Data governance has a reputation problem. Mention it in a meeting and watch people's eyes glaze over. Propose a governance initiative and hear the groans about "more process" and "slower delivery."
This reputation is, unfortunately, often earned. Too many governance programmes become bureaucratic exercises that slow innovation without improving outcomes.
But it doesn't have to be this way.
The Governance Trap
Traditional governance programmes fail because they're designed around control rather than enablement.
The pattern typically goes:
- An executive mandates governance after a compliance scare
- A team creates extensive policies and processes
- Every data request now requires approvals and documentation
- Delivery slows to a crawl
- Teams start working around governance
- The programme is quietly abandoned
The fundamental mistake: treating governance as a gate rather than a guide.
If your governance programme is primarily experienced as "things I can't do," it's already failing.
Principles for Enabling Governance
1. Governance Should Be Invisible When It Works
Good governance is like good infrastructure — you only notice when it's broken.
This means:
- Automating policy enforcement rather than manual reviews
- Embedding governance into tools people already use
- Making compliant paths the easiest paths
When someone needs to access data, they shouldn't have to think about governance. The system should guide them to appropriate data automatically.
2. Start With Outcomes, Not Policies
Before writing policies, ask: what are we actually trying to achieve?
Common governance outcomes:
| Outcome | Measure | |---------|---------| | Data findability | Time to find relevant data | | Data trust | % of datasets with quality scores | | Compliance | Audit findings, breach count | | Access efficiency | Time from request to access | | Data consistency | Cross-report variance |
Define success metrics first, then design policies that drive those outcomes.
3. Tiered Governance Based on Risk
Not all data needs the same governance rigour. A tiered approach:
Tier 1: Public/Low Sensitivity
- Self-service access
- Basic documentation requirements
- Automated quality checks
Tier 2: Internal/Medium Sensitivity
- Role-based access
- Data owner approval (automated where possible)
- Quality thresholds enforced
Tier 3: Restricted/High Sensitivity
- Explicit access requests with business justification
- Enhanced audit logging
- Periodic access reviews
Most data should be Tier 1 or 2. If everything is Tier 3, you've over-classified.
4. Governance as a Product
The best governance programmes treat their outputs as products:
- Users: Data producers and consumers
- Product: Policies, tools, and enablement
- Feedback: Regular user research and iteration
- Metrics: Adoption, satisfaction, outcomes
Product Thinking
Ask: would people use our governance tools if they weren't mandatory? If no, you have a product problem, not a compliance problem.
Practical Implementation
The Minimal Viable Governance Stack
Start with these five capabilities:
1. Data Catalogue
Every dataset should be findable and documented. At minimum:
- What data exists
- Where it lives
- Who owns it
- What it means (definitions)
Tools: DataHub, Atlan, Alation, or Snowflake's native cataloguing.
2. Automated Classification
Don't rely on humans to classify data sensitivity. Use tools that:
- Scan for PII patterns
- Detect sensitive fields
- Apply default classifications
- Flag for human review only when uncertain
3. Policy-as-Code
Express policies in code, not documents:
- Access policies in your data platform
- Quality rules in dbt or Great Expectations
- Masking rules in your data warehouse
When policies are code, they're enforceable, testable, and version-controlled.
4. Self-Service Access
Reduce governance friction with:
- Role-based defaults (new analyst automatically gets access to X)
- Pre-approved data products (vetted, documented, safe to use)
- Automated approval workflows for standard requests
5. Quality Dashboards
Make data quality visible:
- Quality scores for each dataset
- Trend lines over time
- Alerts when quality degrades
- Clear ownership of issues
Governance Workflows That Work
For Data Access
Old way: Request form → Manager approval → Data team approval → Security review → 2 weeks later, access granted
New way:
- Tier 1/2 data: Automatic based on role
- Tier 3 data: Automated request → Data owner notification → 24-hour SLA → Audit trail
For New Data Products
Old way: Extensive documentation → Governance review board → Weeks of back-and-forth
New way:
- Automated checks (naming, documentation, quality)
- Self-certification by data owner
- Governance review only for Tier 3 or cross-domain products
For Policy Changes
Old way: Policy drafted → Circulated for comment → Committee review → Published → Ignored
New way:
- Policies implemented as code
- Changes tested in non-production
- Deployed with monitoring
- Rolled back if problematic
Measuring Success
Track these metrics to know if your governance is enabling:
Enabling Metrics
- Time to first access: How long from request to usable data?
- Self-service rate: What percentage of access is granted without manual intervention?
- Adoption rate: Are people using your governance tools voluntarily?
Protection Metrics
- Audit findings: Are issues decreasing?
- Breach count: Are you preventing incidents?
- Compliance scores: Are you meeting regulatory requirements?
Quality Metrics
- Documented datasets: What percentage are catalogued?
- Quality coverage: What percentage have quality scores?
- Issue resolution time: How fast are problems fixed?
If your enabling metrics are poor (slow access, low self-service), people will work around governance. Fix enablement first.
Common Pitfalls
1. Governance by Committee
Committees slow everything down. Instead:
- Empower data owners to make decisions
- Reserve committees for cross-domain disputes
- Time-box decisions (no response = approved)
2. Over-Documentation
Not every field needs a paragraph description. Focus on:
- Ambiguous or commonly misused terms
- Business-critical definitions
- Fields with complex derivation logic
3. Compliance Theatre
Don't create policies just to have policies. Every policy should:
- Address a real risk
- Be enforceable
- Be measurable
If you can't say yes to all three, don't create the policy.
Getting Started
If you're starting from scratch:
- Week 1-2: Catalogue your top 20 most-used datasets
- Week 3-4: Classify them by sensitivity tier
- Week 5-6: Implement role-based access for Tier 1/2
- Week 7-8: Set up basic quality monitoring
- Week 9-12: Build self-service access workflows
Start small, measure outcomes, and expand based on what works.