Data Governance Policy
To use this template, simply replace the text in dark grey with information customized to your organization. When
complete, delete all introductory or example text and convert all remaining text to black prior to distribution.
Policy Owner: Name the person/group responsible for this policy’s management.
Policy Approver(s): Name the person/group responsible for implementation approval of this policy.
Related Policies: Name other related enterprise policies both within and external to this manual.
Related Procedures: Name other related enterprise procedures both within and external to this manual.
Storage Location: Describe the physical or digital location of copies of this policy.
Effective Date: List the date that this policy went into effect.
Next Review Date: List the date that this policy must undergo review and update.
Purpose
Describe the factors or circumstances that mandate the existence of the policy. Also state the policy’s basic
objectives and what the policy is meant to achieve.
This policy establishes uniform data governance standards and identifies the shared responsibilities for assuring
the integrity of the data and that it efficiently and effectively serves the needs of [Company Name]. [Company
Name] values access to timely, accurate, and consistent information while fully appreciating the basic security
and privacy requirements involved. Controlled access by employees to administrative information is necessary
to support business functions.
This policy provides direction on the classification, ownership, and retention of data and information for [Company
Name] as well as clarifying accountability for data and information. Data and information as pertaining to this
policy includes both electronic and non‐electronic data.
[Company Name] is reliant upon the confidentiality, integrity, availability, security, and privacy of its data and
information to successfully conduct its operations, meet internal and external stakeholders’ expectations, and
provide services. Therefore, all staff, contractors, users, and external parties of [Company Name] have a
responsibility to protect organizational data and information from unauthorized generation, access, modification,
disclosure, transmission, or destruction and are expected to be familiar with and comply with this policy.
Scope
Define to whom and to what systems this policy applies. List the employees required to comply or simply indicate
“all” if all must comply. Also indicate any exclusions or exceptions, i.e. those people, elements, or situations that
are not covered by this policy or where special consideration may be made.
This policy applies to all critical data and information in [Company Name], including data and information
hosted outside of [Company Name] stored in a cloud service. “Critical data,” in this context, includes
email, personal and shared files, specific application system records, website contents, and operating
system–level information and data. The definition of critical data and scope of this policy will be reviewed
annually. The policy covers the Summary of Information Collected or Produced as listed in Appendix A.
1
Info-Tech Research Group
This policy applies to [staff] who may be creators and/or users of such data. The policy also applies to
third parties who access and use [Company Name] systems and IT equipment or who create, process, or
store data owned by [Company Name].
Definitions
Define any key terms, acronyms, or concepts that will be used in the policy. A standard glossary approach is
sufficient. Refer to Appendix B for Glossary of Terms.
Governing Laws & Regulations
If applicable, list any laws or regulations that govern the policy or with which the policy must comply. Confirm with
the legal department that the list is full and accurate. If there are no pertinent governing laws or regulations, delete
this section.
Data Governance Roles
The following table provides the roles and responsibilities in relation to this policy at [Company Name]:
Role: Governance Body: []
Related Data Asset(s): Enterprise data
Accountabilities and Responsibilities:
    Review and approve the policy on a regular basis

Role: Executive Board (EB): []
Related Data Asset(s): Enterprise data
Accountabilities and Responsibilities:
    Retain records used in the decision-making process for key decisions to demonstrate best practice and risk
    assessment
    Review and approval of this policy and any updates to it as recommended by the Governance Body
    Ensure ongoing compliance with the [GDPR] in their respective areas of responsibility
    Ensure oversight of data protection issues either through their own work or a Data Protection Oversight
    Committee or other governance arrangement
    Ensure the policy is mandated across the entire organization

Role: Data Owners (also known as Trustees): [CFO, CRO, CHR]
Related Data Asset(s): Information of [Company Name] and its business data assets
Accountabilities and Responsibilities:
    Final approval for protected [Company Name] information
    Final approval for protected [Company Name] data assets
    Final approval for [Company Name] data classification schemes
    Data governance policy, processes, and procedures
    Ensure the proper usage of data assets within compliance/legal requirements and [Company Name] internal
    objectives
    Approve user roles/profiles/classes
    Review access, including application data held in network directory locations
    Responsible for data classification, data retention, and master data changes
    Ensure availability of information
    Promote the use of data as a strategic asset
    Play a critical sponsorship role in those projects that create or improve data services pertinent to the data
    for which the data owner is accountable
    Provide final decision-making authority for data escalations
    Product ownership of data services pertinent to the data for which the data owner is accountable, including
    but not limited to MDM services, reference data management services, and data quality services
    Maintain data ownership throughout the data or information lifecycle, from operational system to data lake
    to analytics
    Approve data standards
    Approve business rule models

Role: Data Stewards: [Dir of Marketing, SMEs]
Related Data Asset(s): Various specific data assets pertaining to their area of responsibility, such as HR,
payroll, reporting, etc.
Accountabilities and Responsibilities:
    Authorize access to their data assets as per data governance principles and instructions
    Develop documentation, business rules, data standards, and data quality rules for the use and development
    of their data assets with the assistance of the subject matter experts and the architects
    Act as first point of contact for all data governance issues and change control processes for their data
    assets
    Assess the impact of any high-risk data governance issues and escalate to the relevant Data Owners with
    supporting recommendations
    Assist in creating data standards and data operational procedures
    Assist in creating data rules
    Assist in creating data classification schemes
    Define master data and reference data sets and mappings
    Accountable for data glossary and data catalog maintenance and for publication and communication of those
    artifacts
    Contribute to the creation of data policy and data standards operating procedures
    Be a data literacy champion within [Company Name]
    Approve data visualizations containing data for which the Data Steward is responsible

Role: Data Custodians: [E.g. Application Developers, ETL Engineers, DBA]
Related Data Asset(s): Enterprise data maintained by IT teams, e.g. data warehouse
Accountabilities and Responsibilities:
    Maintain and administer technical security and audit trails of the data
    Responsible for data availability, capacity, accuracy, and consistency
    Oversee and implement data operations and database backup and restore
    Responsible for technical standards and policies

Role: Data Protection Officer: [E.g. CISO, Compliance Officer]
Related Data Asset(s): Enterprise data
Accountabilities and Responsibilities:
    Lead the data protection compliance and risk management function, with responsibility for advising how to
    comply with applicable privacy legislation and regulations, including the [BCB, GDPR]
    Advise on all aspects of data protection and privacy obligations
    Monitor and review all aspects of compliance with data protection and privacy obligations
    Act as a representative of data subjects in relation to the processing of their personal data
    Report directly on data protection risk and compliance to executive management
Policy Statements
Describe the rules that compose the policy. This typically takes the form of a series of short prescriptive and
proscriptive statements. Dividing this section into subsections may be required depending on the length or
complexity of the policy.
1. All corporate data is owned by [Company Name] and, as such, all staff of [Company Name] are
responsible for appropriately respecting and protecting the asset.
2. In order for [Company Name] to effectively manage and safeguard the data assets, procedures must be
in place to guide appropriate data access, ensure the security of the data, and provide a means to
address procedural exceptions.
3. Roles, including both those of individuals with data responsibilities like data ownerships, stewardships,
and custodianships and those of eligible users, are necessary to support data integrity and security.
4. Sharing information across organizational boundaries should be facilitated, where appropriate, in
compliance with the data-sharing policy, where applicable.
5. A sustained data administration function should reinforce a set of definitions for commonly consumed
data, with the understanding that there may be multiple valid definitions.
6. Data integration across [Company Name] should be encouraged to foster data accuracy and uniformity
and to demonstrate an understanding of [Company Name’s] institutional complexity, various data
systems, and differing data formats.
7. Data should be safeguarded to maintain the confidentiality and privacy of personally identifiable
information; such safeguards should be balanced and reflect the necessity for [Company Name] to
conduct its business. Data should be classified based on an agreed-upon data classification scheme and
approved by Data Owners.
8. Access to [Company Name] data should be based on the business needs of the organization and should
enhance the ability of [Company Name] to achieve its mission. Employees should have access to the
data needed to perform their responsibilities, without regard to arbitrary barriers. In many cases, that data
need not be individually identifiable. Follow the data sharing policy guidelines for data usage and sharing
purposes.
9. Before individuals will be allowed to access [Company Name] data, training in the use and attributes of
the data, functional area data policies, and [Company Name] policies regarding data is mandatory.
10. A terminology/taxonomy shall be developed by the [Data Stewardship Advisory Group], or an appropriate
subset, to provide a framework for requesting and producing consistent data across all levels of the
enterprise. The definitions shall be accessible to all [Company Name] data users and shall be included in
training.
11. Data, as a [Company Name] asset, must be safeguarded and managed at all points and across all
systems, from creation to archive, through coordinated efforts and shared responsibilities to ensure its
accuracy. Each functional area will develop and implement processes for identifying and correcting
erroneous or inconsistent data. When and if erroneous or inconsistent data is identified, the [Data
Steward] from the corresponding functional area shall within five business days either correct the data or
escalate the issue to the appropriate Data Owner and [the Data Governance Steering Committee].
Information technology services will develop and implement data auditing processes.
12. Any exceptions to this policy will be fully documented and approved by [the IT Steering Committee].
13. Extraction, manipulation, and reporting of [Company Name] data must be done only for [Company Name]
business purposes:
    Personal use of [Company Name] data, including derived data, in any format and at any location, is
    prohibited.
    Where appropriate, before any information is used outside the Data User's functional unit, verification
    with the functional area manager and data owner is recommended.
14. Before decisions are made concerning data retention and data archiving, the appropriate Data Users
must be consulted.
15. Individuals seeking permission to access data outside of the access plan and defined roles must submit a
written request for nonstandard access.
    This request should include a statement indicating the access being sought and the reason for the
    request and should be submitted to [the Chair of the Data Governance Steering Committee].
    [The Chair] will send the request to the appropriate Data Steward for review and decision. The Data
    Steward will report the decision to the appropriate Data Owner and to the requestor's manager.
Noncompliance
Clearly describe consequences (legal and/or disciplinary) for employee noncompliance with the policy. It may be
pertinent to describe the escalation process for repeated noncompliance.
Violations of this policy will be treated like other allegations of wrongdoing at [Company Name]. Allegations of
misconduct will be adjudicated according to established procedures. Sanctions for noncompliance may include,
but are not limited to, one or more of the following:
1. Disciplinary action according to applicable [Company Name] policies
2. Termination of employment
3. Legal action according to applicable laws and contractual agreements
Agreement
Include a section that confirms understanding and agreement to comply with the policy. Both signatures and
dates are required. A sample statement is provided below.
I have read and understand the [Name of Policy]. I understand that if I violate the rules explained herein, I may
face legal or disciplinary action according to applicable laws or company policy.
___________________________________________
Employee Name
___________________________________________ _______________________________________
Employee Signature Date
Appendix A: Summary of Data and Information
Information Category | Level of Detail | Rationale/Purpose of Data | Data Owner
(Populate one row per category of information collected or produced.)
Appendix B: Standard definitions
Content: Content is information with relevant metadata that has a specific use or is used for a particular
business purpose.
Metadata: Metadata is a set of data that describes and gives information about the data. It is a description
and context of the data. Examples of metadata include:
    Title and description
    Tags and categories
    Who created it and when
    Who last modified it and when
    Who can access or update it
Data Classification: A method or process whereby information/data is classified in accordance with the impact
of data being accessed inappropriately and/or data being lost.
Appendix C: Supporting Documents
The below is a list of policies, procedures, and guidelines that may be used in conjunction with this policy.
Data Protection Policy
Data Protection Procedures
Data Retention Policy
Asset Disposal Policy
Data Classification Policy
Information Security Policy
Network Security Policy
Systems Development Life Cycle Policy
Data Access Management Policy
Data Handling & Clean Desk Policy
Data Encryption & Data Anonymization and Pseudonymization Policy
Privileged User Policy
IT Architecture Security Management Policy
Data Protection Incident Response & Breach Notification Policy
The above list is not exhaustive, and other [Company Name] policies, procedures and standards, and documents
may also be relevant.
Revision History
Version ID | Date of Change | Author | Rationale
_____________________________________________________
For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply
general information only, not specific professional or personal advice, and are not intended to be used as a
substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for
document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech
information in the Header and Footer fields of this document.