Data Governance
for Leadership
A 12-week programme for executives and senior managers who want to build data they can trust, comply with confidence, and govern without micromanaging the technical team.
VPs, Directors, C-suite executives, and senior managers who own data assets, make data policy decisions, or are accountable for regulatory compliance — but don't run the technical infrastructure themselves.
A working governance framework, a data quality operating model, a clear accountability structure, and the confidence to lead your organization through audits, regulations, and data-driven transformation.
Self-paced. Each module includes reading, a real-world case study, and a leadership application exercise.
Governance Foundations
Build the mental model that separates data governance from data bureaucracy.
Leaders who understand governance ask better questions of their data teams, set clearer policy expectations, and stop confusing governance with restriction.
1.1 What Data Governance Actually Is (and Is Not) Self-paced reading + reflection Reading · 20 min Workshop · 45 min
Data governance is the most misunderstood function in the modern data organization. This module builds the foundation: what governance covers, what it does not cover, and why the "data police" framing always fails.
- 1 Governance = the rules, roles, and responsibilities that make data trustworthy at scale.
- 2 The four pillars: Data Quality · Data Security · Data Privacy · Data Lifecycle.
- 3 What governance is not: not an IT initiative, not a compliance checkbox, not a one-time project.
- 4 Why "we will govern it later" is the most expensive decision most organizations make.
Accurate, complete, consistent? Owner: Data Stewards. Metric: error rate per domain.
Who can access it, controlled how? Owner: CISO / IT Security. Metric: access audit findings.
Personal data handled lawfully? Owner: Privacy Officer / Legal. Metric: consent coverage.
How long kept, how retired? Owner: Data Engineering. Metric: data age / stale %.
- Assess your organization's governance maturity using the spectrum above.
- Identify which of the four pillars has the weakest ownership today.
- Ask: "If a journalist asked us tomorrow where our customer data lives, could we answer in under an hour?"
87 million user profiles were harvested through a third-party app without meaningful governance controls. The failure was not technical — the data was accessible by design. It was a governance failure: no policy on third-party data access, no ownership of consent data, no lifecycle controls. The cost exceeded $5 billion in regulatory fines.
1.2 Data Ownership: Assigning Accountability Without Confusion Workshop with your own organization Reading · 25 min Workshop · 1.5 hrs
The single most common governance failure is not a technical one — it is the absence of a named human being who is accountable for the accuracy and trustworthiness of a specific dataset. This module establishes the ownership model that prevents that.
- 1 Data Owner vs. Data Steward vs. Data Custodian — three roles that must not be confused.
- 2 Domain-based ownership: who owns Customer, Financial, Product, and HR data.
- 3 The governance council: when to create one, who sits on it, and how to keep it from becoming bureaucratic.
- 4 RACI for data: making accountability visible without creating bottlenecks.
Business executive · accountable for the domain.
"Should this data exist and be used this way?" — e.g. CFO owns Financial data.
Domain expert · responsible for quality rules.
"Is this data accurate and complete?" — e.g. Finance Analyst.
Technical implementer · responsible for storage and access.
"Can this data be accessed by this person?" — e.g. Data Engineer.
- Map your five most critical datasets to a Data Owner — by name, not by title.
- Identify datasets with no named owner — those are your highest governance risk.
- Draft a one-page RACI for your primary business domain.
Walmart's governance council assigns domain ownership across merchandise, supply chain, finance, and customer data — with each domain having a VP-level owner accountable to the CDO. When a data quality issue surfaces in any domain, the accountability path is clear within minutes. The model reduced "who owns this?" escalation by 70%.
1.3 The Data Governance Charter: What to Write, What to Skip Framework exercise Reading · 25 min Workshop · 2 hrs
Most governance charters are written to satisfy an auditor and never opened again. This module shows you how to write a charter that actually governs — short enough to be read, specific enough to be actionable, and flexible enough to survive organizational change.
- 1 The five sections every governance charter needs (and the ten it doesn't).
- 2 How to write a data definition that survives a change of system.
- 3 Policy vs. standard vs. guideline — and why the distinction matters for enforcement.
- 4 How to get executive sign-off without a three-month approval cycle.
- Review your existing governance charter (if one exists) against the five-section template.
- Identify the most outdated section.
- Write the Purpose section for a charter that covers your primary data domain.
Organizations that had invested in data governance before GDPR came into force spent an average of 40% less on compliance implementation than those starting from scratch. A governance charter — particularly a data inventory and ownership matrix — was the single most valuable artifact in the compliance process.
Not sure where to start with governance? We can run a governance readiness assessment for your organization. Talk to our team →
Data Quality & Trust
Establish what data quality means in measurable terms, and the operating model that keeps data trustworthy day to day.
Leaders who can define and measure data quality stop accepting 'the data is wrong' as a fact of life and start holding a specific, owned standard.
2.1 Defining Data Quality: The Six Dimensions That Actually Matter Framework + assessment exercise Reading · 25 min Workshop · 1.5 hrs
"The data is bad" is a complaint, not a diagnosis. This module gives you the six dimensions that turn a vague distrust of data into a specific, measurable, fixable problem.
- 1 The six dimensions: Accuracy, Completeness, Consistency, Timeliness, Uniqueness, Validity.
- 2 How to assess each dimension without a specialist tool.
- 3 Prioritising which dimension to fix first by downstream decision impact.
- 4 Why a dataset can be 100% accurate and still untrustworthy.
matches reality
no missing values
agrees across systems
fresh enough to use
no duplicates
conforms to rules
- Rate one critical dataset on each of the six dimensions.
- Identify which dimension, if fixed, would most improve a real decision.
- Name the owner responsible for the weakest dimension.
Data quality failures in NHS patient record systems, where duplicate records were created for the same individual, contributed to medication errors and care delays. The root issue was a uniqueness failure — and it showed that a quality dimension most leaders never name can carry life-or-death consequences.
2.2 Data Quality Metrics: Measuring What You Cannot Afford to Ignore Workshop + scorecard exercise Reading · 25 min Workshop · 2 hrs
You cannot manage data quality you do not measure. This module turns the six dimensions into a running scorecard with thresholds that trigger action before a quality problem reaches a customer or a board pack.
- 1 Building a data quality scorecard: error rate by domain, null rate by critical field, duplicate rate, freshness SLA.
- 2 Setting quality thresholds that trigger escalation automatically.
- 3 The difference between monitoring quality and merely reporting it.
- 4 Why a single blended quality score hides the failures that matter.
- Define three quality metrics for your most important domain.
- Set a threshold and an owner for each.
- Decide what escalation happens the moment a threshold is breached.
In American Airlines' operational data programs, even a 1% error rate in flight scheduling data had a measurable impact on on-time performance. The lesson for leaders: at scale, a quality figure that sounds trivial in percentage terms can translate directly into operational and financial damage.
2.3 Root Cause Analysis for Data Issues: Finding the Source, Not the Symptom Workshop + post-mortem exercise Reading · 25 min Workshop · 1.5 hrs
Most teams fix the broken report, not the broken process that produced it — so the same issue returns next quarter. This module gives leaders a structured way to find and fix the real source of a data problem.
- 1 Five-Whys applied to a data issue, not a manufacturing defect.
- 2 Distinguishing a data-entry problem, a process problem, and a system-integration problem.
- 3 How to run a data quality post-mortem without blame.
- 4 Why the symptom and the source are often in different systems.
capture / entry
logic / rules
integration
report / use
A problem visible at Consume usually originates upstream. Trace it back, don't patch it forward.
- Take one recurring data issue and run a Five-Whys on it.
- Classify the root cause as source, transform, load, or consume.
- Decide the one process change that would stop it recurring.
A bank attributed duplicate customer records to a recent CRM migration — until a proper root cause analysis revealed the real source: a deduplication rule that had been written incorrectly six years earlier. Fixing the migration would have changed nothing; the symptom and the source were years and systems apart.
Struggling with data quality you can't trust? We build the quality frameworks and monitoring that make data reliable. Talk to our team →
Compliance, Privacy & Risk
Build privacy and compliance into how your organization handles data — before a regulator or a breach forces the question.
Leaders who understand the regulatory landscape make architecture and policy decisions that prevent fines, not just react to them.
3.1 Privacy by Design: What Leaders Must Build In, Not Bolt On Framework + intake exercise Reading · 25 min Workshop · 1.5 hrs
Privacy added at the end of a project is expensive, fragile, and usually incomplete. This module shows leaders how to make privacy a design input — a question asked at intake, not a control bolted on before launch.
- 1 The seven Privacy by Design principles, in plain language.
- 2 Embedding privacy assessment into product and data-project intake.
- 3 Anonymisation vs. pseudonymisation vs. encryption — and when each is appropriate.
- 4 The Privacy Impact Assessment trigger: when a project must stop for review.
Identity removed irreversibly. Best for analytics and sharing.
Identity replaced, re-linkable with a key. Best for processing with safeguards.
Readable only with a key. Best for storage and transmission.
- Add a privacy question to your project or data-request intake process.
- Define when a Privacy Impact Assessment is mandatory in your organization.
- Identify one current dataset where anonymisation would reduce risk with no loss of value.
Apple's differential privacy approach collects aggregate insight from large populations while adding mathematical noise that protects any individual's data. It is a working example of privacy designed into the architecture from the start — capturing the value of data without the exposure that bolt-on controls leave behind.
3.2 Regulatory Landscape: GDPR, PIPEDA, CCPA, and What They Require of You Workshop + applicability exercise Reading · 30 min Workshop · 2 hrs
You do not need to be a lawyer, but you do need to know which laws apply to your data and what they demand. This module maps the major regimes and the rights you must be able to honour on request.
- 1 GDPR (EU/UK), PIPEDA (Canada), CCPA (California): who each governs.
- 2 Data controller vs. data processor — and why the distinction changes your obligations.
- 3 Lawful basis for processing, in plain terms.
- 4 Data subject rights you must operationalise: access, deletion, portability.
EU / UK residents' data
Canadian commercial activity
California consumers
Applicability follows where your customers are, not only where your company is.
- Map which regulations apply to your organization based on where your customers are.
- Confirm whether you act as a controller, a processor, or both, for each major dataset.
- Test whether you could fulfil a deletion request within the legal window today.
British Airways received a £20M GDPR fine after a breach of around 500,000 customer records, traced to a third-party script injected into the booking flow. The penalty reflected not only the breach but governance gaps in how third-party code and customer data were controlled — exactly the obligations the regulation places on a data controller.
3.3 Data Breach Response: The Governance Leader's Playbook Tabletop exercise Reading · 25 min Workshop · 2 hrs
The quality of a breach response is decided long before the breach. This module gives leaders the decision tree for the first 72 hours and shows how governance posture beforehand determines the outcome afterward.
- 1 The first 72 hours: containment, assessment, notification decision.
- 2 Who must be notified — regulators, individuals, the board — and within what timeframes.
- 3 How pre-breach governance posture determines post-breach outcome.
- 4 Why the notification decision is a governance call, not just a legal one.
stop the bleeding
scope & data types
regulators, people, board
close the gap
Each step needs a named owner before the breach, not assigned during it.
- Confirm who owns the breach-notification decision in your organization.
- Check the legal notification windows that apply to your regulated data.
- Run a 30-minute tabletop on a hypothetical breach of your most sensitive dataset.
The NotPetya ransomware attack forced Maersk into roughly 10 days of shutdown, an estimated $300M loss, and a rebuild of its entire IT estate from scratch. The scale of the damage — and the heroic recovery — turned on governance fundamentals: backups, recovery plans, and clear ownership of the response.
Preparing for GDPR, PIPEDA, or CCPA compliance? We help leadership teams build privacy into the architecture, not just the policy. Talk to our team →
Data Lineage, Cataloguing & Lifecycle
Gain the architecture literacy to know where your data comes from, how people find it, and how it should be retired.
Leaders who can read lineage and lifecycle stop trusting numbers blindly and start asking the questions that catch errors before the board does.
4.1 Data Lineage: Knowing Where Your Data Comes From and Where It Goes Reference + applied exercise Reading · 25 min Workshop · 1.5 hrs
Every number in a board pack has a journey behind it. Data lineage is the map of that journey — and the leader who can read it knows which numbers to trust and which to question.
- 1 What lineage is: the audit trail from source system to final report.
- 2 Why lineage matters for debugging, compliance, and impact analysis.
- 3 How to read a lineage diagram without being a data engineer.
- 4 The lineage questions to ask before trusting a number in a board pack.
If you cannot trace a number back to a source system, you cannot defend it.
- Pick one board-level number and trace its lineage back to a source system.
- Identify any transformation step where the definition could change.
- Note any number in your reporting whose origin no one can fully explain.
After the "London Whale" trading loss, JP Morgan faced regulatory pressure to trace every number in a risk report back to its source. The lineage initiative that followed made end-to-end traceability a governance requirement — because a number no one can trace is a number no regulator will accept.
4.2 The Data Catalogue: Making Data Findable and Trustworthy at Scale Framework + adoption exercise Reading · 25 min Workshop · 1.5 hrs
As an organization grows, the biggest data problem stops being "do we have it?" and becomes "can anyone find and trust it?" This module covers the catalogue that solves discovery — and the metadata that makes found data trustworthy.
- 1 What a data catalogue is and why discovery matters at scale.
- 2 Business metadata (definitions, owners, quality ratings) alongside technical metadata.
- 3 How to evaluate whether a catalogue is actually being adopted.
- 4 Why an unused catalogue is worse than none — it implies a trust that isn't there.
% assets catalogued
% with named owner
% with a definition
active users / searches
- Assess whether your critical datasets are discoverable to those who need them.
- Check whether business definitions, not just technical schemas, are captured.
- Identify one high-value dataset that is effectively invisible today.
Airbnb built Dataportal, an internal data catalogue that made datasets, metrics, and their owners searchable across the company. By surfacing what existed and who owned it, it reduced time-to-insight for analysts substantially — turning tribal knowledge into a shared, trustworthy resource.
4.3 Data Lifecycle Management: From Creation to Deletion Framework + retention exercise Reading · 25 min Workshop · 1.5 hrs
Data you keep forever is not an asset — it is a liability accruing silently. This module covers the lifecycle decisions, from retention schedules to right-to-be-forgotten, that keep your data footprint defensible.
- 1 Retention policies and legal holds: keeping what you must, no longer.
- 2 Operationalising the right to be forgotten.
- 3 The real cost — and risk — of keeping data longer than necessary.
- 4 Building a retention schedule that balances regulation, business need, and storage cost.
minimum you must keep
value of keeping it
cost of keeping it
Retain for the longest of regulatory and genuine business need — then delete. "Just in case" is a liability, not a strategy.
- Identify one data domain with no defined retention period.
- Check whether you can actually delete a record when required to.
- Estimate the liability of data you are keeping with no business or legal reason.
A healthcare organization retained patient data indefinitely on a "just in case" basis — until a GDPR audit made the liability visible. Data that had long since lost its business value had quietly become a compliance and breach risk, simply because no one had ever decided when to delete it.
Need to know where your data comes from and how long to keep it? We map lineage, catalogues, and lifecycle for leadership teams. Talk to our team →
Building a Governed Data Culture
Choose the operating model, agreements, and metrics that make governance a habit rather than a one-time project.
Leaders who get the operating model right make governance scale with the organization, instead of becoming a bottleneck everyone learns to route around.
5.1 Federated vs. Centralised Governance: Finding the Right Model for Your Scale Framework + decision exercise Reading · 25 min Workshop · 1.5 hrs
There is no universally right governance structure — only the one that fits your scale and maturity. This module helps leaders choose between centralised, federated, and hybrid models before a poor structural choice calcifies.
- 1 Centralised governance: consistent standards, with bottleneck risk.
- 2 Federated governance: domain ownership and speed, with drift risk.
- 3 Hybrid: a platform team plus domain stewards — where most large organizations land.
- 4 The Data Mesh model for large, multi-domain enterprises.
- Identify which model your organization runs today — by design or by accident.
- Name the biggest pain your current model creates.
- Decide whether a hybrid model would reduce that pain without losing control.
ING Bank's move from centralised to federated data ownership reduced its time-to-data-product from around 18 months to roughly 6 weeks. By pushing ownership into domains while keeping a shared platform, the bank kept consistency where it mattered and gained speed where it counted.
5.2 The Data Contract: Making Agreements Between Teams Explicit Framework + drafting exercise Reading · 25 min Workshop · 1.5 hrs
Most data breakages between teams are not technical failures — they are broken agreements that were never written down. This module introduces the data contract: a formal pact between a data producer and consumer that ends silent breaking changes.
- 1 What a data contract is: schema, quality expectations, SLAs, and change notification.
- 2 Why informal cross-team agreements fail as an organization scales.
- 3 The producer's obligation to notify before a breaking change.
- 4 How a contract turns a vague dependency into an accountable one.
- Identify one critical cross-team data dependency with no written agreement.
- Capture the schema and quality expectations the consumer actually relies on.
- Define how the producer will announce a breaking change.
Uber's internal data contract initiative reduced "silent breaking changes" in data pipelines by roughly 60% in its first year. By making producer-consumer expectations explicit and enforced, the company turned a constant source of downstream breakage into a predictable, governed relationship.
5.3 Governance Metrics: Measuring Whether Your Framework Is Working Workshop + dashboard exercise Reading · 25 min Workshop · 1.5 hrs
A governance framework no one measures quietly becomes theatre. This module gives leaders the metrics that prove governance is working — and the dashboard to put them in front of the CDO or CTO.
- 1 The metrics that matter: quality score trend, policy violation rate, incident MTTD.
- 2 Catalogue adoption rate and steward engagement as leading indicators.
- 3 Building a governance dashboard for the CDO or CTO.
- 4 Tying governance outcomes to accountability without creating fear.
improving?
policy breaches
time to detect
active use
active owners
quarter on quarter
- Choose three governance metrics you could start tracking this quarter.
- Set a baseline for each so you can show a trend, not a snapshot.
- Decide who reviews the governance dashboard and how often.
A global insurer tracked governance maturity quarterly and tied steward performance reviews to the data quality scores in their domains. Making governance measurable — and connecting it to accountability — turned stewardship from a nominal title into an active, performance-relevant role.
Ready to make governance a habit instead of a project? We help leaders design the operating model, contracts, and metrics that scale. Talk to our team →
Capstone & Application
Bring it together: a governance audit, a 90-day roadmap, and a personal commitment to one standing ritual.
Learning without application fades. This capstone turns the framework into an audit, a roadmap, and a habit your organization will feel long after the course ends.
6.1 The Governance Framework Audit: From Assessment to Action Plan Hands-on audit project Reading · 30 min Workshop · 2.5 hrs
The capstone opens with a full picture. You will run a governance maturity audit across all five framework areas and produce a heat map that shows leadership exactly where the organization is well-governed and where it is exposed.
- 1 A maturity audit across all five framework areas from this course.
- 2 Turning an assessment into a heat map leadership can read at a glance.
- 3 Distinguishing well-governed domains from at-risk ones.
- 4 Moving from assessment to a prioritised action plan.
Rate each area by domain. The red cells are your action plan.
- Run a maturity audit across all five framework areas.
- Produce a heat map of which domains are well-governed and which are at risk.
- Prioritise the at-risk cells into a short action list.
The organizations that improve governance fastest rarely start with new tooling — they start with an honest heat map that makes the gaps undeniable. A clear picture of where the red cells are turns a vague sense of risk into a specific, prioritised plan the leadership team can actually fund.
6.2 Building Your Data Governance Roadmap Roadmap development Reading · 25 min Workshop · 2 hrs
A heat map shows the gaps; a roadmap closes them. This module turns your audit into a 90-day governance roadmap with three priority initiatives, each owned and each measurable at the board level.
- 1 Translating audit findings into three priority initiatives.
- 2 Giving every initiative an owner, a success signal, and a board-reportable metric.
- 3 Sequencing for early wins that build governance credibility.
- 4 Keeping the roadmap to 90 days so it survives contact with reality.
Owner · success signal · board metric
Owner · success signal · board metric
Owner · success signal · board metric
- Select three governance initiatives from your heat map's reddest cells.
- Give each an owner and a board-reportable metric.
- Sequence at least one early win in the first 30 days.
Governance roadmaps fail when they try to fix everything at once. The leaders who make durable progress pick three priorities, deliver an early visible win, and use the credibility it earns to fund the next wave. Focus, not ambition, is what moves a governance programme forward.
6.3 Personal Data Leadership Commitment Reflection + action planning Reading · 20 min Workshop · 1.5 hrs
The course ends with you. You will assess your own governance leadership across the six phases, commit to a 90-day sprint, and choose one standing ritual that keeps governance alive after the enthusiasm fades.
- 1 Self-assessment across the six course phases, scored honestly.
- 2 A 90-day governance sprint: audit, change, measure.
- 3 Choosing one standing ritual — weekly quality review, monthly steward sync, quarterly charter review.
- 4 Why a single sustained ritual beats a dozen abandoned initiatives.
Complete the heat map. Name owners for your weakest pillar.
Ship one roadmap initiative. Stand up one quality metric.
Re-score maturity. Embed one standing governance ritual.
- Complete a personal governance leadership self-assessment across all six phases.
- Write a 90-day governance sprint plan.
- Commit to one standing ritual you will not skip.
Durable governance cultures are rarely built by a big-bang programme — they grow from one leader who protects a single recurring ritual, such as a monthly steward sync or a quarterly charter review, until it becomes simply how the organization works. Consistency, not intensity, is what makes governance stick.
Need help building a data-driven organization?
Infra IT Consulting helps leadership teams design data strategy, implement analytics infrastructure, and develop the internal capabilities to make better decisions.