Data governance isn't about setting up a committee or buying a catalogue tool. It means assigning who decides the definitions, quality, access, retention and use of each data domain. An SME can start with customers, products, suppliers and finance, apply measurable rules, and resolve issues at the source.
Objectives
- One definition per critical data element.
- Quality sufficient for decision-making.
- Access on a need-to-know basis.
- Traceability.
- Compliance.
- Controlled reuse.
- Less dependency on individual staff.
The AEPD (Spanish DPA) links data governance to proactive accountability and the GDPR principles.
Scope by domain
Don't start with the whole company. It's better to prioritise:
- Customer.
- Product/service.
- Supplier.
- Employee.
- Finance.
- Operations.
Each domain has a business owner (data owner) and an operational steward.
Roles
| Role | Responsibility |
|---|---|
| Sponsor | Priority and resources |
| Data owner | Definition, access and quality |
| Data steward | Rules and issues |
| IT custodian | Platform and security |
| DPO | Privacy and rights |
| User | Correct use and reporting |
You don't need to create all these roles as new hires; you do need to assign the functions to specific people.
Glossary
Each critical term should include:
- Definition.
- Formula.
- Source.
- Owner.
- Frequency.
- Scope.
- Prohibited synonyms.
- Example.
“Active customer” must mean the same thing in the ERP, the CRM and the BI tool — or the differences between systems must be explained.
Minimum catalogue
A controlled spreadsheet can include:
- Dataset/table.
- Description.
- System.
- Owner.
- Sensitivity.
- Legal basis/purpose.
- Quality.
- Retention.
- Users.
- Lineage.
- Issues.
The tool is chosen after the process is defined, not before.
Quality
Dimensions worth controlling:
- Completeness.
- Accuracy.
- Uniqueness.
- Consistency.
- Timeliness.
- Validity.
- Traceability.
Each rule has a threshold and an associated action. For example: valid tax ID (NIF) at 99 % or above, duplicates below 0.5 %, addresses reviewed every two years.
Quality is fixed at the source, not only in the BI report.
Issue management
The data ticket records:
- Domain.
- Failed rule.
- Affected records.
- Impact.
- Root cause.
- Correction.
- Prevention.
- Owner.
- Date.
Recurrence is measured for each type of issue.
Access
Access is granted by role and purpose, with the data owner's approval. Periodic reviews, segregation of duties and automatic deactivation when a user's status changes should all be in place.
Technical access being possible does not mean it is authorised. Exports and local copies must also be governed.
Privacy
For personal data, the following must be considered:
- Purpose and legal basis.
- Data minimisation.
- Accuracy.
- Retention.
- Data subject rights.
- Security.
- Transfers.
- Data processors.
The DPO advises, but the data owner remains responsible for the process.
Lifecycle
- Creation/collection.
- Validation.
- Use.
- Sharing.
- Archiving/blocking.
- Deletion.
Each phase has its own controls. Nothing is kept just “in case it's useful for future analysis.”
Master data
Define the golden record and the matching rules. For customers, for example:
- Identifier.
- Name.
- Tax ID (NIF).
- Contact.
- Status.
- Source.
- Date.
Record merges require traceability and the ability to be reversed.
Lineage
For KPIs and critical data, the following must be known:
- Origin.
- Transformations.
- Destination.
- Owner.
- Version.
This makes it possible to fix errors and audit the data with confidence.
Suppliers and data sharing
Before sharing data with third parties, review:
- Purpose.
- Minimum data required.
- Each party's role.
- Contract.
- Security.
- Destination country.
- Term.
- Data return.
The Data Governance Act regulates specific areas of data sharing and aims to build trust and availability, but it does not replace the GDPR or internal data governance.
Governance for AI systems
Systems that use data to generate outputs need data with clear provenance, quality, permissions and boundaries. The inventory should link each model or system to the datasets it uses. If a piece of data changes, it must be possible to identify which models and reports that change affects.
Metrics
- Domains with an assigned owner.
- Catalogued elements.
- Active rules.
- Issues and resolution time.
- Duplicates.
- Reviewed access grants.
- Data with no defined retention period.
- Reports sharing a common definition.
Measuring the volume of metadata generated is not enough.
Lightweight committee
A monthly 45-minute meeting with this agenda:
- Critical issues.
- Pending definitions.
- Exceptional access requests.
- New projects.
- Metrics.
- Decisions and owners.
90-day plan
Days 1 to 30
Domains, owners, glossary and critical data.
Days 31 to 60
Rules, catalogue, access and lifecycle.
Days 61 to 90
Issues, metrics, AI governance and continuous improvement.
Common mistakes
- Starting with the tool.
- Covering the whole company from day one.
- Making IT solely responsible.
- Not defining the terms.
- Cleaning data only in reports.
- Not setting thresholds.
- Granting access for convenience.
- Not governing exports.
- Keeping data indefinitely.
- Having a committee that makes no decisions.
Checklist
- Domains prioritised.
- Owners and stewards assigned.
- Glossary drafted.
- Minimum catalogue in place.
- Rules and thresholds defined.
- Issue management in place.
- Access reviewed.
- Lifecycle controlled.
- Privacy integrated.
- Metrics and committee up and running.
Frequently asked questions
Do you need a CDO?
Not necessarily. What is needed is sponsorship and domain owners.
Is data governance the same as GDPR?
No. It is a broader concept, but it must incorporate the principles and obligations of data protection.
Which tool should you use?
Start with the minimum that allows you to make decisions, maintain traceability and exercise control; scale the tool once volume justifies it.
Sources
- AEPD (Spanish DPA): data governance and protection policy.
- AEPD: principles and proactive accountability.
- European Commission: Data Governance Act.
- Practical guide to the Data Governance Act.
Summum Consultoría can design the roles, glossary, quality rules and data governance framework in line with the GDPR and with the company's AI systems.