Expert panel contextual analysis

We asked the experts some poignant questions on data governance and the findings.

What are the benefits of data governance?

"The here and now on data governance is know your data and don’t keep it for longer than you should." - Sue Laver, Company Secretary, Telstra
"Twenty per cent of the respondents were from health and social assistance and another 13 per cent were from financial and insurance services. These are organisations that are holding critically sensitive data. It may well be that it’s the not-for-profit sector that’s the least well equipped. But it is also actually the highest risk, because of the nature of the data that it holds." - Megan Motto, CEO, Governance Institute of Australia
"I see data governance as much more of a whole of business problem rather than stopping the baddies getting in and then noticing when they’re there. When that happens to you — not if — but when it happens to you, your data governance will give you a really good handle on what you’ve got, where it is, what the implications might be." - Andrew Methven, Head of Risk and Compliance, Hearing Australia
"Quite often organisations will have all the best intentions, typically supported by a set of granular policies but at the same time, lack a centralised, strategic perspective or input based on what data it holds. This ability to step back and see the bigger picture is at the heart of good governance and underscores the benefits of good data governance. Recent experience points to this discovery or identification of data assets (and in some cases, liabilities) as being a long and difficult process. As with most things in life of that nature however, once you do it, you have a better platform to move forward from." - Ken Weldin, Partner, PKF Audit & Assurance
"Companies and their boards need to have a more comprehensive understanding of the data and personal information they collect and handle, the way it is used and the relevant governance and legal obligations that apply to the relevant data. Once businesses have mapped the data they handle and have the appropriate governance frameworks, policies and controls in place, they are able to engage in conversations at the board level around how the business is using data from a strategic commercial perspective and how it can be appropriately leveraged and effectively used as an opportunity for the business." - Joanne Moss, Board Chair, Non Executive Director, and Gadens Partner

Is there any urgency with data governance and risk management?

"There’s a bit of ‘she’ll be all right mate’ kind of shining through. There are some scary statistics in this picture like ‘has your management team done anything?’ Forty-four per cent of people said no." - Stuart Harrison, General Manager Cyber Defence, nbn Australia
"What’s actually changing? If you can’t be influenced by Medibank, Optus, Latitude and move away from that complacency, then what will influence you? I would be disappointed if we saw this in five years’ time. Something has to change." - Ken Weldin, Partner, PKF Audit & Assurance

What is the role of the board with data governance?

"The board should be ultimately responsible for governance (including data governance). Importantly, the CEO should be responsible to the board for supporting and approving all governance initiatives, including data governance. I was surprised at the lack of participation of general counsels in relation to data governance in relation to the survey, particularly given the complex legal landscape regarding the use of data and personal information (including under the Privacy Act 1988 and relevant legislation that governs specific data such as financial information and health information) as well as considerable legal risks associated with non-compliance with laws. Typically, where you have high risk issues and emerging issues that relate to governance, you normally see a general counsel that will be actively involved. Notably, there were not many General Counsels that participated in the survey." - Joanne Moss, Board Chair, Non Executive Director, and Gadens Partner
"The Privacy Act is currently under review, with proposals to change the civil penalty regime to a tiered approach, where penalties would also apply to low level contraventions of the Privacy Act or breaches of the act that were not ‘serious’ or ‘repeated’. Recent changes to the Privacy Act last year also saw a significant increase in the penalties that can be imposed for serious or repeated interference with privacy (up to $50 million or three times the benefit obtained as a result of the contravention or if that is unable to be determined by a court, 30 per cent of the company's adjusted turnover during the breach turnover period for the contravention). We would expect that this will result in data governance becoming more of a priority at that board level and perhaps having a champion on the board who was more informed of the complexities regarding data governance and legal obligations." - Eve Lillas, Senior Associate, Gadens
"On the one hand, 58 per cent of the respondents say the board doesn’t have sufficient understanding, yet only half of the respondents are actually reporting anything to their board. I think there’s an opportunity to call out the necessity for making sure that — be it the committees boards, a separate risk committee, a separate technology committee — that we have the people with the right skills involved." - Andrew Methven, Head of Risk and Compliance, Hearing Australia

How is AI affecting the data governance landscape?

"[AI] was more viewed as something that would be important in 2030 — I’m thinking we might be underestimating the velocity of things here." - Karin Geraghty, Non-Executive Director, Strategist, Digital Transformation Consultant
"If you don’t know how people are currently using generative AI in your organisation, you better quickly get on to an audit and find out who’s using it and why, where and how. Start the conversation now because people are already playing around with ChatGPT and other AI tools." - Megan Motto, CEO, Governance Institute of Australia
"We have seen an increase in disputes-related legal advice and training we provide to client companies on generative AI. A large proportion of this advice has been in relation to data and data handling practices given businesses are concerned about employees inputting personal, commercially confidential or legally privileged information into generative AI systems, to create a contract or to create an advice or piece of work. The risks apply to both open and closed source systems, albeit in different ways. We are seeing disputes emerge in the US in particular to data and data breaches relating to AI." - Joanne Moss, Board Chair, Non Executive Director, and Gadens Partner
"I wonder if AI has moved so quickly that there’s a lag in the catch up of perceptions of both use and risk. But the uptake of generative AI has been so great that you might be more worried about it from a consumer perspective ironically from an organisational perspective. Consumers don’t get to see how the organisation is using it to their advantage, by making the access to information so much more effective." - Sue Laver, Company Secretary, Telstra

What is the importance of data as an asset?

"It’s all about assets. It’s about the value you place on something which shapes how much you care about it. If you’ve miscalculated, have a system to correct calls quickly. But all data is not equal. So the fact that it isn’t really high on everybody’s list was pretty surprising. And I think boards are going to have to think more and more about that. Is your value chain, is your supply chain all on the same page? Does everybody understand that it’s your brand and reputation and you can’t outsource the liability around that because you have a supply chain? If this was a cybersecurity discussion that would be a top priority." - Stuart Harrison, General Manager Cyber Defence, nbn Australia
"‘Data is power’ may sound like a cliché but if it wasn’t true, then why would bad actors want to access it so much? It drives every decision or certainly should drive every decision rather than just relying on gut feel. Put to one side one’s own internal management of data, often the biggest risk can come from the outside and the interactions with third parties. These interactions can exponentially increase the volume of data in your ecosystem and from that, its value in driving better informed decisions." - Ken Weldin, Partner, PKF Audit & Assurance
"Data is a different type of asset and people don’t necessarily realise that it behaves differently: If you have a wallet and someone steals your wallet, you’re going to know because it’s physically gone. If you have data and someone steals it or copies it, you may not know because it’s still there. It doesn’t behave like other assets. On the positive side, it is one of the few assets that if shared, doesn’t decline. At the same time, that is also one of the drawbacks and one of the reasons we are seeing an increase in cyber crime." - Karin Geraghty, Non-Executive Director, Strategist, Digital Transformation Consultant
"Prioritisation is key. Defining that value statement around the data incorporates how much do you trust any one data set. Just have a think about that world that we’re entering into. And then get cracking with your plan of action and get to work with the cyber teams and IT teams." - Stuart Harrison, General Manager Cyber Defence, nbn Australia

Who's accountable for data governance?

"I recall hearing back in 2016 that data protection and cyber was now a non-delegable risk for the CEO. The impact of recent events certainly demonstrates the significant time, effort, cost and inconvenience that can follow from getting this wrong. As such, it’s hard to argue that the board should not be actively overseeing how this risk — and opportunity — is being managed. At the same time, the fact that one erroneous click can expose the organisation and shut down operations underlines that data governance is a team sport encompassing everyone in the organisation." - Ken Weldin, Partner, PKF Audit & Assurance
"Ultimately, the board is responsible for data governance so let’s ensure we have the right people sitting on the board from a skills matrix perspective. The business needs to consider reporting structures and processes at an executive level and assess who is providing information to the board and the CEO in relation to data related activities and initiatives. Businesses are starting to incentivise and structure reporting to ensure issues and opportunities related to data are taken seriously." - Joanne Moss, Board Chair, Non Executive Director, and Gadens Partner
"I would always put the board as having that oversight role rather than what I would call ‘accountability’ - because that sits with management in terms of getting staff to put the program together for the board to oversee it." - Sue Laver, Company Secretary, Telstra
"It has to be with the CEO. The board provides oversight, monitoring, assessment, checking and holding people to account, as well including how and when they communicate with the organisation with sensitive information. It’s a team sport." - Ken Weldin, Partner, PKF Audit & Assurance

How important is data retention?

"There was one statistic that I wish I’d seen placed much higher — purge. If you don’t need it, delete it permanently. Don’t have it in slow storage for a gazillion years. Everybody has finite resourcing, so unless it’s an organisational priority of the highest order, this is going to go to the back of the queue. And if you add cybersecurity requirements and all the other stuff that businesses need to be run and be profitable, I think some tough trade-offs are going to have to be made. You’re going to have to accept some risk somewhere." - Stuart Harrison, General Manager Cyber Defence, nbn Australia
"The majority of the respondents to the survey indicated they have a policy and a data retention policy in place, but they don’t measure it. This highlights a critical issue in relation to businesses putting policies in place that are not effectively managed. While preparing a data retention and storage policy that sets out the minimum retention periods under different legislation is a necessary first step, the policy needs to be actively implemented and managed to assist with data minimisation and compliance with laws regarding how long businesses should retain data." - Eve Lillas, Senior Associate, Gadens
"A lot of the legislation is geared towards keeping things much longer than is necessary and that’s what needs a review in order to reduce the risks as well." - Sue Laver, Company Secretary, Telstra
"It’s hard if you haven’t got a lot of money to design a system that can be that subtle around what you do and don’t keep. So you end up just keeping everything forever." - Andrew Methven, Head of Risk and Compliance, Hearing Australia
"People are assuming that organisations have this in hand. People are assuming their data is safe and if it’s not, that’s a significant expectation gap that isn’t going to do anyone any favours when things go wrong. This is why this is such a big issue: once trust is gone, that’s your equity gone." - 

For any assistance with addressing the data governance needs of your organisation, do not hesitate to contact your local PKF Audit and data governance expert.
