Slide 1

Slide 1 text

Data Governance
Ignasius Bayu Purnomo
18 June 2020

Slide 2

Slide 2 text

Ignasius Bayu Purnomo

Bayu joined BFI Finance Indonesia in February 2020 as Data Governance Head and is responsible for building and implementing Data Governance. Previously, Bayu worked at one of Indonesia's major banks, Bank BNI. At BNI, Bayu began his career as a programmer and then moved into data analysis, implementing and building data mining and data analytics teams, starting in the Credit Card Division, then the Customer Management and Marketing Division and the Product Management Division, up to his last position as AVP Data Governance and Strategy in the Data Management Division.

Email address: ignasius.purnomo@bfi.co.id

Slide 3

Slide 3 text

Agenda
1. Drivers Data Governance
2. Introduction to Data Governance
3. Alignment
4. Elements of Effective Data Governance
5. Data Awareness Culture

Diagram: Data Governance (People, Process, Technology)

Slide 4

Slide 4 text

Drivers Data Governance
• Data is a strategic asset
• New data consumers
• Increasing data-centric regulations
• Growing volume and type of data

Slide 5

Slide 5 text

Excerpt from Permen Kominfo RI No. 20 Tahun 2016

Regulation of the Minister of Communication and Informatics of the Republic of Indonesia Number 20 of 2016 on the Protection of Personal Data in Electronic Systems

Slide 6

Slide 6 text

Excerpt from SE OJK No. 14 SEOJK.07/2014

Circular Letter of the Financial Services Authority (Otoritas Jasa Keuangan) Number 14 SEOJK.07/2014 on the Confidentiality and Security of Consumers' Personal Data and/or Information

I. General Provisions
1. Consumers' Personal Data and/or Information is data and/or information that covers the following:
   a. individuals:
      1) name;
      2) address;
      3) date of birth and/or age;
      4) telephone number; and/or
      5) biological mother's name.
   b. corporations:
      1) name;
      2) address;
      3) telephone number;
      4) composition of the board of directors and board of commissioners, including identity documents in the form of a national identity card (Kartu Tanda Penduduk)/passport/residence permit; and/or
      5) composition of shareholders.

II. Protection of Consumers' Personal Data and/or Information
1. PUJK are prohibited from providing, by any means, personal data and/or information about their Consumers to third parties.
2. The prohibition referred to in number 1 does not apply where:
   a. the Consumer gives written consent; and/or
   b. it is required by laws and regulations.
3. Where the Consumer gives written consent as referred to in number 2 letter a, the PUJK may provide the Consumer's Personal Data and/or Information, with the obligation to ensure that the third party does not provide and/or use the Consumer's Personal Data and/or Information for purposes other than those agreed between the PUJK and the third party.

Slide 7

Slide 7 text

Data Governance
• Definition: The exercise of authority, control and shared decision-making (planning, monitoring and enforcement) over the management of data assets.
• Goals:
1. Enable an organization to manage its data as an asset.
2. Define, approve, communicate and implement principles, policies, procedures, metrics, tools and responsibilities for data management.
3. Monitor and guide policy compliance, data usage and management activities.

Slide 8

Slide 8 text

Data Governance Alignment

Diagram, roles:
• CDO or Executive Sponsor
• Executive Data Steward Committee
• Data Governance Coordinator
• Data Owner & Steward (BU)
• Data Producer & Delivery (IT + BU)

Diagram, flow labels: Policy, Initiatives, Guidelines; Operation, issues

Data Governance: Discover, Define, Apply, Measure & Monitor

Slide 9

Slide 9 text

Elements of Effective Data Governance

Outcomes
• Data Risk Management & Compliance
• Value Creation

Enablers
• Organizational Structure & Awareness
• Policy
• Stewardship

Supports
• Data Quality Management
• Data Lifecycle Management
• Data Security
• Master Data Management
• Data Architecture
• Classification & Metadata
• Audit Data Logging & Reporting

Slide 10

Slide 10 text

Data Quality Management
• Definition: The planning, implementation, and control of activities that apply quality management techniques to data, in order to assure it is fit for consumption and meets the needs of data consumers.
• Goals:
1. Develop a governed approach to make data fit for purpose based on data consumers' requirements.
2. Define standards, requirements, and specifications for data quality controls as part of the data lifecycle.
3. Define and implement processes to measure, monitor, and report on data quality levels.
4. Identify and advocate for opportunities to improve the quality of data, through process and system improvements.

Slide 11

Slide 11 text

Master Data Management (MDM)
• Definition: Managing shared data to meet organizational goals, reduce risks associated with data redundancy, ensure higher quality, and reduce the costs of data integrations.
• Goals:
1. Enable sharing of information assets across business domains and applications within an organization.
2. Provide an authoritative source of reconciled and quality-assessed master and reference data.
3. Lower cost and complexity through use of standards, common data models, and integration patterns.

Slide 12

Slide 12 text

Data Architecture

Data architecture defines information flows in an organization, and how they are controlled. A data architect is responsible for understanding business objectives and the existing data infrastructure and assets; defining data architecture principles; and shaping the enterprise data architecture to provide greater benefits to the organization.

A few basic concepts in data architecture:
1. Conceptual / business data model: shows data entities such as customer, product and transaction, and their semantics.
2. Logical / system model: defines the data in as much detail as possible, including relations between data elements, but without considering how data is stored or managed.
3. Physical / technology data model: defines how the data is represented and stored, for example in a flat file, database, data warehouse, key-value store.

Slide 13

Slide 13 text

Data Lifecycle Management

Collection
• Data Acquisition: use of existing data that has been produced by organizations outside the company.
• Data Entry: creation of new data values for the company by humans or by devices that produce data for the company.

Maintenance
• Involves tasks such as movement, integration, cleansing, enrichment, and retrieval of changed data, as well as the well-known extract-transform-load processes.

Synthesis
• An analytic arena that uses modeling, as found in risk modeling, actuarial modeling, and modeling for investment decisions.

Usage
• Data use has special Data Governance challenges. One of them is whether it is legal to use data the way business people want to. This is referred to as "permitted data usage".

Publication
• This can be defined as sending data to locations outside the company.

Storage
• Data archives are places where data is stored.

Delete
• Once the data is no longer useful in any way for the company, the data should be deleted. This process must be carried out properly to ensure good data management.

Slide 14

Slide 14 text

Data Security
• Definition: Definition, planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
• Goals:
1. Enable appropriate, and prevent inappropriate, access to enterprise data assets.
2. Understand and comply with all relevant regulations and policies for privacy, protection, and confidentiality.
3. Ensure that the privacy and confidentiality needs of all stakeholders are enforced and audited.

Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and update is restricted.

Slide 15

Slide 15 text

Data Classification

Data classification is broadly defined as the process of organizing data by relevant categories so that it may be used and protected more efficiently. Data classification is of particular importance when it comes to risk management, compliance, and data security.

Example
1. Restricted
• Represents the most sensitive data with the highest security classification.
2. Private
• All data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.
3. Public
• Represents the least-sensitive data with the lowest security requirements.

Slide 16

Slide 16 text

Metadata Management

Business Metadata
• Definition and description of data sets, tables, and columns
• Business rules, transformation rules, calculations, and derivations
• Data models
• Data quality rules and measurement results
• Schedules by which data is updated
• Data provenance and data lineage
• Data standards
• Valid value constraints
• Stakeholder contact information (e.g., data owners, data stewards)
• Security/privacy level of data
• Known issues with data
• Data usage notes

Technical Metadata
• Physical database table and column names
• Column properties
• Database object properties
• Access permissions
• Data CRUD (create, replace, update and delete) rules
• Physical data models, including data table names, keys and indexes
• Documented relationships between the data models and the physical assets
• ETL job detail
• File format schema definitions
• Source-to-target mapping documentation
• Data lineage documentation, including upstream and downstream change impact information
• Program and application names and descriptions
• Content update cycle job schedules and dependencies
• Recovery and backup rules
• Data access rights, groups, roles

Operational Metadata
• Logs of job execution for batch programs
• History of extracts and results
• Schedule anomalies
• Results of audit, balance, control measurements
• Error logs
• Reports and query access patterns, frequency and execution time
• Patches and version maintenance plan and execution, current patching level
• Backup, retention, date created, disaster recovery provisions
• SLA requirements and provisions
• Volumetric and usage patterns
• Data archiving and retention rules, related archives
• Purge criteria
• Data sharing rules and agreements
• Technical roles and responsibilities, contacts

Slide 17

Slide 17 text

Audit Data Logging & Reporting

Logging provides a record of events related to the data lifecycle. Each recorded event is a log entry, denoting information such as what occurred, when it occurred, and who or what caused it. Logs provide the data record through which managers can examine the data lifecycle. Managers monitor logs to look for state changes, exceptions, and other significant events. If monitoring produces records, those are also logs that might be subject to further analysis or simply fulfill a compliance documentation requirement.

Reporting refers to the generation (automatic or manual) of reports that indicate the status of the data lifecycle to meet compliance goals. Reporting is intermeshed with both monitoring and logging, since reports can be based on the output of both monitoring and logging activities. Some authorities, such as ISO 27002, require management to report on the effectiveness of reporting and monitoring controls.

Slide 18

Slide 18 text

Data Awareness Culture

Data awareness culture will maintain and improve data quality, data security and data utilization that add value to business processes.

Several ways to build data awareness culture:
1. Implement data governance operationalization
2. Socialization of data governance, data quality, data security and data utilization
3. Create in-depth training for data producers, data modifiers, data consumers and data owners
4. Create a data awareness program regularly
5. Create KPIs for data-related staff or units

Slide 19

Slide 19 text

Thank You

Slide 20

Slide 20 text

Appendix

Slide 21

Slide 21 text

Roles of Data Architecture
• Data architect (sometimes called big data architect): defines the data vision based on business requirements, translates it to technology requirements, and defines data standards and principles.
• Project manager: oversees projects that modify data flows or create new data flows.
• Solution architect: designs data systems to meet business requirements.
• Cloud architect or data center engineer: prepares the infrastructure on which data systems will run, including storage solutions.
• DBA or data engineer: builds data systems, populates them with data and takes care of data quality.
• Data analyst: an end-user of the data architecture, uses it to create reports and manage an ongoing data feed for the business.
• Data scientist: also a user of the data architecture, leveraging it to mine organizational data for fresh insights.

Slide 22

Slide 22 text

ISO 27002

ISO 27002: Section 9.7.2.3 of the international data security standard requires the organization to monitor logs to identify security events. Section 10.10 addresses the need for audit logs and system activity logs, log information and communication faults, and the protection of "logging facilities and log information."