Data Governance

Data governance sets the policies that data security enforces. Without it, access controls and DLP have nothing meaningful to act on.

What is Data Governance?

Data governance is the framework of policies, processes, ownership structures, and controls that define how data is managed across an organisation: who can access it, how it must be handled, what retention and deletion requirements apply, and how compliance obligations are met throughout the data lifecycle.

It's not a technology. It's not a tool category. It's the organisational and operational structure that determines what data security programmes are actually trying to protect and enforce.

That distinction matters. Security enforces governance. Without governance policies defining who should have access to what data, under what conditions, and for what purpose, access controls have nothing meaningful to enforce. Without ownership structures defining who is accountable for each data asset, nobody can remediate a misconfiguration finding. Without retention policies, nobody knows when to delete data or when keeping it creates liability.

Governance is the decision layer. Security is the enforcement layer. Neither works well without the other.

What data governance covers

Data governance spans six distinct domains that together define how an organisation manages data as a governed asset rather than an accumulation of unmanaged bits.

Data ownership and accountability

Every data asset should have a designated owner: a business role accountable for defining appropriate use policies, approving access requests, validating the data's accuracy, and making retention decisions. Ownership isn't just an administrative label. During incident investigations, unclear ownership is one of the most consistent causes of response delays. When an analyst identifies suspicious access to a sensitive dataset and needs to validate whether the access pattern was legitimate for that specific business workflow, the data owner is who they call. Without a reachable, accountable owner, that validation takes hours instead of minutes.

Data quality and accuracy

Governance defines standards for data accuracy, completeness, and consistency. For security and compliance contexts, data quality matters specifically because inaccurate classification or incomplete data inventory creates governance gaps. A governance programme that has accurate records of every data asset is more defensible than one with gaps and approximations.

Data classification and sensitivity labelling

Governance defines the classification scheme: what sensitivity levels exist, what types of data fall into each level, what handling requirements apply to each level, and what regulatory frameworks each level maps to. Classification is where governance and security directly intersect: the policies that govern data handling are defined by governance and enforced by security controls that read classification labels.

Access control policy

Governance defines who should have access to what data, at what level of privilege, for what business purposes. Least privilege access is a governance principle before it's a technical control: the decision that a given role needs read-only access to customer records for support operations, but not export rights, is a governance policy decision that identity management and access control systems then enforce technically.

Data lifecycle management

Data doesn't need to be retained forever. Governance defines how long different data types should be kept, what happens when retention periods expire, and what deletion or archiving processes apply. Under GDPR, DPDP, and similar frameworks this is a legal requirement (GDPR calls it storage limitation, alongside data minimisation): personal data must not be retained longer than necessary for the purpose it was collected. Lifecycle management is the governance function that operationalises that requirement.

Compliance mapping and regulatory alignment

Governance translates legal and regulatory requirements into operational policies. GDPR requires data minimisation, purpose limitation, and data subject rights fulfilment. HIPAA requires specific handling controls for PHI. PCI DSS requires specific controls around payment card data. Governance maps those requirements to internal policies and controls, defines who is responsible for each requirement, and maintains the evidence that requirements are being met.

Data governance vs data management vs data security

These three terms are frequently conflated. Each describes a different level of the same overall problem.

Data management is the broadest category: all the processes and technologies that organisations use to acquire, store, organise, and use data effectively. It includes data architecture, database administration, data quality management, ETL processes, and data analytics infrastructure. Data management is primarily a quality and usability discipline: making data accurate, accessible, and useful for the business.

Data governance is the policy and accountability layer within data management: the framework that defines how data must be handled, who is responsible for each data asset, what rules apply to its use, and how compliance obligations are met. Governance sits above the operational layer; it defines the rules that operations must follow.

Data security is the enforcement layer: the technical and operational controls that ensure data is handled in accordance with governance policies. Access controls enforce governance's least-privilege policies. DLP enforces governance's data handling policies at egress points. DSPM monitors whether the current state of the data estate is consistent with governance's classification and access requirements. Security operationalises governance.

The practical implication: if an organisation has strong security tools but weak governance, the security tools are enforcing against poorly defined policies with unclear ownership. The access control policy doesn't specify precisely who should have access to what, so access controls are configured too broadly. Classification policies don't specify how to handle edge cases, so classifiers either miss sensitive data or over-classify everything. Security's enforcement is only as good as governance's policy design.

Why governance is increasingly a security and compliance requirement

Historically, data governance was primarily a data quality and business intelligence discipline: ensuring data was accurate enough for business decision-making. Regulatory frameworks changed that framing.

GDPR created explicit governance requirements as legal obligations: organisations must demonstrate accountability for how personal data is processed, maintain records of processing activities, implement data protection by design, and appoint responsible parties for data protection. That's a governance framework, mandated by law.

DPDP, India's Digital Personal Data Protection Act, follows the same pattern: requiring organisations to know where personal data exists, to demonstrate appropriate safeguards, to respond to data subject rights requests, and to maintain demonstrable control over how personal data is used. Compliance isn't documentation. Under DPDP's framing, it's continuous control.

The security consequence of these regulatory frameworks is that governance has acquired an operational urgency it didn't have before. A governance programme that consists of policy documents and annual reviews can't meet the requirements of frameworks that demand demonstrable, current control over personal data. Governance must be operationalised — continuously monitored, continuously evidenced, continuously enforced.

That's the connection between data governance and the security capabilities that matter: continuous discovery keeps the data inventory current. Continuous classification maintains accurate sensitivity labels. Access reviews validate whether current access configurations match governance policies. Audit evidence generated continuously provides the demonstrable compliance that regulators require.

Governance defines what should be true. Continuous monitoring confirms whether it is.

The data governance failure mode security teams encounter most

Security teams who work with governance frameworks repeatedly encounter the same failure: governance that exists on paper but isn't operationalised.

The policy says: sensitive data should have an identified owner with quarterly access reviews. In practice, ownership is documented for the primary production databases but not for the analytics copies, development environments, or SaaS integrations where most of the sensitive data ends up sitting. Nobody reviews access to those environments because they're not in the ownership register.

The policy says: personal data should be deleted after the retention period expires. In practice, automated retention enforcement exists for the primary systems but not for the data exports, shadow copies, and backup archives that contain the same personal data. The retention clock in the governance records runs out. The data persists.

The policy says: access to sensitive data should follow least privilege. In practice, access provisioning is controlled, but access is never formally revoked when employees change roles or leave. Permissions accumulate. People with roles that no longer require access to sensitive datasets retain that access indefinitely.

Each of these is a governance gap — the distance between the policy that exists and the operational state it describes. Closing those gaps requires continuous monitoring that detects when the operational state diverges from the governance policy, not periodic audits that assess the state at a point in time.

Frequently asked questions

What is data governance?

Data governance is the framework of policies, processes, ownership structures, and controls that define how data is managed across an organisation and who can access it, how it must be handled, how long it should be retained, and how regulatory obligations are met. It's the policy and accountability layer that data security tools enforce technically.

What is the difference between data governance and data security?

Data governance defines the policies: who should have access to what data, how sensitive data must be handled, what retention requirements apply. Data security provides the technical enforcement of those policies: access controls, DLP, encryption, and monitoring. Governance defines what should be true. Security enforces it and monitors whether it actually is.

What is the difference between data governance and data management?

Data management is the broad discipline of acquiring, storing, organising, and using data effectively, primarily focused on quality and usability. Data governance is the policy and accountability framework within data management that defines rules, ownership, and compliance obligations. In other words, governance is the policy layer of the broader data management discipline, not a separate discipline beside it.

Why is data governance important for compliance?

GDPR, DPDP, HIPAA, PCI DSS, and similar frameworks create legal requirements that are fundamentally governance requirements: records of processing activities, data minimisation, data subject rights fulfilment, accountability, and demonstrable safeguards. Compliance with these frameworks requires operational governance and policies that are continuously monitored and enforced, not just documented.

What is Data Under Governance (DUG%)?

Data Under Governance percentage is a metric that measures what proportion of an organisation's sensitive data estate is not just discovered, but actively governed: with identified ownership, accurate classification, access controls aligned to policy, and continuous monitoring in place. It measures whether governance control persists as data moves and accumulates, rather than just whether a governance programme exists.
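The three governance gaps listed under the failure modes above (unowned copies, expired retention on exports, access that outlives a role) and the DUG% figure defined in this answer are both expressions of one operation: compare the governance policy to the observed state of the estate and count the divergences. The following Python is an added illustration of that comparison, not Matters.AI code and not how the product computes DUG%. The policy tables, asset names, grants and roles are constructed for the example; two design choices are assumptions of the example rather than anything the page states: an unlabelled copy inherits its source's classification, and DUG% is taken as the share of sensitive assets (copies included) with no open gap.

```python
"""Policy-vs-state drift check: does the data estate look the way governance says it should?

Added example. All data below is constructed; the policy tables are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# --- Governance policy (hypothetical) --------------------------------------
# Retention limit in days per classification level; "public" has none.
RETENTION_DAYS = {"sensitive": 365, "internal": 730}
# Roles that governance permits to hold access at each classification level.
PERMITTED_ROLES = {"sensitive": {"support", "dpo"},
                   "internal": {"support", "dpo", "analyst"}}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str | None   # None = unlabelled; inherits from its source copy_of
    owner: str | None            # None = nobody in the ownership register
    created: date
    copy_of: str | None = None   # set for exports, analytics copies, backups

@dataclass(frozen=True)
class Grant:
    principal: str
    asset: str

def effective_classification(asset: Asset, by_name: dict[str, Asset]) -> str:
    """Follow copy_of links so an unlabelled copy carries its source's level.
    An unlabelled asset with no traceable source is treated as sensitive until
    classified (fail closed): this is the example's choice, not the page's."""
    seen: set[str] = set()
    a = asset
    while a.classification is None and a.copy_of and a.name not in seen:
        seen.add(a.name)
        a = by_name[a.copy_of]
    return a.classification or "sensitive"

def find_gaps(assets, grants, current_roles, today):
    """Return (asset, gap_type, detail) for every divergence between policy and state.
    current_roles maps principal -> current role; a departed principal is absent."""
    by_name = {a.name: a for a in assets}
    gaps = []
    for a in assets:
        level = effective_classification(a, by_name)
        if level not in RETENTION_DAYS:
            continue  # public data is outside the scope of these checks
        if a.owner is None:
            gaps.append((a.name, "NO_OWNER", f"{level} data with no accountable owner"))
        age = (today - a.created).days
        if age > RETENTION_DAYS[level]:
            gaps.append((a.name, "RETENTION_EXPIRED", f"{age} days old, limit {RETENTION_DAYS[level]}"))
        for g in grants:
            if g.asset != a.name:
                continue
            role = current_roles.get(g.principal)
            if role is None:
                gaps.append((a.name, "STALE_ACCESS", f"{g.principal} has left but still holds access"))
            elif role not in PERMITTED_ROLES[level]:
                gaps.append((a.name, "STALE_ACCESS", f"{g.principal} is now '{role}', not permitted on {level} data"))
    return gaps

def data_under_governance_pct(assets, grants, current_roles, today) -> float:
    """DUG% as assumed here: share of sensitive assets (copies included) with zero open gaps."""
    by_name = {a.name: a for a in assets}
    sensitive = [a.name for a in assets if effective_classification(a, by_name) == "sensitive"]
    gapped = {name for name, _, _ in find_gaps(assets, grants, current_roles, today)}
    governed = [n for n in sensitive if n not in gapped]
    return round(100.0 * len(governed) / len(sensitive), 1) if sensitive else 100.0

# --- Constructed estate: one primary, one other system, two shadow copies ---
TODAY = date(2026, 5, 1)
ASSETS = [
    Asset("customers_db", "sensitive", "Head of Support", date(2025, 11, 1)),
    Asset("support_tickets", "sensitive", "Head of Support", date(2026, 1, 10)),
    Asset("customers_analytics_copy", None, None, date(2025, 12, 1), copy_of="customers_db"),
    Asset("customers_export_2024", None, None, date(2024, 3, 15), copy_of="customers_db"),
    Asset("marketing_site", "public", "Web Lead", date(2023, 1, 1)),
]
GRANTS = [
    Grant("alice", "customers_db"), Grant("alice", "support_tickets"),
    Grant("bob", "customers_db"),                 # bob moved from support to sales
    Grant("carol", "customers_analytics_copy"),   # analyst on an unlabelled sensitive copy
    Grant("dave", "customers_analytics_copy"),    # dave has left; grant never revoked
]
CURRENT_ROLES = {"alice": "support", "bob": "sales", "carol": "analyst"}

if __name__ == "__main__":
    for asset, kind, detail in find_gaps(ASSETS, GRANTS, CURRENT_ROLES, TODAY):
        print(f"{asset:26} {kind:18} {detail}")
    print("DUG%:", data_under_governance_pct(ASSETS, GRANTS, CURRENT_ROLES, TODAY))
```

The check flags six gaps on the constructed estate: the primary database (a role change never revoked), both shadow copies (no owner; a non-permitted role and a departed user on the analytics copy; expired retention on the 2024 export), and nothing on the public site or on the ticket system. Only one of four sensitive assets is clean, so DUG% comes out at 25.0 even though the primary system looks well governed on paper. Running this on a schedule against a live inventory, rather than once at audit time, is the continuous monitoring the section above is describing.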

Published May 1, 2026