Paying your data due diligence

Two major stories emerged over the last few weeks that throw a spotlight on the importance due diligence in data. What I mean by this is actually having proper systems of control and governance over data in your organisation rather than simply paying lip service to it.

The first is the $400 million fine levied on CitiGroup for Data Governance failures by the Federal Reserve and the Dept of Treasury. The second is the recently released audit report by the UK’s ICO into the British Department for Education (which resulted in no penalties). Two different industries and in two different jurisdictions made the news for data governance failings. But then we look behind the findings at the root causes (doing our due diligence) we see a strong degree of overlap in the underlying issues.

CitiGroup Fine

CitiGroup were fined $400 million for a range of data governance failings. To put it simply, CitiGroup has evolved and expanded over the years through merger and acquisitions. This has resulted in a series of disparate data structures for different product lines and lines of business, each of which defines customer slightly differently and tracks and links customer data using different identifiers.

For several years, the Bank has failed to implement and maintain an enterprise wide risk management and compliance risk management program, internal controls, or a data
governance program commensurate with the Bank’s size, complexity, and risk profile.

Among the features missing from CitiGroup’s risk management and compliance risk management programs, controls, or data governance program were:

• A failure to establish risk governance frameworks
• A failure to embed governance and risk management  at the front-line
• A failure of their compensation and rewards system to incentivise risk management (i.e. to not reward risk taking)
• No plan to address data governance deficiencies, including data quality problems
• Inadequate reporting to the Board on data quality issues and progress to remediate those issues (an “out of sight, out of mind” deficiency).

Remediation means baking in Due Diligence

The remedial actions that CitiGroup have been ordered to undertake are, in and of themselves, significant (120 days to produce accurate and reliable data quality reporting for the Board for example, and similar changes to compensation and benefits schemes to bake in risk management objectives…). The key areas of focus explicitly include Compliance Risk Management, in addition to the ‘traditional’ areas of capital planning and liquidity risk management. In addition, CitiGroup will, as part of due diligence on mergers and acquisitions, need to seek approval from the Office of the Comptroller of Currency for any “significant acquisitions”.

Simply put: Data Governance is now a critical strategic level priority for CitiGroup because, unless they make meaningful improvements, there will be direct consequences for the leadership. CitiGroup has a tight timescale to put in place the meaningful data culture changes and supporting structures and systems to be able to demonstrate the effective operation of organisational and technical controls over data, its quality, its reliability, and its governance as an asset. Whatever systems and processes were in place have failed due diligence.

The root cause for this: a combination of factors probably contribute to this state of affairs for CitiGroup, factors which are present in many organisations that are struggling with data strategy and data governance issues.

1. Management literacy around data (what it is, what it means, how it ‘works’) means that decisions are often made to do things without considering the data aspects. We’ve seen this with clients through the years where a grand strategic plan has been developed but there is a black box called “DATA STUFF” on the roadmap that hasn’t been explored. This isn’t management’s fault. These skills are not traditionally taught and there remains a bias in many organisations that “data” is a technology discipline (this isn’t helped by the inward focus of many professional bodies in the area).
2. The bias towards technology solutionism is also a challenge. I don’t think CitiGroup’s problem is a lack of data quality software or BI tools to help make pretty dashboards of how bad things are for their Executives. I’m sure that there are any number of JooJanta Dashboards, but if there is a lack of understanding about what is meaningful to measure and it is not linked to actual management objectives and reward systems, it becomes wallpaper.
3. Good Data Culture is also difficult to develop when it is not a core focus of management. The company culture may be perfect, but if the scaffolding that allows for effective ethical decision making (or even procedural decision making) around data and data-related risks is missing, mistakes and failures can happen.

Department for Education Audit

Similar issues arise in the ICO’s audit of the Department for Education in the UK. Amongst other things, the ICO has found that:

• It lacked any proactive governance for data and information management (aka ‘management by crisis’)
• There was no formal documentation of governance structures and controls, and no formal document management system in place
• There was no proper DPO appointed
• There was no Register of Processing Activities
• There was no expertise engaged from within the Department to help define data retention schedules or other data management tasks
• There was no control or inconsistent control of data processors
• Defined governance ‘gateways’ were ignored or bypassed, particularly for commercial exploitation of student data.

In short: this is a data governance shit show. But from our work with DefendDigitalMe over the past few months, we’re unsurprised. From our work with Irish Public Sector organisations… I’d suggest they read the ICO’s report.

Lip Service instead of Due Diligence

The issues identified by the ICO mirror the CitiGroup findings in that there appears to have been extensive lip service to data governance and data protection. But this was not matched by investment in training (data literacy), formalisation of governance structures, enforcement of governance structures, or implementation of fundamental organisational and technical controls.

This is an important lesson for organisations to learn from: there is a clear need to ensure that the appropriate governance structures and scaffolding are put in place in the organisation to give effect to you data management strategy. Failure to to this means you simply cannot stand over how data is being managed. It becomes impossible to show the due diligence for your organisation and technical controls over data.

That’s when you find yourself encountering avoidable data protection breaches, failures to properly assess the impact of “mutant algorithms” on fundamental rights, or, as in the case of CitiGroup, accidentally transferring nearly a billion dollars to another company.

Due Diligence can simply mean writing down plans and assumptions

The recent investigation by the Data Protection Commission of Wexford County Council for their failure to complete a DPIA before deploying drone-based surveillance systems highlights the importance of simple control points in a process to document and record basic information about data due diligence in an organisation.  An ounce of proactivity is worth a ton of reactive responses to queries. The FOI response I received from Wexford County Council back in June showed a significant amount of post-facto rationalisation and validation of assumptions that might better have been applied and documented as a DPIA before launching the drones.

How Can We Help

Castlebridge helps organisations think about their data as a critical asset that has to be governed well to mitigate and manage data-related risks. This goes beyond just putting in the frameworks,  tickbox templates, and shiny software and includes education and training of staff at all levels in fundamentals of data and data management.

We have upcoming public courses on

• Data Governance (4th Nov)
• Register of Processing Activities (11th & 18th November)
• Data Quality (9th December)

If you aren’t sure about your needs, you can book an Advisory Clinic call with our team for a 1 hour quick consultation and diagnosis. Alternatively, if you are unsure of your immediate needs but have budget unspent this year, you can buy a Budget Manager Voucher to pre-pay for advisory or other services any time in the next 12 months.