Good governance is not paperwork. It is the precondition for trustworthy analytics, defensible AI adoption and clean exits.
A working framework you can implement without a full-time data team, scaled to your size and tuned to your sector. Framework, overlays, templates and a scored self-check. All open, all runnable in your browser.
What changes with scale is formality, not scope. Every governance programme covers the same six questions.
Who is responsible for each dataset and each decision about it?
At SME: one named person, usually the MD or FD. At mid-market: RACI per major dataset and a quarterly review. At enterprise: federated stewardship with a forum that can decide, not just discuss.
Named owner · Dispute resolution · Review cadenceWhat data do we hold, where, and how sensitive is it?
Start with the Data Systems Register. Include spreadsheets, pixels and shadow systems. Classify Public / Internal / Confidential / Restricted and let classification drive access.
Register · Classification · Living documentDo we trust the numbers, and does "revenue" mean the same thing everywhere?
Human-curated metric definitions with named source systems. The semantic layer your BI depends on. Auto-generated definitions look plausible and are frequently wrong.
Metrics dictionary · Lineage · Issue loggingWho can see and change what, and how do we know?
No shared logins. MFA on Confidential and Restricted systems. Leavers lose access same day. Restricted data reviewed twice a year with access actually removed.
Named users · MFA · Leaver checklistHow long do we keep data, and how does it get deleted?
Retention rules per category with stated reasons. Deletion tested, not just documented. Vendor exit plan: how data comes back and when it gets destroyed.
Retention schedule · Tested deletion · Vendor exitAre we meeting UK GDPR and sector obligations, and could we prove it?
Article 30 records matching the register. DPAs on every vendor processing personal data. DPIAs at design stage for high-risk processing, including AI. Breach and DSAR procedures rehearsed.
Article 30 · DPIA · Breach playbookIdentify your tier, apply the sector overlay, then populate the templates. The self-check tells you where the gaps actually are.
Under 4 hours a month or it will not run. Documented minimum, not a programme.
Make decisions once instead of relitigating them in every board meeting.
Coordination, not awareness. Governance that business units cannot route around.
The core framework is universal. The overlay tells you which domains matter most and what to check first.
You cannot govern what you have not mapped. The Data Systems Register is always step one.
Identify your tier: SME, mid-market or enterprise. Same six domains, different formality.
PE, ecommerce, construction or enterprise. Tells you where sector-specific risk concentrates.
Data Systems Register first. Then DPIA, vendor DD and RACI as your tier requires.
Thirty minutes, honest answers. Shows where to focus and which domain is blocking progress.
An LLM with access to a system inherits that system's data. If you cannot say what is in it, you cannot say what the model can leak.
Under UK GDPR, novel technology processing personal data at scale will almost always trip the high-risk threshold.
AI-generated metric definitions look plausible and are frequently wrong. Invest human time in the semantic layer.
Populated in order. The register unlocks everything else.
Every system holding business or personal data. The first document any DD team requests.
Mandatory for high-risk processing. Run at design stage, including every AI deployment.
Before any new system holding Confidential or Restricted data. DPA, transfers, exit clause.
Named owner per major dataset. Mid-market and enterprise.
A toolkit gets you to competent. It will not tell you which specific system is leaking margin or what to fix first with a limited budget. That requires someone looking at your actual data estate.
Six domains, four statements each, scored 0–3. Maximum 72. Self-checks are directionally useful and systematically generous.
Thirty minutes to a governance score you can take to your board. No sales call to see it.