---
name: data-governance
description: Define data ownership, stewardship roles, data classification, retention policies, and access control frameworks.
allowed-tools: Read, Write, Glob, Grep, Task
---
# Data Governance Planning

## When to Use This Skill

Use this skill when:

- Data governance tasks: defining data ownership, stewardship roles, data classification, retention policies, and access control frameworks
- Planning or design: you need guidance on data governance approaches
- Best practices: you want to follow established patterns and standards
## Overview
Data governance establishes the framework for managing data as a strategic enterprise asset. It defines who can do what with data, ensures compliance, and maintains data quality standards.
## Governance Framework

### DAMA-DMBOK Knowledge Areas

```
┌─────────────────────────────────────────────────────────────────┐
│                         DATA GOVERNANCE                         │
│        (Planning, Control, Monitoring across all areas)         │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐           │
│   │    Data     │   │    Data     │   │    Data     │           │
│   │ Architecture│   │  Modeling   │   │   Storage   │           │
│   └─────────────┘   └─────────────┘   └─────────────┘           │
│                                                                 │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐           │
│   │    Data     │   │    Data     │   │ Reference & │           │
│   │  Security   │   │ Integration │   │ Master Data │           │
│   └─────────────┘   └─────────────┘   └─────────────┘           │
│                                                                 │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐           │
│   │ Document &  │   │    Data     │   │    Data     │           │
│   │   Content   │   │   Quality   │   │ Warehousing │           │
│   └─────────────┘   └─────────────┘   └─────────────┘           │
│                                                                 │
│   ┌─────────────┐                                               │
│   │  Metadata   │                                               │
│   │ Management  │                                               │
│   └─────────────┘                                               │
└─────────────────────────────────────────────────────────────────┘
```
## Governance Roles

### Role Definitions
| Role | Responsibility | Scope |
|---|---|---|
| Data Owner | Strategic decisions, policy approval | Domain-level |
| Data Steward | Day-to-day management, quality | Domain/system |
| Data Custodian | Technical implementation | System-level |
| Data Consumer | Appropriate use | Access-level |
| Data Protection Officer | Privacy compliance | Enterprise |
### RACI Template

```markdown
# Data Governance RACI Matrix

| Activity | Owner | Steward | Custodian | Consumer | DPO |
|----------|-------|---------|-----------|----------|-----|
| Define data standards | A | R | C | I | C |
| Approve access requests | A | R | I | I | C |
| Monitor data quality | I | R | A | I | I |
| Handle data breaches | A | C | R | I | A |
| Data classification | A | R | C | I | C |
| Retention enforcement | A | C | R | I | A |
| Privacy impact assessment | A | C | I | I | R |
| Metadata maintenance | I | R | A | I | I |
| Audit compliance | A | R | C | I | A |

A = Accountable, R = Responsible, C = Consulted, I = Informed
```
### Role Assignment Template

```markdown
# Data Domain: Customer

## Data Owner
- Name: Jane Smith
- Title: VP of Sales
- Authority: Approve policy, access, changes
- Contact: jane.smith@company.com

## Data Stewards
| System | Steward | Backup |
|--------|---------|--------|
| CRM | John Doe | Mary Brown |
| E-Commerce | Sarah Lee | Tom White |
| Marketing | Bob Jones | Amy Green |

## Data Custodians
| System | Team | Contact |
|--------|------|---------|
| CRM | Salesforce Admin Team | sf-admin@company.com |
| Data Warehouse | BI Team | bi-team@company.com |
```
## Data Classification

### Classification Levels
| Level | Description | Examples | Controls |
|---|---|---|---|
| Public | No restrictions | Marketing content | None required |
| Internal | Business use only | Org charts, policies | Authentication |
| Confidential | Need-to-know basis | Customer PII, financials | Encryption, access log |
| Restricted | Highly sensitive | PCI data, health records | Strong encryption, MFA, DLP |
### Classification Tags Template

```sql
-- Data classification metadata table (PascalCase - SQL Server convention).
-- One row per classified table or column; ColumnName is NULL for table-level tags.
CREATE TABLE DataClassification (
    ClassificationId    INT IDENTITY PRIMARY KEY,
    TableSchema         VARCHAR(100) NOT NULL,
    TableName           VARCHAR(100) NOT NULL,
    ColumnName          VARCHAR(100),
    ClassificationLevel VARCHAR(20) NOT NULL,
    DataCategory        VARCHAR(50),   -- PII, PHI, PCI, etc.
    RetentionPolicy     VARCHAR(50),
    EncryptionRequired  BIT,
    MaskingRequired     BIT,
    Owner               VARCHAR(100),
    Steward             VARCHAR(100),
    LastReviewed        DATE,
    NextReview          DATE,
    -- Only the four levels of the classification scheme are accepted.
    CONSTRAINT CHK_ClassificationLevel
        CHECK (ClassificationLevel IN ('Public', 'Internal', 'Confidential', 'Restricted'))
);
```
### Classification Example

```markdown
# Table: customers

| Column | Classification | Category | Controls |
|--------|---------------|----------|----------|
| customer_id | Internal | None | None |
| email | Confidential | PII | Masked in lower envs |
| full_name | Confidential | PII | Encrypted at rest |
| ssn | Restricted | PII/Sensitive | Encrypted, tokenized |
| phone | Confidential | PII | Masked in reports |
| address | Confidential | PII | Encrypted at rest |
| credit_card | Restricted | PCI | Tokenized, never stored |
| purchase_history | Internal | None | None |
```
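Worked example (added here; it is not part of the skill and not code from any project the skill describes): a gap check that turns the Classification Levels table into required controls and reports columns whose applied controls fall short. It assumes the levels are cumulative (each level also needs the controls of the levels below it, which the table implies but does not state), that strong encryption satisfies plain encryption, and that the applied controls come from a separate control inventory. The column tags and inventory are constructed sample data modelled on the Classification Example table; the same data also yields the Classification Coverage KPI from the Governance Metrics section.

```python
"""Classification-to-control gap check (added example, not the skill's own code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

LEVEL_ORDER = ["Public", "Internal", "Confidential", "Restricted"]

# Controls each level adds on top of the level below it, from the Classification
# Levels table. Treating the levels as cumulative is an assumption of this example.
LEVEL_CONTROLS: Dict[str, Set[str]] = {
    "Public": set(),
    "Internal": {"authentication"},
    "Confidential": {"encryption", "access_log"},
    "Restricted": {"strong_encryption", "mfa", "dlp"},
}

# A stronger control satisfies the weaker one it subsumes (assumption).
IMPLIES: Dict[str, Set[str]] = {"strong_encryption": {"encryption"}}


@dataclass(frozen=True)
class ColumnTag:
    """One DataClassification row plus the controls actually applied to the column."""
    table: str
    column: str
    level: str
    category: Optional[str]
    applied: frozenset


def required_controls(level: str) -> Set[str]:
    """Controls a column at `level` must have; rejects levels outside the CHECK constraint."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown classification level: {level!r}")
    needed: Set[str] = set()
    for lvl in LEVEL_ORDER[: LEVEL_ORDER.index(level) + 1]:
        needed |= LEVEL_CONTROLS[lvl]
    return needed


def effective_controls(applied: Iterable[str]) -> Set[str]:
    """Expand the applied controls with the weaker controls they imply."""
    effective = set(applied)
    for ctrl in list(effective):
        effective |= IMPLIES.get(ctrl, set())
    return effective


def find_control_gaps(tags: Iterable[ColumnTag]) -> Dict[str, List[str]]:
    """Map 'table.column' to its sorted missing controls; columns without gaps are omitted."""
    gaps: Dict[str, List[str]] = {}
    for tag in tags:
        missing = required_controls(tag.level) - effective_controls(tag.applied)
        if missing:
            gaps[f"{tag.table}.{tag.column}"] = sorted(missing)
    return gaps


def classification_coverage(all_columns: Iterable[str], tags: Iterable[ColumnTag]) -> float:
    """Classification Coverage KPI: percentage of inventoried columns that carry a tag."""
    columns = set(all_columns)
    tagged = {f"{t.table}.{t.column}" for t in tags} & columns
    return round(100.0 * len(tagged) / len(columns), 1) if columns else 100.0


# Constructed inventory: the eight columns of the Classification Example table.
INVENTORY = [f"customers.{c}" for c in (
    "customer_id", "email", "full_name", "ssn", "phone", "address",
    "credit_card", "purchase_history")]

# Constructed tags: two inventoried columns (phone, address) are deliberately untagged.
SAMPLE_TAGS = [
    ColumnTag("customers", "customer_id", "Internal", None, frozenset({"authentication"})),
    ColumnTag("customers", "email", "Confidential", "PII", frozenset({"authentication", "masking"})),
    ColumnTag("customers", "full_name", "Confidential", "PII",
              frozenset({"authentication", "encryption", "access_log"})),
    ColumnTag("customers", "ssn", "Restricted", "PII/Sensitive",
              frozenset({"authentication", "encryption", "access_log", "mfa", "dlp"})),
    ColumnTag("customers", "credit_card", "Restricted", "PCI",
              frozenset({"authentication", "strong_encryption", "access_log", "mfa", "dlp"})),
    ColumnTag("customers", "purchase_history", "Internal", None, frozenset()),
]

if __name__ == "__main__":
    for column, missing in find_control_gaps(SAMPLE_TAGS).items():
        print(f"{column}: missing {', '.join(missing)}")
    print(f"classification coverage: {classification_coverage(INVENTORY, SAMPLE_TAGS)}%")
```

Running it lists `customers.email` (no encryption or access log behind its masking), `customers.ssn` (encrypted, but not with the strong encryption Restricted demands) and `customers.purchase_history` (no authentication), and reports 75% coverage because two inventoried columns have no tag at all. Feeding the real `DataClassification` rows and a control inventory into `find_control_gaps` gives the steward a concrete review list rather than a coverage percentage alone.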
## Retention Policies

### Retention Schedule Template
```markdown
# Data Retention Schedule

| Data Category | Retention Period | Legal Basis | Disposal Method |
|---------------|-----------------|-------------|-----------------|
| Customer PII | 7 years post-relationship | GDPR, CCPA | Secure deletion |
| Transaction Data | 7 years | Tax regulations | Archive, then delete |
| Audit Logs | 7 years | SOX compliance | Archive, then delete |
| Marketing Consent | Duration of consent | GDPR | Delete on withdrawal |
| Employee Records | 7 years post-employment | Employment law | Secure deletion |
| Web Analytics | 26 months | GDPR | Automatic purge |
| Backup Data | 90 days | Business continuity | Overwrite |
```
### Retention Implementation

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;

// Base service: the scheduling loop lives here, the store-specific disposal
// handlers (one per DisposalMethod) are supplied by a derived class.
public abstract class DataRetentionService
{
    private readonly IDataContext _context;
    private readonly ILogger<DataRetentionService> _logger;

    protected DataRetentionService(IDataContext context, ILogger<DataRetentionService> logger)
    {
        _context = context;
        _logger = logger;
    }

    public async Task ApplyRetentionPolicies(CancellationToken ct)
    {
        // Only active policies are enforced; a disabled policy never triggers disposal.
        var policies = await _context.RetentionPolicies
            .Where(p => p.IsActive)
            .ToListAsync(ct);

        foreach (var policy in policies)
        {
            // Records whose retention trigger date is before the cutoff have expired.
            var cutoffDate = DateTime.UtcNow.AddDays(-policy.RetentionDays);

            switch (policy.DisposalMethod)
            {
                case DisposalMethod.HardDelete:
                    await HardDeleteExpiredRecords(policy, cutoffDate, ct);
                    break;
                case DisposalMethod.SoftDelete:
                    await SoftDeleteExpiredRecords(policy, cutoffDate, ct);
                    break;
                case DisposalMethod.Archive:
                    await ArchiveExpiredRecords(policy, cutoffDate, ct);
                    break;
                case DisposalMethod.Anonymize:
                    await AnonymizeExpiredRecords(policy, cutoffDate, ct);
                    break;
                default:
                    // Fail loudly: an unknown method must not silently retain data past its schedule.
                    throw new InvalidOperationException(
                        $"Unknown disposal method {policy.DisposalMethod} for policy {policy.Name}");
            }

            _logger.LogInformation(
                "Applied retention policy {PolicyName} for data before {CutoffDate}",
                policy.Name, cutoffDate);
        }
    }

    protected abstract Task HardDeleteExpiredRecords(RetentionPolicy policy, DateTime cutoffDate, CancellationToken ct);
    protected abstract Task SoftDeleteExpiredRecords(RetentionPolicy policy, DateTime cutoffDate, CancellationToken ct);
    protected abstract Task ArchiveExpiredRecords(RetentionPolicy policy, DateTime cutoffDate, CancellationToken ct);
    protected abstract Task AnonymizeExpiredRecords(RetentionPolicy policy, DateTime cutoffDate, CancellationToken ct);
}
```
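Worked example (added here; not part of the skill and not the retention service above): a schedule evaluator that decides, per record, whether it is retained, on hold, or due for disposal. It covers the cases the schedule implies but the C# loop leaves to its handlers: a legal hold that overrides disposal, consent-based retention with no fixed period ("delete on withdrawal"), and a category with no policy, which is flagged for review instead of being silently kept. The policies are taken from the Retention Schedule Template with 7 years approximated as 2555 days (an assumption); all records, dates and category names are constructed sample data.

```python
"""Retention schedule evaluator (added example, not the skill's own code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Iterable, List, Optional


class DisposalMethod(Enum):
    HARD_DELETE = "hard_delete"
    SOFT_DELETE = "soft_delete"
    ARCHIVE = "archive"
    ANONYMIZE = "anonymize"


@dataclass(frozen=True)
class RetentionPolicy:
    category: str
    retention_days: Optional[int]  # None means "for the duration of consent"
    disposal: DisposalMethod
    legal_basis: str


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    # Date the retention clock starts (relationship end, transaction date,
    # consent withdrawal). None means the trigger has not happened yet.
    trigger_date: Optional[date]
    legal_hold: bool = False


@dataclass(frozen=True)
class RetentionAction:
    record_id: str
    action: str  # a DisposalMethod value, or "retain" / "hold" / "review"
    reason: str


def evaluate_retention(policies: Iterable[RetentionPolicy], records: Iterable[Record],
                       as_of: date) -> List[RetentionAction]:
    """Return one action per record for the given evaluation date."""
    by_category = {p.category: p for p in policies}
    actions: List[RetentionAction] = []
    for rec in records:
        policy = by_category.get(rec.category)
        if policy is None:
            # Unknown category: governance gap, route to the steward rather than guess.
            actions.append(RetentionAction(rec.record_id, "review",
                                           f"no retention policy for category {rec.category!r}"))
            continue
        if rec.trigger_date is None:
            actions.append(RetentionAction(rec.record_id, "retain", "retention trigger has not occurred"))
            continue
        if policy.retention_days is None:
            expiry = rec.trigger_date  # consent-based: dispose on withdrawal
        else:
            expiry = rec.trigger_date + timedelta(days=policy.retention_days)
        if as_of < expiry:
            actions.append(RetentionAction(rec.record_id, "retain", f"expires {expiry.isoformat()}"))
        elif rec.legal_hold:
            # Expired, but a hold freezes disposal until it is lifted.
            actions.append(RetentionAction(rec.record_id, "hold", "legal hold overrides the disposal schedule"))
        else:
            actions.append(RetentionAction(rec.record_id, policy.disposal.value,
                                           f"{policy.legal_basis}; expired {expiry.isoformat()}"))
    return actions


# Constructed policies, taken from the Retention Schedule Template (7 years = 2555 days here).
SEVEN_YEARS = 7 * 365
POLICIES = [
    RetentionPolicy("Customer PII", SEVEN_YEARS, DisposalMethod.HARD_DELETE, "GDPR, CCPA"),
    RetentionPolicy("Transaction Data", SEVEN_YEARS, DisposalMethod.ARCHIVE, "Tax regulations"),
    RetentionPolicy("Marketing Consent", None, DisposalMethod.HARD_DELETE, "GDPR"),
]

# Constructed records evaluated as of 2025-06-01.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("cust-1", "Customer PII", date(2017, 1, 15)),                  # expired
    Record("cust-2", "Customer PII", date(2020, 3, 1)),                   # still inside retention
    Record("cust-3", "Customer PII", date(2016, 5, 5), legal_hold=True),  # expired but on hold
    Record("txn-1", "Transaction Data", date(2016, 4, 10)),               # expired -> archive
    Record("consent-1", "Marketing Consent", None),                       # consent still active
    Record("consent-2", "Marketing Consent", date(2025, 5, 30)),          # consent withdrawn
    Record("log-1", "Debug Logs", date(2025, 1, 1)),                      # no policy at all
]


def actions_by_record(as_of: date = AS_OF) -> Dict[str, str]:
    """Convenience view: record id -> action for the sample data."""
    return {a.record_id: a.action for a in evaluate_retention(POLICIES, SAMPLE_RECORDS, as_of)}


if __name__ == "__main__":
    for action in evaluate_retention(POLICIES, SAMPLE_RECORDS, AS_OF):
        print(f"{action.record_id:10} {action.action:12} {action.reason}")
```

The ordering matters: expiry is decided before the legal-hold check so that an unexpired record on hold still reads as "retain", and a hold only ever suppresses a disposal that is otherwise due. The "review" outcome is the one to alert on, since a record with no policy is a classification gap, not a retention decision.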
## Access Control Framework

### Access Control Model

```
┌─────────────────────────────────────────────────────────────────┐
│                      ACCESS CONTROL LAYERS                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │            ROLE-BASED ACCESS CONTROL (RBAC)             │   │
│   │               Users → Roles → Permissions               │   │
│   └─────────────────────────────────────────────────────────┘   │
│                                ▲                                │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │          ATTRIBUTE-BASED ACCESS CONTROL (ABAC)          │   │
│   │  User Attrs + Resource Attrs + Environment → Decision   │   │
│   └─────────────────────────────────────────────────────────┘   │
│                                ▲                                │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │                   DATA-LEVEL SECURITY                   │   │
│   │        Row-Level Security + Column-Level Masking        │   │
│   └─────────────────────────────────────────────────────────┘   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
### Access Request Template

```markdown
# Data Access Request

## Requestor Information
- Name: [Employee Name]
- Department: [Department]
- Manager: [Manager Name]
- Business Justification: [Why access is needed]

## Access Details
| Data Asset | Access Type | Duration | Classification |
|------------|-------------|----------|----------------|
| Customer Database | Read | Permanent | Confidential |
| Sales Reports | Read | 6 months | Internal |
| Analytics Dashboard | Read/Write | Permanent | Internal |

## Approvals Required
| Approver | Role | Status | Date |
|----------|------|--------|------|
| Data Owner | Jane Smith | Pending | |
| IT Security | Security Team | Pending | |
| Manager | [Manager Name] | Approved | YYYY-MM-DD |

## Conditions
- [ ] Security training completed
- [ ] NDA signed
- [ ] Access will be reviewed in [X] months
```
### Row-Level Security Example

```sql
-- SQL Server Row-Level Security
CREATE SCHEMA Security;
GO

-- Predicate function: returns a row (access granted) when the caller's login name
-- matches the region, the caller is a DataAdmin, or the region is listed for the
-- caller in dbo.UserRegionAccess. SCHEMABINDING is required for security predicates.
CREATE FUNCTION Security.fn_CustomerAccess(@Region VARCHAR(50))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS access_result
    WHERE
        @Region = USER_NAME()
        OR IS_MEMBER('DataAdmin') = 1
        OR @Region IN (
            SELECT region
            FROM dbo.UserRegionAccess
            WHERE user_name = USER_NAME()
        );
GO

-- Bind the predicate to the Customers table; rows that yield no result are filtered out.
CREATE SECURITY POLICY CustomerFilter
    ADD FILTER PREDICATE Security.fn_CustomerAccess(region)
    ON dbo.Customers
    WITH (STATE = ON);
```
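Worked example (added here; not part of the skill and not code from the database above): the three layers of the Access Control Model applied in sequence to an in-memory customers table. Layer 1 resolves users to roles to permissions; layer 2 applies an attribute rule taken from the Classification Levels table (Restricted data requires MFA); layer 3 filters rows with the same rule as `fn_CustomerAccess` (own regions or the DataAdmin role) and masks Confidential and Restricted columns outside production (the "masked in lower envs" control from the Classification Example). The roles, users, rows, the `"prod"` environment name and the masking format are constructed assumptions.

```python
"""Layered access decision: RBAC, then ABAC, then data-level security (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, List

LEVEL_ORDER = ["Public", "Internal", "Confidential", "Restricted"]

# Constructed role model (layer 1).
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "DataAdmin": frozenset({"customers:read", "customers:write"}),
    "SalesAnalyst": frozenset({"customers:read"}),
    "Marketing": frozenset({"campaigns:read"}),
}

# Column classifications from the Classification Example table (region assumed Internal).
COLUMN_CLASSIFICATION = {
    "customer_id": "Internal",
    "email": "Confidential",
    "full_name": "Confidential",
    "ssn": "Restricted",
    "region": "Internal",
}

# Constructed rows; identifiers are obviously fake.
CUSTOMERS: List[Dict[str, Any]] = [
    {"customer_id": 1, "email": "ann@example.com", "full_name": "Ann Adams", "ssn": "000-00-0001", "region": "EU"},
    {"customer_id": 2, "email": "bob@example.com", "full_name": "Bob Brown", "ssn": "000-00-0002", "region": "US"},
    {"customer_id": 3, "email": "cy@example.com", "full_name": "Cy Chen", "ssn": "000-00-0003", "region": "EU"},
]


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    regions: frozenset  # the caller's rows in dbo.UserRegionAccess
    mfa_verified: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass(frozen=True)
class QueryResult:
    decision: Decision
    rows: List[Dict[str, Any]]


def rbac_check(user: User, permission: str) -> Decision:
    """Layer 1: users -> roles -> permissions."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles))
    if permission in granted:
        return Decision(True, f"{permission} granted via roles")
    return Decision(False, f"no role of {user.name} grants {permission}")


def abac_check(user: User, columns: List[str]) -> Decision:
    """Layer 2: the highest classification among the requested columns sets the bar."""
    if not columns:
        return Decision(False, "no columns requested")
    unknown = [c for c in columns if c not in COLUMN_CLASSIFICATION]
    if unknown:
        return Decision(False, f"unclassified columns requested: {unknown}")
    highest = max((COLUMN_CLASSIFICATION[c] for c in columns), key=LEVEL_ORDER.index)
    if highest == "Restricted" and not user.mfa_verified:
        return Decision(False, "Restricted data requires MFA")
    return Decision(True, f"attribute checks passed at level {highest}")


def row_visible(user: User, row: Dict[str, Any]) -> bool:
    """Layer 3a: row-level filter, the same rule as fn_CustomerAccess."""
    return "DataAdmin" in user.roles or row["region"] in user.regions


def mask_value(value: Any) -> str:
    text = str(value)
    return text[0] + "***" if text else "***"


def render_cell(row: Dict[str, Any], column: str, environment: str) -> Any:
    """Layer 3b: Confidential and Restricted columns are masked outside production."""
    level = LEVEL_ORDER.index(COLUMN_CLASSIFICATION[column])
    if environment != "prod" and level >= LEVEL_ORDER.index("Confidential"):
        return mask_value(row[column])
    return row[column]


def query_customers(user: User, columns: List[str], environment: str = "prod") -> QueryResult:
    """Run all three layers; a denial at any layer returns no rows and the reason."""
    decision = rbac_check(user, "customers:read")
    if not decision.allowed:
        return QueryResult(decision, [])
    decision = abac_check(user, columns)
    if not decision.allowed:
        return QueryResult(decision, [])
    rows = [{c: render_cell(r, c, environment) for c in columns}
            for r in CUSTOMERS if row_visible(user, r)]
    return QueryResult(Decision(True, "granted"), rows)


# Constructed users.
ANALYST_EU = User("alice", frozenset({"SalesAnalyst"}), frozenset({"EU"}), mfa_verified=False)
ADMIN = User("dora", frozenset({"DataAdmin"}), frozenset(), mfa_verified=True)
MARKETER = User("mike", frozenset({"Marketing"}), frozenset({"US"}), mfa_verified=True)

if __name__ == "__main__":
    for user, cols, env in ((MARKETER, ["customer_id"], "prod"),
                            (ANALYST_EU, ["customer_id", "ssn"], "prod"),
                            (ANALYST_EU, ["customer_id", "email"], "dev"),
                            (ADMIN, ["customer_id", "ssn"], "prod")):
        result = query_customers(user, cols, env)
        print(f"{user.name} {cols} in {env}: {result.decision.reason} -> {result.rows}")
```

Each layer narrows rather than widens: RBAC decides whether the asset is reachable at all, ABAC decides whether this request in this context meets the classification's bar, and only then does data-level security decide which rows and which cell values the caller actually sees. Keeping the row rule identical to the database predicate means an application-side check and the RLS policy cannot drift apart.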
## Data Catalog

### Catalog Entry Template

```markdown
# Data Asset: Customer Master

## Overview
| Property | Value |
|----------|-------|
| Asset Name | customer_master |
| Asset Type | Table |
| Database | DataWarehouse |
| Schema | dbo |
| Owner | Sales Domain |
| Steward | John Doe |
| Classification | Confidential |

## Description
Single source of truth for customer information, consolidated from CRM, E-commerce, and ERP systems.

## Schema
| Column | Type | Description | Classification | PII |
|--------|------|-------------|----------------|-----|
| customer_id | UUID | Primary key | Internal | No |
| email | VARCHAR | Contact email | Confidential | Yes |
| full_name | VARCHAR | Customer name | Confidential | Yes |
| segment | VARCHAR | Customer segment | Internal | No |

## Lineage
- Source: CRM.customers, Ecom.users, ERP.accounts
- Transforms: MDM matching/merging, standardization
- Consumers: BI Reports, Marketing, Sales

## Quality Metrics
| Metric | Target | Current |
|--------|--------|---------|
| Completeness | 98% | 96% |
| Accuracy | 99% | 97% |
| Timeliness | Daily | Daily |

## Related Assets
- customer_addresses
- customer_orders
- customer_preferences
```
## Governance Metrics

### Key Performance Indicators
| Metric | Description | Target |
|---|---|---|
| Data Quality Score | Composite quality rating | > 95% |
| Classification Coverage | % of data classified | 100% |
| Policy Compliance | % compliant with policies | 100% |
| Access Review Completion | % reviews completed on time | 100% |
| Issue Resolution Time | Avg days to resolve | < 5 days |
| Stewardship Coverage | % domains with stewards | 100% |
## Validation Checklist
- Governance roles defined (owner, steward, custodian)
- RACI matrix created for key activities
- Data classification scheme established
- Retention policies documented
- Access control framework defined
- Data catalog structure planned
- Governance metrics identified
- Review cycles established
## Integration Points

Inputs from:
- `conceptual-modeling` skill → Data domains
- Legal/Compliance teams → Regulatory requirements
- Business units → Ownership assignments

Outputs to:
- `data-quality-planning` skill → Quality standards
- `schema-design` skill → Security implementation
- `mdm-planning` skill → Stewardship model
- Audit and compliance → Documentation