1. Objective:
1.1. Provide a brief overview of the Data Governance Working Group's (DGWG) history, foundational principles, and goals.
1.2. Revisit this in light of 1.5 years of perspective.
1.3. Identify some key areas where the group can add value to Carrot.
1.4. Identify and discuss key challenges and opportunities.
2. Background
2.1. Netflix Deal
2.1.1. In Fall 2022, Carrot negotiated a multi-party data sharing agreement with Netflix, Mercer, and Springbuk.
2.1.2. This deal presented several new challenges because it involved sharing data in a fundamentally novel way that had not been previously vetted and was not a natural fit for our standard contractual framework.
2.1.3. This was quite challenging because it involved multiple teams (e.g., Legal, BI, Security) and there was no established forum or procedure to bring stakeholders together to:
2.1.3.1. Meet and discuss data sharing challenges in a holistic, cross-functional way.
2.1.3.2. Determine, as early as possible, whether a proposed business initiative aligned with Carrot's core values and did not present any insurmountable legal, operational, or ethical challenges.
2.2. Establishment of the Data Governance Working Group (DGWG)
2.2.1. To address these challenges, Carrot established the DGWG, which held its first meeting on February 24, 2024. In addition to myself, attendees included Jasmine, Joe, Katisha (the head of Legal at the time), and Hilary.
2.2.2. In the first meeting, the group established some foundational principles, which are captured in the Charter:
2.2.2.1. Oversight: Oversee BI, IS, and Privacy program activities to ensure alignment with company strategies.
2.2.2.2. Data Lifecycle Management: Establish a BI data lifecycle, including collection, usage, storage, deletion, and/or anonymization.
2.2.2.3. Data Glossary: Build and implement a data glossary to ensure consistent and accurate terminology across the organization.
2.2.2.4. Enablement of BI Tools: Ensure BI tools meet regulatory and contractual requirements.
2.2.2.5. Risk Management: Present new business risks or strategies to identify and prevent cyber and privacy risks.
2.2.2.6. Regular Review: Review and reassess the adequacy of the Data Governance Charter at least every two years.
2.2.3. The group also set forth some key goals:
2.2.3.1. Information Security (IS) Program: Protect Carrot's customers, members, and brand from cyber risks.
2.2.3.2. Business Intelligence (BI): Ensure the responsible collection, use, and retention of information about the company, its customers, members, and employees.
2.2.3.3. Data Retention, Data-Sharing, and Privacy Policies: Develop and maintain policies that comply with HIPAA, GDPR, and other US and global privacy laws.
2.2.3.4. Training and Development: Address evolving training and development needs related to data governance.
2.2.4. To address these challenges, Carrot established this Data Governance Working Group (DGWG).
2.3. Wider Scope
2.3.1. While the group was originally established to address Netflix-type deals, its purpose and scope have grown much broader since then, essentially encompassing any activity involving data (with a focus on novel and higher-risk initiatives).
3. Taking Stock
3.1. Today marks the group's seventh meeting.
3.2. While we have made some progress toward these goals, it is clear that there is plenty of room for improvement.
3.3. I'd like to offer some ideas, and I propose we use today's meeting to think through these.
4. Highest Value-Added Areas
4.1. Building a compliance culture throughout Carrot
4.1.1. Suggestions: work with newly established Compliance Committee; prepare and circulate infographics; prepare short, cross-functional training modules; build and implement an ethical framework.
4.2. Knowing our data
4.2.1. Suggestions: use BigId to map and classify internal and external data flows; establish clear data classification standards that align with regulatory and operational requirements; update Record of Processing Activities (RoPA) to align with the above and serve as central "source of truth"; establish data glossary to build a consistent vocabulary.
4.3. Anticipating and preparing for new initiatives
4.3.1. Suggestions: build Confluence page to track and discuss initiatives impacting data; dedicate time during DGWG meetings to discuss this.
4.4. Anticipating and preparing for new regulations
4.4.1. Suggestions: build Confluence page to track and discuss regulatory developments impacting data; dedicate time during DGWG meetings to discuss this.
4.5. Implementing Privacy by Design (PbD)
4.5.1. Suggestions: work with product and engineering teams to think about and address privacy issues during the early design phase; develop guidance and P&Ps around this
4.6. Build and implement a risk assessment framework
4.6.1. Suggestions: clearly define and align on organizational risk tolerance; develop a standard and consistent framework to address, mitigate, and sign off on risks.
5. Challenges and Opportunities
5.1. Challenge: Lack of leverage throughout Carrot
5.1.1. Opportunities:
5.1.1.1. "Advertise" the DGWG through Town Halls, Carrot Chronicle, and training/workshops
5.1.1.2. Look to the newly established compliance committee for ideas (e.g., fun contests, tag lines)
5.1.1.3. Design an official logo/letterhead
5.1.1.4. Publish official guidance (white papers, procedures, etc.)
5.1.1.5. Set up a dedicated email address and Jira portal to address cross-functional initiatives
5.2. Challenge: Inefficient meetings
5.2.1. Opportunities
5.2.1.1. Commit to regular meetings, even if attendance is low
5.2.1.2. Keep and circulate meeting minutes
5.2.1.3. Use Confluence page to set up and stick to disciplined agendas
5.2.1.4. Dedicate time to discussing new initiatives and regulations
5.2.1.5. Establish regular "check ups" to review and improve overall DGWG efficacy.