LEGAL ASPECTS OF DATA GOVERNANCE AND MANAGEMENT. WHITE PAPER
15.09.2025

The 8 layer legal framework for Data Governance and Management (the 8 layer stack)
Scope. As artificial intelligence (AI), machine learning and big data become ubiquitous, gaining unique competitive insight from data has become an indispensable strategic goal of organisations large and small. Organisations increasingly look at their data estates recognising that data has value as a business asset but also carries risk and potential liability (for data breach, for example). To maximise value and minimise risk, organisations are looking to:
• establish common processes that apply to their data assets across the data lifecycle;
• appropriately protect data assets and address any misuse; and
• enable efficiency gains to be harnessed from a structured, managed, consistent, standardised, repeatable approach that can be applied to all the organisation’s data-centred activities, operations and services.
This white paper provides a practical guide to help organisations develop a structured approach to managing and governing their data operations in a legally compliant way.
Difference between data management and data governance. Data governance and data management are different. In essence, governance sets the standards at a high level and management ensures those standards are followed day to day. By analogy with building a house, governance is the architect’s plans and management is the building process. Data governance sets standards, policies, frameworks and guidelines for data access, use and compliance, with the objective of ensuring that data is secure, accurate and responsibly and compliantly used. Governance stakeholders are drawn from all relevant parts of the organisation, focusing on the ‘what’ and ‘why’. Data management is more concerned with the ‘how’ and with ensuring that data is fit for the organisation’s needs consistently with applicable governance: that it is available, usable and reliable, with appropriate processes and tools in place.
Data governance is evolving rapidly. Data governance does not arise in a vacuum. Large organisations will typically already have in place governance for all or part of their data activities and compliance requirements, including:
• data protection and privacy (for example, records of processing activities, impact assessments and data protection by design and by default as required by the GDPR);
• information security;
• digital operational resilience;
• critical infrastructure;
• sector specific data regulatory compliance; and
• information architecture management and AI and data science best practices and ethics frameworks.
A structured approach to data governance and management. One way of developing a structured approach to data governance and management within an organisation is to:
• consider the legal framework that applies to data; and
• use this as a basis to develop a structured approach to managing data projects and operations based on four steps: Step 1: risk assessment; Step 2: strategy statement; Step 3: policy statement; and Step 4: processes and procedures.
LEGAL FRAMEWORK – THE 8 LAYER STACK
Consider legal framework. The first step when developing a structured approach to managing and governing an organisation’s data operations is to identify a sound legal framework for understanding the rights and duties that may arise in relation to that data. These rights and duties arise through intellectual property (IP) rights, contract and regulation. This legal framework presents a complex picture and various challenges. The differences between types of right in one country, the differences between similar rights in different countries, the way different rights act concurrently on the stack, the multi-layered nature of rights across the data lifecycle and the speed of the processes that create the data being assessed each contribute to the legal complexity of the data rights picture and to the legal challenges of data projects.
THE DATA ENGINE – INPUT, PROCESSING AND OUTPUT
Overlay the data engine. In the next phase, the data engine of an organisation can be overlaid on to the legal framework. An organisation’s data engine comprises its data input operations, its data processing operations and its data output operations (see Figure 2, Data engine). Each part of the data engine is explained in more detail below.
Figure 2: The data engine – input, processing and output operations
Data input operations. Particularly with the rise of generative AI, data comes into the organisation’s data engine from an increasingly wide variety of sources. Data can be structured – exchange market data, structured messages or a bought-in (licensed) marketing database, for example; it can be confidential or publicly available; it can be personal data or non-personal data; and it can be one or more of these things at the same time. Increasingly, however, it consists of unstructured data like location and other data from mobile devices and data from home sensors, wearables and other IoT devices and sensors. Roughly 80% of an organisation’s data estate is currently estimated to be unstructured.
Data Governance and Management (Kemp IT Law, v4, August 2025)
The ‘pan-enterprise’ view. This picture conceptualising the data engine is of course over-simplified: data input is starting to be, but is rarely yet, fully coordinated on an enterprise-wide basis; processing operations are likely to be carried out at the desktop as well as at the (on-premises or in-cloud) data centre; and departments may have their own systems and IT requirements. The ways in which an organisation can procure and use data are also increasing: it may procure data as a service (‘DaaS’) and AI as a service (‘AIaaS’) from the cloud rather than make the investment itself, or it may carry out some of these activities in house and some externally,
Data processing operations. Although data volumes and the power to store and process them are growing exponentially, there nevertheless remains a gap between the amount of data that organisations can accumulate, and their abilities to leverage that data in a way that is useful. The gap is narrowing with the migration from on-premises to in-cloud processing and as AI datasets and predictive forecasting and modelling techniques catch up with traditional retrospective reporting software. AI today incrementally assists organisations in unlocking the ‘unspoken secret of data’ – small effects with large, aggregated consequences.
Data output operations. The results of the processing then need to go to the places internally within the organisation (the departments and functions where they are of value) and externally (marketing and distribution partners and, increasingly, regulators) where they will be used. Use depends on the industry sector of the company concerned. In insurance, for example, vehicle telematics and location based services can inform the insurer of a driver’s general skill and care and where he or she was when the accident occurred. This data can be used by underwriters to assess risk and premium costs, by claims assessors to evaluate fault, by the finance department to allocate capital based on risk and hence pay-out profile, by the compliance team for reporting to the regulator, and by product development for new product offerings and for marketing purposes. It is here that the licensing, data protection and other regulatory implications of using data for a different purpose than that for which it was originally obtained become particularly important. These legal issues are explored in more detail in our white paper, Legal Aspects of Managing Data.
A 4 STEP APPROACH TO DATA GOVERNANCE
Managing your data projects. The third view of data – balancing effective and legally compliant use of the organisation’s data assets – is superimposed on the first two, the common data legal framework and the data engine (see Figure 3 below). Here, the objective is a structured approach to managing data projects with the aim of achieving legally compliant data use across the organisation in a technically enhanced and practical way that allows the business to gain maximum advantage from its data assets.
A four step approach to data governance. However, the rise of generative AI and ML is fuelling a ‘democratisation’ of the benefits of data utilisation, with operational departments outside the CIO’s group looking to use the new capabilities and features. A ‘top down’ approach to data governance may result in a lack of responsiveness and flexibility, whilst a ‘bottom up’ approach driven by operational usage may be fragmented and insufficiently address legal, regulatory and business risk in a way that is consistent with good governance. Practical, incremental management can be built into a structured approach to data governance projects based around four steps:
• Step 1: risk assessment;
• Step 2: strategy statement;
• Step 3: policy statement; and
• Step 4: processes and procedures.
Figure 3: Towards a structured approach for managing data projects
Step 1: risk assessment
• structured process to review/assess/report/remediate
• involve all the business
• establish all data types used and their sources: where does the data come from? what legal wrappers apply to all data (IPR, contract, regulatory)? what consents were obtained/are needed? what processes do these data undergo? what does the organisation use these data for?
Step 2: strategy statement
• high level statement of company goals and strategy re data operations
• establish working group
• start points: risk assessment; GDPR/data protection compliance policies; information security assessments and policies; information architecture; data science best practices; AI ethics frameworks
• CIO’s group is key: information assets; information architecture
• Legal group is key: IPR; contract; regulatory compliance
Step 3: policy statement
• statement of policy re data operations focusing on:
• people context: stakeholder groups
• internal structure: steering group; working party; compliance officer
• governance detail, e.g. ISO/IEC 38505-1
• management detail, e.g. ISO/IEC 19944
• data sharing arrangements
• project planning process: scope; resources; deliverables; timelines; authority levels; approval processes
Step 4: processes/procedures
• standardised data governance and management
• build on existing compliance work: assessments (DPIA, LIA, infosec); policies, practices; AI/data science best practices and frameworks
• anonymise/pseudonymise/hash PD/PII if possible
• data sharing: data trusts and frameworks
• awareness training: initial; refresher
Step 1: risk assessment. The first step or work stream in a data management and governance project is the risk assessment of how the organisation is currently using its data, carried out along the normal lines of review > assess > report > remediate. The review will focus particularly on where data is sourced from, the terms under which it is supplied and how it is being used. The next stage will assess whether use is consistent with contractual and licence terms, etc. and whether all consents necessary for the use cases in question have been obtained (including where the data is personal data). The review and assessment will form part of a report to senior management. The report will normally also include recommendations by way of a remediation plan to put right any areas of non-compliance identified in the assessment, and recommendations that look forward to the strategy and policy aspects of data governance.
Step 2: strategy statement. The strategy statement is the articulation of the organisation’s rationale, goals and governance for data, prepared by an inclusive working group or task force consisting of senior management, the legal team, the CIO’s team and all other stakeholders. Identification and inclusion of all stakeholders, and articulating the prime objective of each in relation to data and how that objective will be achieved, will be critical to successful data governance and management. The strategy statement for big data will need to align with high level corporate objectives and with other strategy statements in the areas of:
• data protection and privacy;
• utilisation of AI and AI/ML ethics frameworks and guardrails;
• information security;
• sector specific data regulation;
• information architecture and data methodologies;
• data science best practices; and
• intellectual property management.
Organisations will therefore be able to build on work already done in these areas to avoid reinventing the wheel. The role of the CIO’s group (looking after IT procurement strategy, the organisation’s information architecture and assets and data modelling) and the General Counsel’s group (looking after the organisation’s IP assets, contracting and regulatory compliance) in formulating the organisation’s strategy will be key.
Step 3: policy statement. Building on and implementing the governance level strategy statement, the policy statement is the next level down and focuses on the people context, internal structure, governance and management detail, approach to data sharing and development of re-usable project planning processes. The working group or task force will be responsible for the third work stream or step of preparing the data policy statement. As part of its focus on the ‘people context’ of data governance, the policy statement will generally settle the detail of the institutional framework – for example, steering group, working party or task force, and whether there will be a data compliance officer (who may also be the current data protection officer, for example). The policy statement will also mandate a project planning process for individual data projects, including setting out:
• scope and dependencies;
• resources needed;
• deliverables;
• timelines (to ensure that projects are completed on budget, on time and to standard);
• authority levels; and
• approval processes.
The working group/task force and policy statement are where the legal considerations around compliant data use across the organisation and the technical considerations around the organisation’s information architecture come together. Central to this work is the organisation’s overall approach to data management, governance and categorisation.
A standards-based approach to data governance: ISO/IEC 38505-1. ISO/IEC 38505-1 applies the governance-of-IT principles of ISO/IEC 38500 to the governance of data. It is addressed to the governing body and is concerned with evaluating, directing and monitoring the organisation’s use of data, rather than with the day-to-day handling of that data.
A standards-based approach to data management and categorisation: ISO/IEC 19944. ISO/IEC 38505-1 makes the point that data governance should not be confused with the field of data management, which has “many well-defined methods for the processing of data as well as mechanisms for ensuring the confidentiality, integrity and availability of that data” (ISO/IEC 38505-1, p. 7). ISO/IEC 19944 looks at the nitty gritty and, in the context of data management relating to the cloud and personal data, provides a standardised, structured and repeatable approach based on identifying relevant use cases, management practices and a common taxonomy.
Step 4: processes and procedures. The policy statement will drill down to the level of the fourth step or work stream, the detailed processes and procedures to be used in the organisation’s data management. They will likely align to GDPR impact assessments (DPIAs, legitimate interests, compatibility and information security assessments), work on anonymisation, pseudonymisation and hashing (noting that hashed or otherwise pseudonymised data remains personal data under the GDPR for as long as the means to re-identify the individual exist), and AI principles and ethical frameworks. They are increasingly likely to be built on technical standards such as ISO/IEC 38505-1, 29100 and 19944 and to involve data trusts and data trust frameworks. The processes and procedures will also tie into the organisation’s HR policies and provide for awareness training.
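The ‘anonymise/pseudonymise/hash PD/PII if possible’ line in Step 4 hides a common mistake in practice: hashing an e-mail address, phone number or customer ID with a plain hash function is not anonymisation and is barely pseudonymisation, because such identifiers have so little entropy that anyone can recompute the hash over a list of guesses and match it. The example below is added here to illustrate that point and is not code from this white paper; the sample e-mail addresses, candidate list and keys are constructed for the demo, and the function names (naive_hash, keyed_pseudonym, reverse_by_dictionary, pseudonymise_records) are the author’s own. It shows the unkeyed hash being reversed by a dictionary, the same attack failing against a keyed HMAC token, and the key (kept apart from the dataset, as GDPR Art. 4(5) contemplates for ‘additional information’) being the one thing that restores the link.

```python
"""Pseudonymising personal identifiers: unkeyed hash versus keyed HMAC.

Added illustration for the 'anonymise/pseudonymise/hash PD/PII' step; it is
not code from the white paper. All identifiers, the candidate list and the
keys below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample of guessable identifiers an attacker could enumerate
# (customer lists, breach dumps, or simply every plausible address).
CANDIDATE_EMAILS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.org",
    "dave@example.net",
]


def normalise(identifier: str) -> str:
    """Canonicalise so that one person always maps to one token (enables joins)."""
    return identifier.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    One-way in the cryptographic sense, but an e-mail address, phone number
    or national ID has little entropy: anyone can recompute the hash over a
    dictionary of guesses and match it. Weak pseudonymisation, not anonymisation.
    """
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the dataset.

    Whoever holds the key can re-link tokens to people; whoever does not
    cannot, even with a complete dictionary. The token is still personal
    data for as long as the key exists.
    """
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          key: Optional[bytes] = None) -> Optional[str]:
    """Recompute the token for each guess and compare in constant time.

    Without the key this is the attacker's dictionary attack, which succeeds
    only against naive_hash tokens. With the key it is the controller's
    legitimate re-identification path.
    """
    for candidate in candidates:
        guess = keyed_pseudonym(candidate, key) if key is not None else naive_hash(candidate)
        if hmac.compare_digest(guess, token):
            return normalise(candidate)
    return None


def pseudonymise_records(records: list[dict], field: str, key: bytes) -> list[dict]:
    """Return copies of `records` with `field` replaced by its keyed token.

    Only the token travels with the dataset; the key stays with the controller.
    """
    out = []
    for rec in records:
        clone = dict(rec)
        clone[field] = keyed_pseudonym(rec[field], key)
        out.append(clone)
    return out


def new_key() -> bytes:
    """Fresh 256-bit key; rotating it makes old and new datasets unlinkable."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    target = "Alice@Example.com"
    print("naive hash recovered:", reverse_by_dictionary(naive_hash(target), CANDIDATE_EMAILS))
    token = keyed_pseudonym(target, key)
    print("keyed, without key  :", reverse_by_dictionary(token, CANDIDATE_EMAILS))
    print("keyed, with key     :", reverse_by_dictionary(token, CANDIDATE_EMAILS, key))
    records = [{"email": target, "claims": 2}, {"email": "bob@example.com", "claims": 0}]
    print(pseudonymise_records(records, "email", key))
```

Two design points matter for the policy work in Step 4. First, the key must live outside the dataset (an HSM, a secrets manager, or at least a separately access-controlled store) or the ‘separately held additional information’ condition is not met and the tokens are no safer than the plain hash. Second, a keyed token removes the direct identifier only; quasi-identifiers left in the other fields (postcode, date of birth, vehicle registration) can still single a person out, so full anonymisation needs aggregation, generalisation or suppression on top of this, and a DPIA should record which of the two the organisation has actually achieved.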
DATA TRUSTS AND DATA FRAMEWORKS: ENABLING COMPLIANT DATA SHARING
Introduction. Data trusts and data trust frameworks (DTFs) are gaining traction as an innovative way to facilitate trusted and regulatorily compliant data sharing. Whilst organisations have different ideas about what data trusts could do, they are nevertheless enthusiastic and eager to find ways of sharing data whilst retaining trust and still deriving benefits for themselves and others.
Towards a definition of data trust. The ODI in its research on what is meant by ‘data trust’ found the term interpreted variously as a ‘repeatable framework of terms and mechanisms’, ‘mutual organisation’, ‘legal structure’, ‘store of data’ and ‘public oversight of data access’, before deciding in favour of ‘a legal structure that provides independent stewardship of data’. In addition to aligning to the ODI’s principles for good data infrastructure, the ODI set out six characteristics that a data trust should have:
What does a data trust framework (‘DTF’) look like? The emerging view is to see the DTF as a legal framework together with a set of common operating rules, technical specifications and interfaces (APIs) agreed for and applying to the DTF’s specific purposes. Duties (including fiduciary duties) may arise internally within the entity (between the entity and its trustees or directors, for example) and between the entity and third parties (around capacity, contracting, rights, duties and liabilities, etc.). Equitable remedies for breach of fiduciary duty include rescission (setting aside), account of profits and other equitable compensation, and proprietary remedies (constructive trusts, tracing and recovering tainted proceeds). Together, the legal and operating rules, specifications and interfaces enable and manage all ‘lifecycle’ activities for the data concerned (acquisition, flow, storage, use, sharing, consumption and deletion) within the ecosystem. The DTF is underpinned by a standardised approach to data categorisation, data management and data governance.
Data trusts on a legislative footing. To capture the benefits of data-driven innovation, the EU and the UK are taking steps to facilitate data sharing across various industries. In the EU, the European Commission is fostering the development of common European data spaces, while the UK government announced the establishment of data-sharing frameworks, referred to as smart data schemes, through Part 1 of the Data (Use and Access) Act (DUA Act). This can be seen as paving the way to put the broad concept of a data trust onto a more specific mandatory, legislative footing for certain types of data sets in the UK and Europe.
The EU’s legislative agenda. The EU’s legislative agenda in this area is more advanced, with its goal being to develop a number of common European data spaces in strategic sectors, including health, finance, agriculture, energy, mobility, research and innovation. These data spaces are intended to make sector-relevant data (such as financial data) findable, accessible, interoperable and reusable (the FAIR data principles). It is doing this by proposing various sector-specific regulations.
The EU Data Act. Key EU legislation in this area includes Regulation (EU) 2023/2854, the EU Data Act, which introduces some general rules of contract law in relation to certain data-sharing agreements to prevent contractual imbalances. There are two sets of key restrictions.
- The first set of restrictions is relevant in cases where data-sharing obligations apply, regardless of the nature of those obligations and whether they are imposed by the EU Data Act or any other EU or national law. Here, Chapter III of the Data Act provides that the data-sharing agreement between the data holder and the data recipient (that is, a third party that receives data at the user’s request) must not be unfair, and (in a B2B situation) that the data must be made available on fair, reasonable and non-discriminatory (FRAND) terms and, unless at the user’s request, non-exclusively. Even in B2B relationships, these agreements may only provide for reasonable and non-discriminatory compensation that takes the Chapter III criteria into account. These general access rules do not apply to obligations to make data available under the GDPR, and voluntary data sharing remains unaffected.
- The second set of restrictions relates to unfair clauses and applies where certain data-related contractual terms have been unilaterally imposed by one party. These data sharing agreements can be either voluntary or result from a legal obligation to make data available. In these situations, the EU Data Act contains a blacklist of clauses that are always unfair, a grey list of clauses that are presumed to be unfair and a general catch-all clause for unfair terms. An unfair contractual term about access to and use of data, or related rules about liability, remedies for breach or termination, that one enterprise has unilaterally imposed on another enterprise is not binding on the other enterprise. In addition, the EU Data Act itself creates a data sharing framework which enables users of connected products (and related services) to access their data and request that their data be shared with data recipients. The Act also sets conditions for when a data holder can be required to make data available to an EU national public sector body, the Commission, the European Central Bank or an EU body in a B2G scenario.
The EU Data Act has extraterritorial effect, meaning it may apply to non-EU organisations in certain circumstances.
Details
Target audience: Digital skills for all; Digital skills for the workforce; Digital skills for ICT professionals; Digital skills for public administration
Digital technology: Big data
Level: Advanced
Type of the educational resource: Methodology
Language of the educational resource: Bulgarian, English
Methodology: Methods for managing data from a legal perspective
Country providing the educational resource: Bulgaria
Organisation providing the educational resource: One-time opportunity