Processes and data are mirror images of one another. Processes not only consume and generate data, but are themselves a form of data and governance processes are required in order to manage data generally. Let's take a brief look at the processes of this latter type – the processes that control how data is created, used, updated, and disposed by an organisation.
First, there are the processes that govern the types of data that an organisation creates. To get a grip on these, it is necessary to build data models, then create a many-to-many map of the entities contained in these models to operational business processes. There are three types of data model:
- Conceptual Data Models that set out the key entities of interest to your business, aligned with industry-specific standards such as ISO 21549 for health informatics and ISO 55001 for asset management
- Logical Data Models that also include the characteristics of each entity, in the form of attributes
- Physical Data Models that show the locations of entities in systems and which systems hold a master for each entity (noting that more than one system may be considered to master a single entity)
Second, there are the processes that govern how data is used. These can be understood with reference to the standard Data-Information-Knowledge-Wisdom pyramid. Raw Data that may be incomplete, inconsistent, or subject to other quality issues must be converted to reliable Information in a manner aligned with ISO 8000 for Data Quality Management. Information should then be provided to senior managers as Knowledge, using Business Intelligence techniques aligned with ISO 30301. Finally, predictive analytics can be developed that convert Knowledge to Wisdom techniques and technologies based on Data Science, modelling, and simulation.
Third, it is necessary to take control of how data is updated. Business rules for data manipulation should be defined using the logic framework set out in ISO 24707. Communications both internal and external should be aligned with OAGIS 9, which includes ISO 15000-5 (better known as ebXML), ISO 20022 for payment, and industry-specific standards such as ISO 22857 for transfer of health data across borders. Master and reference data management processes must be designed and introduced, again with reference to ISO 8000.
Fourth and finally, it is necessary to bring the deletion of data under control. Retention policies and chain of custody proof should be formalised, in a manner aligned with industry-specific standards such as ISO 27789 for electronic health records. An enterprise-wide archiving infrastructure should be implemented, ideally in alignment with the open framework set out in ISO 14721. All usage of data by the organization must be made subject to information security regulations, for which there is a choice. The NIST Cybersecurity Framework as used by UK government includes useful standards such as NIST 800-30 and 800-35. The longer established ISO 27000 series includes ISO 27001 and ISO 27002 which define the what and how of information security respectively, and together provide much of what you need for GDPR compliance.
Understanding the processes above is the basis of a data strategy – and unless your organisation is very highly advanced, few of these processes will be fully automated. Managing data requires careful definition of critical human processes.
Keith Harrison-Broninski
Latest posts by Keith Harrison-Broninski (see all)
- Human Processes: Architecting processes - March 7, 2022
- Human Processes: Technical Debt Doesn’t Matter - November 1, 2021
- Human Processes: Paying Down Your Digital Debt - May 3, 2021
- Human Processes: Me, We - March 1, 2021
- Human Processes: There’s No Such Thing as Good Tech - January 4, 2021
Speak Your Mind