Consulting Services • Published 3/15/2022 How SB 475 Changes Data Governance in Texas

As privacy, data protection, and data governance continue to be key topics of board room conversation across the globe, many states have introduced--or passed--legislation to protect their citizens and state agencies from the loss of sensitive or personal data. In Texas, Senate Bill (SB) 475, passed in 2021, requires Texas state agencies and institutions of higher education to implement sound data management, security, and data governance processes throughout their departments. Governor Greg Abbott signed Senate Bill 475 into law and the Department of Information Resources (DIR) was tasked with heading this effort to ensure all departments comply.

What new requirements are included in Texas SB 475?

While SB 475 addresses many new requirements around networks and security, it also requires that all state agencies and institutions with greater than 150 employees appoint a data management officer (DMO). This DMO can be an existing full-time employee or a new hire, although the law does not provide additional funding for the new position. It is the expectation of DIR that this individual has the competency, capability, and authority to guide and direct the agency toward a more mature data governance program. SB 475 Sec.2054.137 outlines several duties of the DMO, including:

• Establish an agency data governance program to identify the agency's data assets, exercise authority and management over the agency's data assets, and establish related processes and procedures to oversee the agency's data assets; and
• Coordinate with the agency's information security officer, the agency's records management officer, and the Texas State Library and Archives Commission to implement best practices for managing and securing data in accordance with state privacy laws and data privacy classifications:
  • Ensure the agency's records management programs apply to all types of data storage media;
  • Increase awareness of and outreach for the agency's records management programs within the agency; and
  • Conduct a data maturity assessment of the agency's data governance program in accordance with the requirements established by department rule.

This requirement of a data maturity assessment is continued, in Sec. 2054.515 of SB 475:

• At least once every two years, each state agency shall conduct an information security assessment of the agency's:
  • Information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities; and
  • Data governance program, with participation from the agency's data management officer, if applicable, and in accordance with requirements established by department rule.
• Not later than November 15 of each even-numbered year, the agency shall report the results of the assessment to:
  • The Department of Information Resources (DIR); and
  • On request, the governor, the lieutenant governor, and the speaker of the house of representatives.

What obstacles may complicate implementation?

For many state agencies and institutions, the concept of data governance may be new, and perhaps a bit abstract. Additionally, many agencies and institutions employ a federated model for data management that can make data governance a challenge. In higher education, for example, central campus administration typically has very little insight into research data being held at the college of business, making it difficult to understand the institution’s complete data footprint. In the near term, DIR has adopted the posture that incremental growth is acceptable since there is a reduced window for conducting the first assessment, which is due to the DIR on November 15, 2022.

Help is available.

Data governance is not a new concept, and there are many frameworks and tools available that can help your department assess and remediate gaps in your program. P&N Data Governance and Privacy professionals take a risk-based approach to this assessment to understand your areas of least capability with the highest potential risk for loss, miscategorization, duplication, or data corruption. Most data governance frameworks have a dozen or more domains, so just getting started can be daunting task.

P&N has helped large Texas state institutions assess their current data governance and data management posture against best practice frameworks. We work closely with internal audit, compliance teams, data management officers, and institution leadership to identify key risk areas and provide a road map to a more mature data governance program. Our assessment methodology leans heavily on the standards leveraged by TAC-202. We can help you grow in incremental compliance with SB 475, better understand your data footprint, and reduce duplication of activities across your agency or institution. Contact us for help assessing how SB 475 may impact your organization, and for support throughout the compliance process.