Every organization has some form of “master data.” Whether the information is about customers, products, parts, suppliers, business units, chemicals, material, equipment or other factors, this data is the lifeblood of your organization. The data contained within a master data collection is highly visible in its final form and used throughout an organization by way of invoices, statements, packing slips, warehouse inventory lists, marketing catalogs, supplier listings and customer information. The challenge many organizations have is that their staffs may not recognize this type of information as master data. Master data touches every functional group, including the executive team, legal, finance, human capital, marketing, transportation and logistics, and facilities.


Master data not only consists of data elements viewed or recognized by the end user; it also contains metadata (data about the data) that often acts as the differentiator between what appear to be duplicate data entries. The exposure and proper management of the metadata must be communicated to the organization because removal of what may appear to be a duplicate entry of the master data could prove to be very costly. Secondary or associated data is another element often overlooked when organizations begin to manage their master data. This secondary data is often referred to as the “child” portion of the “parent-child” data relationship. The child data is information that further defines the “parent.” For example, for an online order, the customer name, address and account number comprise the parent data. Different types of child data would include credit card, logon and password information, as well as a list of the items purchased, dollar amount, conversion rate, date of purchase and credit card posting date. If validation rules addressing the management of secondary data are poorly designed, the results could be costly. A poorly designed rule might, for example, specify deleting all primary data sets if no secondary data is present or if a customer’s password has not been accessed in 18 months. Master data with such high exposure requires a strong governance program. Everyone within the organization, as well as third-party suppliers, contractors, etc., is responsible for maintaining its integrity, accuracy and longevity. A governance program provides strategic leadership for an organization by setting the direction for collecting, maintaining and protecting its master data through a series of policies, processes, training and audits.


Methods of Management


Many organizations house master data in various databases and/or software applications, ranging from the very simple to extremely complex. Consequently, managing this data can become extensive and resource draining. The need for management must go beyond simply ensuring that the data is complete and correct - it must be part of the overall governance of the organization. Master data housed in multiple applications and databases requires a very stringent method of management and a commitment from all who have access to any piece or combination of the data. It requires strict accountability, access controls and authorization levels for the various access points of the data. When housed in multiple locations, the data is passed from point to point, depending on the coding instructions. It is possible that authorized individuals will alter data after it appears in its “final format.” What rules are in place to monitor and validate changes in the final format? Is there a process to maintain configuration control, that is, to track these changes back and alter the data in its original location? If not, additional data is being created, adding to the proliferation of master data - and providing a false statistical base for making business decisions.


Many articles have been written recently promoting master data stored in a centralized repository. This may not be feasible for some organizations because of infrastructure, cost or resource availability. However, decentralized and centralized data repositories face common challenges. These include extensive data cleansing and validation of all components, which takes time, resources and commitment from the organization. Data redundancy occurs with data backup and archival practices; protections and restrictions on duplicating sensitive data such as credit card numbers, passwords, and individual financial information cause additional challenges. Privacy protection acts such as the Patriot Act, Fair Credit Reporting Act, European Privacy/Data Protection Directive, HIPAA, and the Australian Information Privacy Principles are more requirements to consider. In some instances, the subordinate or child connection data may outlive its usefulness and be removed prior to the parent. This may result in an “orphaned” dataset during data cleansing or validation.


Many organizations do not include master data management (MDM) as part of their records management program. In more cases than not, master data is the product (for example, invoices, catalogs and marketing material) managed within a records management program. Managing “structured data” may not even appear on the records manager’s radar because structured data is traditionally regarded as the IT department’s territory. A comprehensive records management program should comprise the management of electronically stored data that includes master data.


Managing master data requires high levels of security and validation for accuracy and access. The organization must have multiple layers of security to ensure data availability in each of the databases and applications housing various master data components. The connection of subordinate data associated with the master may be held in another database or software application. In other words, parent and child data are managed separately. The associated data may or may not fall under the same rules and regulatory restrictions as the parent. When dealing with financial information (credit cards, etc.), associated or secondary data is under different regulatory scrutiny than primary (name, address, etc.) data. The longevity and management of associated data will require the same attention and control from the organization’s record retention schedule as the primary data. If the associated data is not currently represented on the schedule, research should be conducted to ensure that all elements of the master data collection are incorporated and controlled under an enterprise record retention schedule.


The Policy


The governing of master data cannot be a line item in the corporate governance program; it must be maintained under its own program. A master data governance program must include a set of policies, procedures, training and awareness programs, and auditing components. The master data policy should identify (but not be limited to) the following:


  • A statement of intent related to the collection, storage and protection of master data and its associated data.
  • Data collection method(s) and specifications regarding longevity of use, protection and dispensation of data. If necessary, a separate data protection policy may be required.
  • Roles and responsibilities related to access control, segregation of duties and accountability.
  • Specific federal, state or local regulatory requirements that must be adhered to.
  • Associated business objectives, goals and core values aligned with the policy.

In a nutshell, a master data policy should outline the organization’s intent to protect, ensure the accuracy of, and manage its master data on a strategic level.


Procedural documentation is required to detail the roles and responsibilities, tasks and processes necessary to ensure that data is collected, protected, archived, compliant with regulations at a global level and disposed of correctly. Needless to say, procedures must be implemented and deployed correctly to ensure that the policy is being carried out properly. Procedural documentation sections should include measures for protection, accuracy, completeness, availability, access control, and employee awareness and training programs. Specific processes should be instituted if the organization has third-party contracts for handling master data, along with procedures for ensuring master data validity and accuracy during technology upgrades, software enhancements and change management processes that involve manipulating master data or any of its subordinate or associated data sets.


Protection Measures


The organization must document and actively participate in the protection of customer data (names, addresses, credit card numbers, etc.) in accordance with federal and state regulations. Depending on how the data is used and stored within the organization, it is likely to be subject to the aforementioned privacy protection acts and SOX or discovery in the event of a legal action. Protection at a global level for the data’s country of origin - not just where the data physically “sits” on the server - also must be considered. Many countries have specific and quite strict regulations regarding security, data protection, collection and management of personal information residing outside of their countries as well as the transmission and use of the data.


Access Control


Depending on the type of data that makes up an organization’s master data, access control is a vital element to be considered within the governance program. Factors to be considered are how the data is used and collected; triggers for obsolescence; who has access at any point of the data collection process; and the justification for access or altering of data.

Consider how the data is collected. If an organization generates its master data via online access, the following security measures should be in place.


  • Encryption,
  • Secured Web sites,
  • Password protection,
  • Credit card masking,
  • Log-on registration,
  • Shipping address,
  • Billing address, and
  • Alternate addresses (address book option).

For example, a customer service (help desk) employee who has access to the information entered from a Web site would be able to correct the data with authorization from the customer. However, what are the process or triggers that allow customer service to access the information? Has data intrusion testing been conducted, and if so, what were the results? Is it possible for a customer to access another customer’s information from the Web site? What measures are in place to protect customers from external and internal intrusion or access to their data? Does the employee exit process include data lockout? Are procedures in place that meet the Federal Reserve SR Letter 01‑15 (SUP), “Standards for Safeguarding Customer Information”?


Third-Party Master Data Management


Organizations that outsource specific functionality such as payroll, accounting, etc. must also have a governance system that manages the third-party company and ensures security. It is essential to protect master data as it is electronically transmitted from the organization to the third-party contract and beyond. Avenues for accuracy and intrusion detection must be present to ensure that vital master data is not being corrupted or manipulated in any way during the process of being managed.


Awareness and Training


Individuals responsible for updating master data must be trained to manage it properly. When updating customer data, validating correct contact information is a key component for effective marketing. Master data is often used for projection of future business; errors in calculation due to incorrect information could influence the organization’s projections. The organization’s responsibility to protect personal information in its custody is another factor to consider. Proper awareness of and compliance with federal and state regulations are imperative when handling customer information.


Technology Upgrades, Enhancements, Change Management


Legacy or obsolete technology becomes an issue when addressing master data. Information housed in legacy systems may prove to be time-consuming and expensive to retrieve and manage related to resource allocation and production cost. The information must remain accessible and valid while being migrated to a new technology. The same holds true when conducting software upgrade testing or product enhancements. Formalized change management processes must include the validation and testing of any master data components to ensure that no alterations have occurred.


Use of Enterprise Records Retention Schedule


Master data is both the lifeblood and business asset of an organization. Therefore, it must fall under the same rules and requirements as other assets. For example, organizations can incorporate the rules of their record retention schedules as it relates to customer data as a guide for the longevity of master data. If the longevity of customer data is X years from last activity, date triggers can be set to the master data collection to begin aging from the most recent customer activity. As with other business records, master data may be subject to legal actions. In this case, the same rules must apply for placing data on “legal hold.” Likewise, master data should be subject to the same retention rules for archival as business records when they have outlived their usefulness. The incorporation of existing retention schedules will not be an easy task, but the overall value of ensuring current data is the payoff. The process can be successfully conducted for all aspects of master data and its associated data in an enterprise retention schedule.


Auditing the Program


Master data policy must include the means for gathering, protecting, using, validating, updating, aging, retaining and deleting nonessential or invalid data. The master data audit process must include a means to measure the accuracy and percentage of new data introduced to the system on a defined schedule.


The audit process will mirror that of the organization’s existing audit programs by combining process activities, security, and IT audits. A key component of any audit is validating policy execution. Each department or employee responsible for the collection, maintenance, use, archival or disposition of master data is subject to the audit process.


The grading or gap analysis of findings from an audit should contain recommendations for improvement and the risk associated with noncompliance with the established policy. The following list is a high-level collection of what needs to be audited within a master data program.


  • Form an audit committee possessing skill sets and knowledge of business drivers, data collection methodologies, security and protection elements, and IT software applications and including subject matter experts specializing in the multiple aspects of master data.
  • Validate that corporate policy is carried out and incorporated into the daily work routine as applicable.
  • Validate that the method of data collection, archival and maintenance adheres to industry best practices.
  • Validate security and protection regulations on a global scale, taking into consideration data protection regulations for the specific countries where the organization is doing business, as well as those data protection regulations for customer data applicable to specific countries of origin.
  • Validate training and awareness program effectiveness.

The protection, accuracy and effectiveness of master data are enterprise-wide responsibilities. Master data is a strategic information asset used to maintain a competitive edge and make effective business decisions. As a highly exposed business asset, it must be viewed as such - and managed and protected with the same high degree of attention paid to other key business assets. Organizations have a legal responsibility to keep their master data secure and protected. A master data program must be part of an organization’s electronic management system, records management program, document management systems and asset management systems. Only by integrating master data throughout these processes will an organization begin to truly manage and protect its master data.
