July 7, 2024

The Startup Guide to Data Governance

As a startup, should data governance matter to you? The answer is yes, as it is becoming table stakes for a functioning cybersecurity and privacy program. Build trust and pass audits with effective data governance.
Written by:
Travis Good

Data governance, like all things security and compliance, has started to flow down from larger enterprises to startups. While data governance can be an entire company function on its own, for the purposes of this post we've pared it down and tailored it for startups. It's simple, actionable, and auditable.

As a startup, should data governance matter to you? The answer is yes, as it is becoming table stakes for a functioning cybersecurity and privacy program. The only way to build trust is to ensure your customers have faith that you will manage their data effectively and securely. Data governance is essential to doing that.

Simple Steps to Data Governance for Startups

Startups can easily get mired in the details of data governance and get stuck in building out a program for it. Below are simple steps to build and implement a data governance strategy.

1. Classify Data

While some people will tell you to start with an inventory of your data, our approach is to start with defining your data categories. If you start with the various data classifications, you ensure you have all of your current and future use cases met. Below are the classes of data we recommend.

  • Public. Data that can be publicly shared. There is no risk to the company, either in reputation, regulatory, or competitive advantage, from this data. A good rule of thumb for this category is any data that is readily available to the public from other sources.
  • Internal All. Data that can be shared with all of your employees and contractors but not externally. Some examples might be company-specific policies, org charts, or even internal job descriptions.
  • Internal Restricted. Data that can be shared selectively with employees and contractors, although no special approvals are needed to grant internal access. Most companies will use Internal as a single classification and not break out Internal All and Internal Restricted, but we think that, given the dynamic nature of both data and workforces, being more granular in classification helps ensure proper rules are applied to data and systems.
  • Confidential. Data that is sensitive but not regulated. This could be sensitive systems information or employee policies, procedures, or even benefits data. The company defines the rules on how this data is handled.
  • Restricted or Regulated. Data that is regulated. This includes PII from certain geographies (California under CCPA or the EU under GDPR, for example) and regulated data such as protected health information or financial information (under PCI). Data regulations define the rules for how this data is collected, processed, and stored.

Your data classification system should be a part of a Data Governance Policy or Data Classification Policy. There are templates for this. If you're a Vanta customer, you have access to a Data Classification Policy; the Vanta Data Classification Policy has 4 classifications of data, combining Internal All and Internal Restricted into one category. The Vanta Data Classification Policy also contains security controls for each classification, which is very convenient to use either as is or as a starting point. We encourage all of our vCISO customers that use Vanta to review the policy templates in their entirety and edit them to align with the specific operations of the company.

Workstreet also offers Data Classification Policy and Data Governance Policy templates. As with Vanta, review and ensure the policies align with your company.

2. Inventory Data and Systems

With SaaS sprawl and the proliferation of SaaS apps, this is not easy, even for small startups. Creating an inventory of all of your systems, cloud services, SaaS apps, and other data repositories is hard to do the first time and needs to be revisited often or it will become stale.

One offshoot of this process is a list of your vendors, which is valuable for other reasons beyond data governance. As you go through the effort

3. Assign Data and Systems a Classification

Once you have your various data categories documented and you have an inventory of all systems and data, it's a straightforward step to assign a data classification to each system. This process should involve different stakeholders, including IT, security, and system owners. The discussions that come out of these conversations can be fruitful for risk management.

This step can be, and in smaller startups often is, combined with Step 2 above (inventorying).

4. Define Data Rules Based on Classification

While inventorying and classifying data is a valuable step in and of itself, the rubber meets the road when you then apply rules based on those classifications. These rules inform how different systems are managed, how data is shared, who can and can't access systems and data, how long data has to be retained, and how each system fits into your disaster recovery and business continuity plan. The upfront work from above is essential to build and implement effective policies and procedures.

Data Usage

Rules for how data may be used can be applied to different systems and repositories of data based on the data classifications assigned to them.

Data Security

Different data and systems have different data security requirements. A data governance strategy and documentation should determine the levels and types of security each system needs.

Data Access Controls

Data governance should make creating access controls for various systems programmatic. The rules of access should be determined by the type of data being accessed.

Data Retention

Data retention, as a general rule, should align with regulatory, legal, and business requirements. Different classifications of data have different retention requirements. As a part of this process, legal reviews should be done as legal (contractual) requirements are sometimes overshadowed by regulatory requirements.

Data Backup

Data backup is an offshoot of data retention and business continuity, and so is a downstream effect of data governance.

Data Deletion

The flipside of data retention is data deletion. Certain classes of data, and accompanying systems, need to be deleted in accordance with contractual or regulatory obligations.

Business Continuity Planning (BCP) and Disaster Recovery (DR)

One downstream impact of data governance is on business continuity and disaster recovery planning. A thorough business continuity plan prioritizes and allocates resources to recovery efforts to meet defined recovery times. For certain classes of data, often regulated data, there are specific external requirements on the availability of data. Data governance should inform the prioritization of the return to operations.
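As an added example (not code from the post or from Workstreet), here is how the four steps above can be made programmatic in Python: the post's five classes, a hypothetical rule table per class (the specific controls and retention limits are assumptions, not the post's policy), a constructed inventory, and an audit that reports where a system's controls fall short of the rules its most sensitive data class requires.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class DataClass(Enum):  # the post's five classes, least to most sensitive
    PUBLIC = 0
    INTERNAL_ALL = 1
    INTERNAL_RESTRICTED = 2
    CONFIDENTIAL = 3
    REGULATED = 4
# Hypothetical controls per class (assumed for illustration, not the post's policy):
# encryption at rest, MFA, access approval, max retention days (None = no limit), in BCP/DR plan.
RULES = {
    DataClass.PUBLIC:              (False, False, False, None, False),
    DataClass.INTERNAL_ALL:        (False, True,  False, None, False),
    DataClass.INTERNAL_RESTRICTED: (True,  True,  False, None, False),
    DataClass.CONFIDENTIAL:        (True,  True,  True,  1095, True),
    DataClass.REGULATED:           (True,  True,  True,  365,  True),
}

@dataclass
class System:  # one step-2 inventory row with its step-3 classification(s)
    name: str
    data_classes: set[DataClass]
    encrypted_at_rest: bool
    mfa_enforced: bool
    access_requires_approval: bool
    retention_days: int | None  # None = retained indefinitely
    in_dr_plan: bool

def audit(system: System) -> list[str]:
    """Apply the step-4 rules to one system; a system is governed by its most sensitive class."""
    encrypt, mfa, approval, max_days, dr = RULES[max(system.data_classes, key=lambda c: c.value)]
    checks = [
        (encrypt and not system.encrypted_at_rest, "encryption at rest required"),
        (mfa and not system.mfa_enforced, "MFA required"),
        (approval and not system.access_requires_approval, "access approval required"),
        (max_days is not None and (system.retention_days is None or system.retention_days > max_days),
         f"retention must be <= {max_days} days"),
        (dr and not system.in_dr_plan, "must be in BCP/DR plan"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample inventory for the demo, not real systems.
INVENTORY = [
    System("marketing-site", {DataClass.PUBLIC}, False, False, False, None, False),
    System("hr-wiki", {DataClass.INTERNAL_ALL, DataClass.CONFIDENTIAL}, True, True, False, None, True),
    System("billing-db", {DataClass.REGULATED}, True, True, True, 365, True),
    System("support-tool", {DataClass.INTERNAL_RESTRICTED, DataClass.REGULATED}, False, True, False, 730, False),
]
```

Running `audit` over each entry of `INVENTORY` flags `hr-wiki` (governed by Confidential because that is the most sensitive class it holds) for missing access approval and unlimited retention, and `support-tool` for four gaps, while the Public site and the compliant billing database come back clean.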

The Importance of Data Classification for Startups

Data classification is a critical component of data governance. All SaaS companies store large amounts of data, often sensitive data, including personal information such as names, addresses, and financial information. Without proper classification, it's difficult to know how data and the corresponding systems should be handled.

Classifying data allows companies to identify the types of data they are collecting and processing, as well as the level of protection each type requires. This information is then used to develop policies and procedures around handling sensitive data, including access controls, encryption requirements, business continuity plans, and retention policies.

In addition to helping companies protect their customers' sensitive information, proper data classification can also help your startup comply with various regulatory requirements. Many industries have specific regulations around how certain types of data must be handled and protected, as well as when and how that data needs to be retained or erased. By properly classifying their data, startups can ensure they are meeting these requirements and reducing the risk of potential fines or legal action.

A strong data classification program is essential for any startup that wants to protect its customers' sensitive information while also complying with regulatory requirements.

Using Minimum Necessary Standard for all Data

The Minimum Necessary Standard (MNS) is an essential aspect of data governance. It means that companies should only collect and store the minimum amount of data necessary to fulfill their business objectives. This standard ensures that companies are not collecting unnecessary information about their customers, which can help reduce the risk of data breaches and improve overall privacy.

MNS is relevant regardless of data classification. Companies should only collect, process, and store data as needed to deliver their products and services.

When implementing MNS, startups must first identify the specific types of data they need to collect for their business operations. This can include things like customer names, addresses, and financial information. Once these types of data have been identified, startups should evaluate whether they really need to collect all of this information or if they can get by with less.

By implementing MNS, startups can reduce their exposure to privacy risks while also improving transparency and trust with their customers.

In addition to helping ensure only the minimum necessary data is collected and stored, MNS ensures that data is deleted when it is not needed anymore.

Common Challenges Faced by Startups when Implementing Data Classification

While data classification is essential for data governance, implementing a strong program requires more than this. One of the biggest challenges is identifying all the different types of data that need to be classified. With so much data being collected and processed, it can be difficult to know what should be classified as sensitive and what should not.

Another challenge is ensuring that employees understand the importance of data classification and how to properly classify data. This requires ongoing training and education to ensure that everyone in the organization is aware of the policies and procedures around handling sensitive data. With SaaS sprawl, startups have more and more SaaS apps housing more and more data. Ensuring all of the managers and admins of these SaaS apps understand the data in SaaS apps and accurately classify it is not easy and is an ongoing task.

In addition, keeping up with changes in regulations and industry standards can be a challenge. As new requirements are introduced, companies must update their classification programs to ensure they remain compliant.

Finally, managing access controls can also be a challenge when implementing data governance. Access controls are important to ensure that only authorized individuals have access to sensitive data, but this can be difficult when there are multiple systems and platforms involved.

----

Maybe all the above sounds foreign to you. Or daunting. Data governance can be hard if this is new to you, which it is to most startups. A few things that may help you get started with data governance:

  1. Try a security and compliance platform like Vanta. Vanta gets data governance as a company, and it also includes data governance policies like data classification, protection, and retention.
  2. Hire Workstreet to build, implement, and maintain a right-sized data governance approach for your startup. We are security and privacy experts that work exclusively with growth-focused startups. We can also help you build trust with customers and check the box as your security official or vCISO.

Whatever path you choose, don't push off data governance. It's 10x easier to tackle this early in your startup's journey than later.