Data Quality Policy

Regulatory Requirement

Financial entities must adopt a Data Quality Policy as an integral part of the ICT risk management framework. The policy shall ensure that all data processed, stored or transmitted through ICT systems remain accurate, complete, reliable, authentic, timely and securely protected throughout their lifecycle. It must address data integrity, confidentiality, availability and authenticity, while preventing corruption, loss, unauthorised access, and processing errors. The policy ensures resilience of ICT systems by governing the quality of the data on which those systems depend.
Core Components of the Data Quality Policy

Purpose, Scope and Regulatory Alignment

The policy must:

  • Support the ICT risk management framework under Article 6 DORA,
  • Apply to all data processed by ICT systems, including customer data, operational data, security logs, configuration data, metadata, and data exchanged with ICT third-party service providers,
  • Ensure compliance with data quality requirements arising from Article 9(2)–(3) DORA,
  • Support response and recovery activities by ensuring availability of accurate and authentic data during disruptions.

Data Quality Principles

The policy shall define mandatory principles for:

  • Accuracy – data reflect reality without systemic or manual errors;
  • Integrity – data remain complete and unaltered except through controlled processes;
  • Authenticity – data originate from verified and trusted sources;
  • Confidentiality – data are accessible strictly on a need-to-know and need-to-use basis;
  • Availability – data are accessible when needed to support business operations;
  • Reliability – data quality controls ensure dependable outputs across systems;
  • Non-repudiation – relevant data are stored and logged in a manner enabling traceability.

All principles must be embedded into system design, procurement, change management and operational controls.

Data Quality Controls Across the Data Lifecycle

The policy must specify controls for:

  • Data creation and capture – validation mechanisms, authorised sources, secure interfaces, error prevention;
  • Data transfer – secure channels, encryption in transit, validation of completeness and authenticity;
  • Data processing – automated and manual controls preventing corruption, inconsistencies or loss;
  • Data storage – integrity protection, secure configuration of databases, protection against unauthorised manipulation;
  • Data retrieval and usage – role-based access, strong authentication, monitoring of anomalous access;
  • Data archival and deletion – secure retention processes aligned with legal requirements;
  • Data recovery – ensuring that restored data maintain the same integrity as production data.

In all phases, controls must minimise human error, system flaws, and risks linked to poor data administration (Article 9(3)(d) DORA).

Requirements for ICT Solutions Supporting Data Quality (Article 9(3) DORA)

The policy shall require that ICT tools and processes:

  • Protect the means of transfer of data (secure protocols, encryption, network segmentation),
  • Minimise risks of corruption, loss, unauthorised access and technical flaws,
  • Maintain protection against lack of availability, breaches of integrity, confidentiality failures and authenticity problems,
  • Incorporate mechanisms to detect and handle data anomalies and inconsistencies,
  • Ensure data quality in automated systems, including algorithmic processing and event-driven workflows.

The design of ICT solutions must comply with Article 4 DORA (appropriateness of technologies and processes).

Linkage to Information Security Policy (Article 9(4)(a) DORA)

The Data Quality Policy shall:

  • Form a subordinate component of the overall Information Security Policy,
  • Align classification of data and ICT assets with the classification methodology under Article 8 DORA,
  • Ensure that data quality requirements correspond to asset criticality and impact tolerance levels (Article 6(8)(b) DORA).

Access, Authentication and Cryptographic Controls

The policy requires:

  • Role-based access control aligned with Article 9(4)(c) DORA and Article 21 RTS RMF,
  • Strong authentication mechanisms and cryptographic controls per Article 9(4)(d) DORA,
  • Encryption of data at rest, in transit and, where needed, in use,
  • Secure key management in line with Articles 6 and 7 RTS RMF.

These access and authentication controls directly support data quality by preventing unauthorised manipulation or destruction of data.

Data Quality Monitoring and Validation

The policy must define:

  • Continuous monitoring of data quality indicators (e.g., error rates, failed validations, data reconciliation discrepancies),
  • Automated alerts for anomalies affecting data integrity or completeness,
  • Regular reconciliations between systems,
  • Dashboarding and reporting to ICT risk management and operational owners,
  • Integration with logging and anomalous activity detection (Article 12 and Article 23 RTS RMF).

Data quality defects must be logged, categorised and escalated in line with impact on critical or important functions.

Minimum Requirements for Change, Patch, and Update Management

To maintain data quality, the policy shall require:

  • Testing of data migration, conversion and transformation processes under the ICT change management framework (Article 9(4)(e) DORA),
  • Verification that system changes, patches and updates do not negatively affect data integrity, availability or confidentiality,
  • Rollback plans to recover from failed changes.

Responsibilities and Governance

The policy must define:

  • Clear allocation of data quality responsibilities across business, ICT, risk and operations,
  • The role of ICT risk management in monitoring data quality risks,
  • The role of data owners and data stewards,
  • Oversight by senior management as part of its responsibilities under Article 5(2) DORA,
  • Involvement of internal audit in assessing effectiveness of data quality controls.

Dependency on ICT Third-Party Service Providers

The policy shall ensure that:

  • Data quality obligations are embedded in contracts with ICT third-party service providers,
  • Providers supplying or processing data must maintain data quality controls equal to those required internally,
  • Data quality monitoring extends to outsourced data flows (aligned with Article 28 DORA and RTS TPPol).

Incident Management and Data Integrity Protection

The policy must align with the ICT-related incident management process (Article 17 DORA) by ensuring:

  • Data corruption or loss is classified as an ICT-related incident where relevant,
  • Restoration of data to its last known good state is integrated into response and recovery plans (Article 11 DORA),
  • Data quality incidents are logged, subjected to root-cause analysis, and documented.

Continuous Improvement

The policy shall incorporate requirements to:

  • Review and update data quality controls based on threat intelligence, audit findings, data incident trends and technological changes,
  • Periodically reassess data quality risks as part of the ICT risk management framework (Article 6),
  • Incorporate lessons learned from stress events, errors, data incidents and DR failover exercises.

Purpose and Supervisory Significance

Supervisors expect a Data Quality Policy that demonstrates:

  • Full alignment with Article 9 DORA’s objectives of ensuring trusted, accurate, secure and resilient data,
  • Integration with ICT security, change management, incident management and data protection frameworks,
  • Strong governance and demonstrable operational control over data integrity, availability and confidentiality,
  • Clear assurance that data quality weaknesses are systematically identified, escalated and resolved.