Guidelines on the Corporate Governance of Data

Purpose

The GNDI Guidelines on the Corporate Governance of Data, or national guidelines issued by the respective GNDI member based on them, provide the Board of Directors (BoD) with guidance as how to

• balance safeguarding legal and ethical data compliance while capturing competitive opportunities from data (i.e. strategic, operational, commercial, social, etc.)
• improve governance effectiveness and efficiency by making use of data-driven governance approaches

Scope

The guidelines cover all data-related strategic, commercial, and operational activities of the company, in particular related to data, datafication and data-driven governance as well as operating and business model as defined in the Glossary.

Development

The development and application of the guidelines follow a set of principles:

• The guidelines are developed in a collaborative effort involving national GNDI member organizations to ensure adequate incorporation of different national requirements
• Given the ongoing development of data-driven technologies, the guidelines will be reviewed and updated in a timely manner by the GNDI policy committee

Core Principles

Part I: Providing Strategic Direction for Data Governance

Data strategy: In line with the roles and responsibilities defined, the BoD leads and supports the management in developing a comprehensive

• data business strategy and
• data resilience strategy (incl. compliance, risk, and crisis approach)

that define the company’s approach to

• data asset management (incl. valuation and intellectual property (IP) approach)
• data technology management
• data partnership management

based on the following data principles:

• data safety and security
• data value and veracity
• data usability and compatibility
• data integrity and sustainability

The strategies, policies, and tools proposed must be fit for the organization and shall take into account the organization’s and other stakeholders’ interests

For that purpose, the BoD may consider tasking an existing committee with data-related direction and control, set up a dedicated committee, initiate an advisory board, or, in the case of SMEs, appoint a member of the BoD with experience and successful track record in the field of data governance to ensure sufficient attention and expertise. The dedicated person or committee shall work closely with relevant subject matter experts and the management team

Data strategy integration: The BoD ensures that relevant data considerations are fully integrated into other strategies, in particular into the

• Market-oriented strategies: e.g. marketing & sales, research & development
• Operations-oriented strategies: e.g. manufacturing, procurement, logistics
• Resource-oriented strategies: e.g. finance, HR, technology/IT, legal
• Ecosystem-oriented strategies: e.g. partnerships, alliances, M&A

Part II: Providing Oversight of Data Governance

Data strategy execution: The BoD ensures that the data strategy is developed and implemented by the senior management as per plan and target by monitoring its implementation progress and measuring its impact, including benchmarking performance with that of comparable organizations

Legal data compliance: The BoD ensures that the company is fully compliant with all data regulations applicable where ever the company operates and data is stored (e.g. in cloud computing) and has the respective corporate policies and corresponding training programs in place, in particular related to relevant

• data protection laws, industry standards, and recommendations
• privacy laws, industry standards, and recommendations
• cyber security laws, industry standards, and recommendations
• intellectual property laws, industry standards, and recommendations

Ethical data compliance: The BoD ensures ethical compliance and understanding of the societal implications of its data-related business practices, in particular related to

• data-driven technologies, such as artificial intelligence
• data handling, such as data storage, leakage, veracity, or sharing
• data use, such as in research, sales and marketing, and human resource management

Data reporting: The BoD understands the value of intangible data assets as well as possible risks and liabilities from the use of data and ensures meaningful reporting in line with respective accounting rules and reporting standards

Part III: Promoting the Culture for Data Governance

Data-driven governance: The BoD promotes the concept of data-driven governance by utilizing data technologies to improve transparency, effectiveness, and efficiency of board decisions in a responsible manner

Data awareness, mindset, and capability building: The BoD ensures that the organization develops awareness for data-related matters, a mindset for data-driven decision-making and data handling capabilities across all levels of the organization by ensuring adequate representation of experts in the relevant bodies, incorporation of data-related capabilities in competence framework and provision of training and development programs in particular in

• data methodologies
• data technologies
• data resilience management (incl. compliance and risk management)
• data ethics

Part IV: Adapting Data Governance to the Context

Contextual adaptation: The BoD ensures that corporate data governance policies are adapted to local requirements and sectoral contexts (if the company operates in multiple markets and industries)

Regular updates: The BoD ensures that data governance policies are regularly reviewed and adapted to take into account the latest technological, competitive, and regulatory developments

Application

The GNDI Guidelines on Corporate Governance of Data approved by the GNDI Executive Committee are effective November 1, 2018. The latest version can be found at gndi.org. The guidelines provide a global cross-sectoral perspective and serve as a basis for adaptation based on industry, organization type, and jurisdiction

Appendix I: Glossary

Artificial intelligence: The simulation of human intelligence processes by machines, especially computer systems. These processes include learning, reasoning, and speech and image recognition.

Board of Directors (BoD): The BoD is a group of individuals, appointed or/and elected by shareholders and mandated to direct and control the company, establish policies for corporate management, oversee the executive management, and to make decisions on major company issues.

Data: The representation of facts, such as text, numbers, graphics, images, sound, or video.

Data-driven business model: Commercialization of data-driven offerings.

Data-driven governance: Usage of data and analytics/artificial intelligence to improve the effectiveness and efficiency of corporate governance.

Data-driven operating model: Usage of data to improve, run and safeguard operations.

Datafication: Process of moving from a product- and process-oriented to a data-driven business approach.

Digital transformation: The pro-active change of business and organizational activities, processes, competencies and models fully leveraging the changes and opportunities of relevant digital technologies.

Digitalization: Process of moving from an analog to a digital business approach.

Intellectual property (IP): IP refers to the protection of creations of the mind, including brand names, inventions, designs, or software.

Machine learning: Machine learning is a subset of artificial intelligence that often uses statistical techniques to give computers the ability to learn with data, without being explicitly programmed.

Appendix II: Practical Guide

How to get data governance on your BoD’s agenda?

1. Create awareness for the governance of data and establish shared language between BoD and top management
2. Identify and discuss key data topics relevant to your company in a joint effort by the BoD and top management
3. Identify the need to adjust or introduce new data-related corporate policies
4. Ask top management to come up with a datafication roadmap
5. Discuss and approve datafication roadmap
6. Task top management to implement datafication roadmap, monitor its implementation and provide regular updates
7. Assess progress and need for adjustments to datafication roadmap on a regular basis