Forum Discussion

tmartinovv
Copper Contributor
Jan 08, 2026

Data Governance... who, how, why?

In our organization, we’ve defined the teams responsible for Data Security (Cybersecurity) and Data Compliance (Records Management). However, there is still uncertainty around which department should own and manage Data Governance. How is it permissioned?

6 Replies

  • Ajeeth_Muthu
    Brass Contributor

    Hey, Data Governance Specialist here 👋

    From a DAMA perspective, Data Governance is a core business function, not a subset of Security or Compliance.

     

    Who owns Data Governance

    According to DAMA, Data Governance sits at the top of the data management framework and provides direction and oversight for all other data management functions. Ownership typically lies with:

    • A Data Office / CDO organization
    • Enterprise Information Management
    • A cross-functional data governance council representing the business

    Security and Compliance are key stakeholders, but not owners. They execute controls based on governance decisions.

     

    Why Data Governance exists

    Data Governance ensures:

    • Clear data ownership and accountability
    • Consistent definitions and business concepts
    • Agreed quality standards
    • Approved usage rules

    Without governance, security and compliance operate in isolation, often enforcing controls on data that is poorly defined or inconsistently owned.

     

    How it is permissioned

    DAMA does describe multiple operating models. Centralized, federated, and decentralized models are all valid, depending on organizational maturity and culture. What matters is that:

    • Decision rights are clearly defined
    • Roles such as data owner, steward, and custodian are formally assigned
    • Tools reflect these roles, but authority comes from governance, not technology

     

    Key distinction

    • Governance decides who is allowed to decide
    • Security decides how data is protected
    • Compliance decides how long data is kept and why

    If you’re interested in going deeper into this, I strongly recommend the DAMA-DMBOK 2.0, which lays out this operating model in detail.

    Also worth noting: DAMA-DMBOK 3.0 is currently in development.

  • This is the classic question in DG.  Most standards bodies say.

    This is my personal opinion: if it resides on the IT side, it will be challenging to get business involvement at the proper levels.  The business side can't do it on its own.  If IT has only technicians and developers with no teams for data quality, data security, etc., it will also be a struggle to get commitment from the IT side.

    • sashakorniakUK
      Brass Contributor

      I saw this at the weekend - https://www.linkedin.com/posts/john-wernfeldt-82894b58_most-executives-say-data-governance-and-mean-activity-7415295344407887872-y1pN?utm_source=share&utm_medium=member_desktop&rcm=ACoAAADSYgAB7W7Kb5SpkEv7Cv40Gf6YJxEKoHw 



       

  • Oesterlin
    Copper Contributor

    The way I see our customers working with this is most often in Data offices, as sashakorniakUK is mentioning.

    The main challenge when working with Data Governance is adoption. I always suggest starting small and slow, and scaling with time. Having good change management material is key: does everyone know what a data product is?

    You need to build your data map in a way that supports different scenarios, including environment segregation, and then make sure that people are not able to edit each other's assets in their collections.
    Then it's all about the unified catalog and how you structure the governance domains, as well as identifying who should be responsible for managing the catalog.

  • This https://www.linkedin.com/feed/update/urn:li:activity:7412818351070027776 will provide you with an overview of Microsoft Purview Solutions. Purview is not just one tool!

    Data Governance is typically owned by a central data or business-led function (such as a Data Office), with permissions and responsibilities clearly defined through role-based access so that policy setting, stewardship, and oversight are shared across business, IT, security, and compliance rather than sitting with a single technical team.

     

    It's a multidisciplinary team.

    There are a few personas within the Data Governance Purview Unified Catalogue.

    • Data Consumers are individuals or teams who access and use data for reporting, analytics, operations, or decision-making, and are responsible for using that data!
    • Data Owners are responsible for specific data products and, in most cases, also own the corresponding Microsoft Purview governance domains and Data Stewards (Purview defined, not DAMA)
    • Data Architects and Data Governance professionals should be involved in defining and overseeing access and permissions, with all access enforced through RBAC (Role-Based Access Control) to ensure consistency, security, and compliance across the organisation.
    • Finally, Data Custodians typically operate at the data map level, where they manage data map domains (usually up to five) and collections, register data sources, and oversee the scanning of Microsoft Purview data assets such as databases, tables, or files that sit within the defined data products.

     

    Do not scan everything indiscriminately like it’s Pokémon; Microsoft Purview is not a data vacuum cleaner.

    Scanning data assets without clear ownership simply creates a well-presented, beautiful chaos in your enterprise data catalogue within the unified Purview catalogue. Get your Gov domains and ownership sorted first and ensure everybody understands what an EDC does.
