The challenges and opportunities of computational governance

“The more data you have, the more important data governance becomes. Just like accessibility, however, governance is a problem that scales; more data equates to a greater number of data policies that need to be developed, enacted, and checked.”

About a year ago now, I penned an article looking at the key data trends for 2023. In it, I used the point above to highlight the growing importance of computational governance. Twelve months on, I think the need for organisations to embrace the potential of that approach has never been greater. Before we look at why that is, though, let me give you a brief refresher on what computational governance actually is.

For just about any organisation that deals with data at scale, governance of that information is now a critical issue. Legislation including the EU’s Data Governance Act and the UK’s Data Protection Act has introduced severe financial penalties (and even criminal charges) for non-compliance, providing additional motivation for organisations to put adequate controls in place.

What those controls look like can vary from organisation to organisation, with everything from the type of data in question and its point of origin through to its end use having an impact on how it is handled. At the same time, most data governance policies revolve around three key issues:

While these questions may sound simple enough on the surface, they can actually be incredibly complex. In a large organisation, for instance, how would you know that a data governance policy was being followed? How would you know if it wasn’t? If it wasn’t, how soon would you know? Would you be able to explain why the policy hadn’t been followed? Could you have prevented it from being breached? If so, how?

This is where the idea of computational governance comes in. Through a combination of data analytics and machine learning algorithms, the theory is that key data governance challenges can be automated – with policies both created and enforced via the use of artificial intelligence (AI).

Clear opportunities, complex challenges

Like many other tasks that can be augmented through AI, computational governance could deliver a wide range of benefits to organisations that adopt it, with some of the most appealing being its:

While the opportunities presented by computational governance might be clear, deciding on the best way to approach it is a little more complex. Even within the data science industry, where data management is a subject of the utmost importance, there are differing opinions about how computational governance should be employed. Broadly speaking, though, people tend to follow one of two distinct schools of thought.

The first of those is a technology-centric perspective, something that is common among enterprise architects. Naturally, this group tends to focus on computational governance as a development-related challenge, a puzzle to which software and applications are the solution. The key principle here is that, by embedding various parameters in at the software layer, you can establish the precise controls over data that you need.

If this sounds rather like an evolution of existing approaches to security – and the kind of policies that get built into email clients and the like – then that’s because the overarching concept is indeed very similar. It’s also quite easy to understand how that kind of model might work, with different permissions allocated to different groups based on the role they play in relation to a dataset.

On the other side, data practitioners – who have worked with data sets (and, for me, specifically personal and retail data) for many years – may focus on different issues. From our point of view, the biggest challenge regarding computational governance isn’t at the technological level, but the reality of how permissions are gained from data subjects such as retail customers, and the realities of how their data can be used.

This is inherently complex territory. Not only are there many upfront variables to consider, but the situation is also constantly evolving. Privacy notices can change, laws can shift, and even subtle alterations to terminology can mean the way you handle data today might look very different tomorrow. Even for something as innocuous as insight-gathering, that can lead to difficult questions about whether certain types of data can still be used.

A major issue here is that retailers – and indeed, most organisations – don’t tend to have a standard approach to data collection and use. As a result, no matter how good your technology-driven rules and parameters may be, computational governance is still extremely difficult to achieve because there’s simply no universal way to apply those controls.

Imagine an organisation that has a website, a loyalty programme app, and in-store self-checkouts, for instance. All three of these touchpoints could be requesting the same information from an individual, but each with slightly different use cases – and therefore slightly different privacy notices and consent options as well. Even if those things are synchronised, an individual may then provide different consents at each collection point.

What results from that is contradictory data, the kind that needs complex rules that are continually maintained and refreshed to make it useable.

There is work to be done, but the potential remains immense.

At present, then, the appeal of computational governance probably comes down to the number of data sources you have, the ways in which you want to use them, and whether you’re attempting to combine them with other information. Does the concept hold greater promise for those organisations that handle less data? Today, there’s a compelling argument to suggest that’s the case.

Despite that, though, and the very real obstacles outlined above, there is abundant potential here. Difficult as it may be to get right, computational governance could give organisations and individuals a whole new level of confidence about how their data is being used.

As well as helping to alleviate the compliance burden for organisations, the additional safeguards that it brings will provide new reassurances about the safe use of personal information. But the potential will only really be unlocked when we find a more consistent – and simpler – way to collect individuals' data in the first place.