
Data governance for directors: new guidance by AICD, Allens and Melbourne Business School

By Valeska Bloch, Emily Cravigan, Maddison Ryan, Nick Li

Practical insights for boards, in-house counsel and senior management

Data governance has become a critical issue for boards, requiring their active engagement and oversight. Without a robust data governance framework, AI governance, cybersecurity, operational resilience and regulatory compliance are impossible. Data governance is also integral to most business strategies—from digital transformation and AI adoption, to efficiency projects and attracting and maintaining customer trust.

Recognising both the importance and challenges of data governance, Allens, the Australian Institute of Company Directors (AICD) and the Centre for Business Analytics at the Melbourne Business School (MBS) have co-authored Data Governance Foundations for Boards: Key principles for director oversight and value creation (the guide). The guide is designed to help directors navigate the complexities of data governance, bringing together key governance principles and practical real-world insights.

The full guide is an essential read for directors, in-house counsel and senior management. The AICD has produced a helpful snapshot, as well as a checklist for SME and not-for-profit boards, but we think the guide is worth reading in full, if you can.

About the guide

Data governance has been on board agendas for some time, but its importance has recently been underscored by the proliferation of GenAI, cyber incidents, developments in advanced analytics and regulatory change.

The guide sets out the key principles for how directors should approach data governance and balance innovation with risk management and ethical considerations in the current environment. It incorporates case studies from leading Australian companies, individual director reflections, governance red flags and questions for directors to ask when overseeing data governance for their organisations. The guide also explains how data governance intersects with AI governance and cyber risk management.

For a more complete summary, see this snapshot.

The guide should be read in conjunction with the AICD's:


Key takeaways from this guide

The guide outlines five key principles for director oversight and value creation in data governance, which converge around three themes: govern, leverage and protect.

Govern

  • Clear and defined data governance accountability: clearly defined roles and responsibilities form the foundation of effective data governance. Clear board reporting supports oversight of data use and protection. Visibility into the data handling and protection settings adopted by external providers is also critical.
  • Lifecycle management: it is essential to identify key data holdings within an organisation and manage them throughout their lifecycle—from collection through to disposal—to identify and manage risks effectively.

Leverage

  • Strategic asset management: key organisational data should be viewed as a strategic asset. Effective data governance can enhance productivity, improve products and services, drive financial returns, and support risk management.
  • Data-driven culture: empowering a culture that values data-driven decision-making is crucial for leveraging data's full potential while managing risks. Boards set the tone from the top.

Protect

  • Incident response: boards should proactively plan for data incidents, ensuring robust response plans are in place that include communication strategies for stakeholders.
  • Regulatory obligations: oversight of data governance forms part of directors’ existing fiduciary duties under both common law and the Corporations Act 2001 (Cth). To protect the organisation from legal repercussions while maintaining stakeholder trust, boards should oversee compliance with key laws such as the Privacy Act 1988 (Cth).
  • Data retention and destruction: boards should understand and oversee the organisation's approach to retention, archival and disposal of data (in accordance with a documented strategy). The unnecessary retention of data can increase the risk of a data breach and its potential impact.

Actions you can take now

  • Review your data strategy: ensure your organisation has a clear strategy for managing its key data assets aligned with your strategic objectives.
  • Assign clear responsibilities: designate clear roles within your organisation for overseeing and managing data assets and use cases.
  • Create a data inventory: undertake a thorough inventory or mapping exercise of your organisation’s key datasets, including where they reside, how they are used, who has access to them and how business operations would be affected if they were compromised.
  • Consider data retention and disposal strategies: consider the adequacy and currency of your organisation's data retention and disposal strategies (and the related controls implemented by relevant third-party providers).
  • Revisit incident response plans: ensure you have robust plans in place for responding to data incidents, including clear communication strategies for stakeholders.
  • Confirm whether data governance and cyber risk management policies and processes have been updated and adapted to address AI risks relevant to your organisation.