How Merck’s Governance Strategy Balances Innovation & Security

Many data teams – especially at large enterprises – fall victim to a difficult paradox: while they generate vast amounts of data across lines of business, actually accessing and using it is incredibly difficult.

Take Merck, for example, the world’s third-largest pharmaceutical company by revenue. Data flowing in from their R&D, manufacturing, and commercial verticals was often siloed, severely limiting their potential to derive meaningful and timely insights from data.

“Data is very spread out in the entire company and governed in pockets,” said Alessandra De Almeida, Executive Director of Data Management & Governance. “And what we want, really, is to socialize and make the data available to the data scientists, data practitioners, data analysts, and executives that really need…this important asset.”

De Almeida sat down with Immuta CEO Matthew Carroll to discuss how her team has navigated these pressing challenges using a data strategy built upon three core concepts:

  1. Data Governance & Management by Design
  2. Establishing a Unified Data Marketplace
  3. Ensuring Legal & GxP Data Compliance

In this blog, we’ll explore these key themes, and how Merck balances innovation with data security and integrity.

1. Data Governance & Management by Design

The first core aspect of Merck’s data strategy is to incorporate data governance and management into processes by design, rather than as a separate function controlled by a single centralized team detached from their data users.

“[From] the moment we are defining … the solution that we’re going to implement to democratize and socialize the data, governance is part of the process,” said De Almeida. “It’s not on top or centralized – we have the principles and playbooks centralized as a guidance, but the execution is embedded in each process.”

“We are seeing data management and governance as a principle – we want to have data management and governance by design.”

Alessandra De Almeida, Executive Director of Data Management & Governance, Merck

By regarding governance as central to data democratization efforts, the Merck team ensures that data access control doesn’t fall by the wayside. Decentralized governance allows teams to control their data according to both applicable regulatory requirements and organizational standards.

This fosters collaboration between business units, detangling the data access and usage process and making resources available to those who need them, without sacrificing security.

2. Establishing a Unified Data Marketplace

With decentralized governance integrated into their data strategy, the Merck team still required a framework that could support both federated controls and self-service access. This framework needed to integrate various types of user roles – data stewards, data owners, data scientists, business users, IT and governance users – as well as the range of data platforms in their data ecosystem, including Databricks, Snowflake, Starburst, and AWS.

This is where the second core aspect of Merck’s strategy was born – an internal data marketplace.

“The data marketplace aims to be the one-stop shop for searching, finding the data, and understanding what is necessary to access this data,” said De Almeida. “In the same environment, [users] request access, subscribe, and have it granted or denied by any reason – in one user experience.”

By creating a data marketplace layer atop their data storage platforms – with data access controls and a data catalog operating in-between – Merck gives users a single location to find, request, and gain access to their data. This allows different teams to keep their existing data stacks, while opening up previously siloed resources to others who will benefit from them.

3. Ensuring Legal and GxP Data Compliance

As a global company, Merck is subject to a number of international standards, best practices, compliance laws, and regulations. From GDPR, to HIPAA, to good practice (GxP) regulations, the Merck team needs its marketplace to be kept up-to-date with evolving requirements in order to avoid the legal, monetary, and reputational penalties of noncompliance. These also include strict manufacturing standards set by regulators like the US Food and Drug Administration (FDA), which requires Merck to send reports to prove compliance.

It’s critical that standards – whether legal or GxP – are interpreted and adhered to as accurately as possible.

“I cannot have a recipe approved and then bake another type of cake,” said De Almeida. “I need to follow the strict recipe, and that is what the GxP meant – it’s a lot of documentation, and audit trails, and checkpoints, and quality gates that will make this data available.”

Federated governance provides the baseline for compliance, allowing each of Merck’s specific teams to create and apply policy based on relevant GxP and legal standards. These team- or domain-specific policies are supplemented with the high-level principles and centralized playbooks that Merck leverages across all data products. The multiple layers of governance – created and applied across teams using Immuta’s plain-language policy authoring – enable Merck to actively maintain compliance with evolving standards. They then prove compliance to bodies like the FDA by submitting comprehensive audit logs – captured by Immuta – that track and record all user activity on their protected data.

Governance at Scale with Immuta

By leveraging Immuta to help implement data governance by design, establish a unified data marketplace, and maintain legal and GxP compliance, Merck exemplifies how to make data accessible and collaborative while upholding compliance and security.

As industries and regulatory demands continue to evolve, Merck’s journey offers valuable insight into how to address governance challenges at scale. To delve deeper into Merck’s experience with Immuta, watch the full webinar here.