Even just thinking about setting up a data governance program can seem overwhelming. It’s hard to know where to start. Kate Carruthers has some of the answers .

Every day there are more reasons for setting up a data governance program. The General Data Protection Regime (GDPR) legislation from the European Union, for example, or the Australian Government’s looming Mandatory Data Breach Notification regime

They all add to the regulatory pressure to get on top of data governance.  Further, with the growth of big data and analytics, it is increasingly important to manage data as an asset.

However, there are some simple measures that will give any organisation a solid foundation for your data governance program.

A good way to start is to get a clear strategic focus and alignment, develop metrics that matter in your organisation, and develop a value proposition that key stakeholders can support. To obtain stakeholders support, be clear on what support you require from them, when you will require action from them, why you need their support, and how it will benefit them.

Build it in the business

The place to start is leadership, and leadership of the data governance program sits best in the business. This is not a technology role, although it will be required to liaise extensively with the information technology team. However, it is imperative that data governance sits somewhere in the organisation that is senior and has access to the C-suite.  This is because data governance is really facilitating a dialogue between the business, risk management, privacy and cyber security.

To setup a data governance office you will need a leader who can work at all levels in the organisation, brief executive stakeholders, navigate politics, facilitate meetings, and ensure that work commitments are kept. This person does not need to be an expert at writing SQL queries, but they do need to be able to converse with all stakeholders, and to understand data, risk, privacy, and cyber security.

Data governance is a team sport. It requires collaboration and coordination between data governance, risk management, privacy, and cyber security. Data governance is a critical foundation for a successful cyber security program. Start by asking the following questions about your data, adapted from Mike Burgess:

  1. Do you know the value of your data?
  2. Do you know who has access to your data?
  3. Do you know where your data is located?
  4. Do you know who is protecting your data?
  5. Do you know how well your data is protected?

These are great practical questions that will enable people to focus on meaningful contributions to the data governance program, instead of being confused by what data governance really means.

As you start to delve into these questions the interplay between data governance, risk and cyber security will become obvious.

Some of the other concerns of data governance include data quality, reference data management, data life-cycle management, cyber security, privacy, and metadata management. It is about controlling and protecting data, ensuring its adherence to standards and increasing its availability and usability for the organisation.

Developing an operating model

The best place to start is in developing a data governance operating model that includes:

  • Data governance policy framework — to provide a mandate for the program, and to ensure that it aligns with corporate strategy. This is critical because it provides the authority for the data governance program.
  • Data governance structure, including roles and responsibilities, and the data governance council or steering committee, as well as an agreed organisational decision-making process. The decision-making process is also critical, and it works in conjunction with the policy framework, because without it there will be disputes.
  • Data governance work flow and work practices, which outline which activities will be undertaken, and how they will be undertaken.
  • Definitions and asset types, including everything that is an organisational data asset, such as reports, systems, policies, databases, and database columns.

This is a good and practical starting point for a data governance program, and it will make sense to both business and technology folks. Business glossaries are also a useful component to start with, because they provide a focus that is relatively low tech, and they provide useful outputs quickly. They also provide a mechanism for implementing the data governance roles and responsibilities fairly quickly.


The metrics that you decide upon will depend upon your organisational context, but it is important to decide upon them and track them so as to substantiate the data governance program. Here are examples of some metrics that could be tracked:

Metadata — Technical Metrics

  • Data flow metrics — number documented, monitored
  • Data dictionary — number of terms, number of search term lookups
  • Orphaned data assets — number of unused reports

Metadata — Business Metrics

  • Response time in determining whether a question can be answered
  • The percentage of data elements where the lineage of a data item can be tracked
  • Number of data elements with an agreed upon business definition

Things to avoid

Some of the ways that data governance programs can fail to thrive include:

  • Analysis paralysis. Failure to just get started and to keep analysing and planning is a common issue. Just get going.
  • Believing that technology will solve everything. The idea that if you can simply find the best technology, then data governance nirvana will be yours, is simply not true.
  • No change management. Data governance is at its heart a change management problem, and this needs due cognisance.
  • Failure to focus on delivery of business value. If the data governance program does not have delivery of business value at its heart then it is guaranteed to fail.

Some final thoughts

There is no set place to start on your data governance journey, and there is certainly no rule book. It is important to ensure that the data governance program is a good fit for your particular organisational environment and culture. But the most important thing is to just get started.