data (e.g., Slack messages, PDFs).
  • Reality: 80% of enterprise data is unstructured (Gartner). GDPR/CCPA apply to all personal data.
  • Fix: Use data discovery tools like Varonis or Microsoft Purview to scan for PII in files.

4. Relying on Consent as a "Get Out of Jail Free" Card

  • Mistake: Assuming "We have consent" means you can do anything with the data.
  • Reality: GDPR requires specific, informed consent (e.g., "We’ll use your data for marketing" is too vague).
  • Fix: Use granular consent options (e.g., "☑ Email newsletters ☐ SMS promotions").

5. Ignoring Data Ethics Until It’s Too Late

  • Mistake: Launching a project without an ethics review (e.g., using facial recognition for hiring).
  • Reality: Ethical failures can destroy trust (e.g., IBM pausing facial recognition sales in 2020 due to bias concerns).
  • Fix: Conduct an Ethical Impact Assessment before launching:
  • Purpose: What problem are we solving?
  • Bias: Could this discriminate against a group?
  • Transparency: Can users understand how it works?
  • Accountability: Who is responsible if it fails?


Best Practices


1. Data Management

  • Adopt a data catalog: Use Collibra or Alation to document all datasets (e.g., "This table has PII; access requires approval").
  • Automate lineage: Track data flow with Apache Atlas or OpenLineage (e.g., "This report pulls from Table A → SQL → Tableau").
  • Implement retention policies: Delete data when it’s no longer needed (e.g., "Delete customer data 7 years after last purchase").

2. Data Quality

  • Shift left: Test data quality early in the pipeline (e.g., validate CSV files before loading into a database).
  • Use SLA-based metrics: Define thresholds (e.g., "99% of orders must have a valid shipping address").
  • Assign ownership: Every dataset should have a data steward (e.g., "Alice owns the customer database").

3. Privacy

  • Minimize data collection: Only collect what you need (e.g., don’t ask for a user’s birthday if you only need their age range).
  • Pseudonymize by default: Replace PII with tokens (e.g., "User_123" instead of "[email protected]").
  • Conduct DPIAs: Data Protection Impact Assessments are required for high-risk processing (e.g., large-scale facial recognition).

4. Data Ethics

  • Bias testing: Audit datasets for bias (e.g., use IBM’s AI Fairness 360 to check for gender/racial bias).
  • Explainability: Ensure AI models are interpretable (e.g., use LIME or SHAP to explain predictions).
  • Ethics board: Create a cross-functional team (legal, engineering, product) to review high-risk projects.


Tools & Frameworks

Category Tool Use Case Cost
Data Quality Great Expectations Automate data validation (e.g., "Is this column ever null?"). Free
Talend ETL + data quality checks (e.g., deduplication). Free/Paid
Privacy OneTrust Manage GDPR/CCPA compliance (e.g., DSARs, consent tracking). Paid
TrustArc Privacy assessments and cookie consent. Paid
Data Catalog Collibra Document datasets and lineage (e.g., "This table has PII"). Paid
Alation Collaborative data catalog (e.g., "Who uses this dataset?").


ADVERTISEMENT