Choosing the Right Data Governance Approach for your Needs

Author: Jim Barker

There is much debate around the term “data governance.” Many firms try to position the term around the software or services they deliver. They often frame traditional data governance as “command and control,” in line with either the DAMA or the Data Governance Institute definition.


Those definitions are as follows: 


  • DAMA via Dataversity: The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets 
  • Data Governance Institute: A system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods 


These definitions are good and apply to some firms or to specific classes of data for nearly all firms. Employee or personal information is a great example of data that needs a more audit-centric approach to data governance. Yet, software companies that struggle to be successful in the data governance space try to scare people into a more limited definition, start with “we’re not the command-and-control data governance company,” and focus on search and discovery. 


Other packaged software firms that have struggled to deliver use the same argument to convince us that, given the failure rates shared by firms like Gartner and Forrester, you don’t want to focus on the compliance side of data governance. This is a bad look.


They come up with catchy slogans about governance as enablement, governance without governing, or active data governance. The reality is that governance is a lot about investing in an efficient manner to do the things with your data that are required to secure your data, your business, and your future. 


From a pragmatic point of view, there is a middle ground that nearly all companies need to operate and execute in. 


All firms need open, accessible, and searchable data that is trusted and widely available. Additionally, data needs to be brought together in a manner that is auditable and compliant across legal and regulatory disciplines. 


These two aims, promoting firm-wide use of quality data and carrying out more focused compliance or audit activities, can be discussed as “offensive” versus “defensive” data governance.


Offensive versus defensive data governance 

Offensive data governance, the data democratization or open data access approach, can be defined as data governance to gain advantages through the strategic and effective use of data – helping companies get the most out of their data.


Defensive data governance, or the more audit and compliance approach, can be defined as data governance to demonstrate due diligence in the use of data – helping companies prove data is used in the right way. 


The beauty of this model is that most firms will be clearly aligned with one or the other as their core or top priority. In time, they will need to grow beyond their primary focus, either safety and security or market benefits, and aspire to complete their vision with a more comprehensive approach. 


Here are some examples of offensive versus defensive data governance approaches: 

Offensive examples 

Data democratization 

  • Search and discover for the data available 
  • Visualize trusted data upon request 
  • Have mechanisms to ask for help when data cannot be found or requires assistance, clarification, or improvement 


Data literacy 

  • Align definitions for reduced confusion 
  • Assist with providing guidance for common understanding and improved use of data 


Appropriate use of data 

  • Encourage the ability to share data across stakeholders 
  • Share the details of sensitive data based on privacy regulations 


New needs and capabilities for data 

  • Ideation of new data needs 
  • Initialize data requests 
  • Articulate ownership and interest 


AI capabilities 

  • Generative AI for creating content 
  • Natural language processing (NLP) for transformative capabilities and efficiency 
  • Machine learning (ML) for automating tasks and optimizing activities 

Defensive examples 

Data security 

  • Establish and publish data security policies and procedures 
  • Monitor and enforce data security policies 



  • Define the privacy regulations in play 
  • Document the privacy categories and classifications 
  • Verify that data is used in alignment with data privacy regulations for domicile of data 



  • Regularly review and adjudicate data policies and ethical use of data 
  • Provide audit support for all data objects across functional, legal, and legitimate data concerns 
  • Establish reporting capabilities to align with all established policies 


Lineage enumeration 

  • Establish the provenance of data processing 
  • Develop and provision lineage reports that show that proper data execution exists 
  • Share the flow of data to auditors upon request 


Data quality 

  • Ensure quality through stewardship or AI automation 
  • Work across organizations to address data drift, decay, and operational needs 


The definition of data governance is important, but understanding whether your focus is offensive or defensive governance is even more impactful. Firms that establish a focused vision for their approach to data governance, and decide which offensive or defensive elements they are going to focus on, are years ahead of the firms that don’t.


Remember, data governance requires a focused set of activities, and having a data governance vision, a related roadmap, and an execution strategy makes all the difference. Don’t try to do it all from the start. Focus on your data priorities, improve data literacy, and build a culture of data that develops the muscle memory to bring data into daily challenges as they appear.

