Rodan Data Stack · Open toolkit

Data Governance Toolkit

Good governance is not paperwork. It is the precondition for trustworthy analytics, defensible AI adoption and clean exits.

A working framework you can implement without a full-time data team, scaled to your size and tuned to your sector. Framework, overlays, templates and a scored self-check. All open, all runnable in your browser.

The model

Six domains. Same scope at every size.

What changes with scale is formality, not scope. Every governance programme covers the same six questions.

Ownership & accountability
Who is responsible?
01
Inventory & classification
What do we hold, where?
02
Quality & definitions
Do we trust the numbers?
03
Access & security
Who can see and change what?
04
Lifecycle & retention
How long, and how deleted?
05
Privacy & regulatory
Could we prove compliance?
06
Domain 01

Ownership & accountability

Who is responsible for each dataset and each decision about it?

At SME: one named person, usually the MD or FD. At mid-market: RACI per major dataset and a quarterly review. At enterprise: federated stewardship with a forum that can decide, not just discuss.

Named owner · Dispute resolution · Review cadence
Domain 02

Inventory & classification

What data do we hold, where, and how sensitive is it?

Start with the Data Systems Register. Include spreadsheets, pixels and shadow systems. Classify Public / Internal / Confidential / Restricted and let classification drive access.

Register · Classification · Living document
Domain 03

Quality & definitions

Do we trust the numbers, and does "revenue" mean the same thing everywhere?

Human-curated metric definitions with named source systems. The semantic layer your BI depends on. Auto-generated definitions look plausible and are frequently wrong.

Metrics dictionary · Lineage · Issue logging
Domain 04

Access & security

Who can see and change what, and how do we know?

No shared logins. MFA on Confidential and Restricted systems. Leavers lose access same day. Restricted data reviewed twice a year with access actually removed.

Named users · MFA · Leaver checklist
Domain 05

Lifecycle & retention

How long do we keep data, and how does it get deleted?

Retention rules per category with stated reasons. Deletion tested, not just documented. Vendor exit plan: how data comes back and when it gets destroyed.

Retention schedule · Tested deletion · Vendor exit
Domain 06

Privacy & regulatory

Are we meeting UK GDPR and sector obligations, and could we prove it?

Article 30 records matching the register. DPAs on every vendor processing personal data. DPIAs at design stage for high-risk processing, including AI. Breach and DSAR procedures rehearsed.

Article 30 · DPIA · Breach playbook
Scale

Three tiers. One framework.

Identify your tier, apply the sector overlay, then populate the templates. The self-check tells you where the gaps actually are.

Tier 1

SME

~£1m–£10m · under 50 staff

Under 4 hours a month or it will not run. Documented minimum, not a programme.

  • One named owner for data decisions
  • Systems register: 10–20 systems, reviewed twice a year
  • 5 key metrics defined with single source
  • Named users only, same-day leaver access removal
Tier 2

Mid-market

~£10m–£500m

Make decisions once instead of relitigating them in every board meeting.

  • Data Ownership RACI and quarterly data review
  • Living register with classification applied
  • Metrics dictionary for every board-pack figure
  • DPIAs for AI and high-risk processing
Tier 3

Enterprise

£500m+

Coordination, not awareness. Governance that business units cannot route around.

  • Federated stewardship with deciding authority
  • Lineage from source to board slide
  • Data quality SLAs on critical pipelines
  • Breach playbook rehearsed annually
Sector overlays

Where the real risk sits in your industry.

The core framework is universal. The overlay tells you which domains matter most and what to check first.

How to use it

Four steps. Start with the register.

You cannot govern what you have not mapped. The Data Systems Register is always step one.

01

Read the framework

Identify your tier: SME, mid-market or enterprise. Same six domains, different formality.

02

Apply your overlay

PE, ecommerce, construction or enterprise. Tells you where sector-specific risk concentrates.

03

Populate templates

Data Systems Register first. Then DPIA, vendor DD and RACI as your tier requires.

04

Score yourself

Thirty minutes, honest answers. Shows where to focus and which domain is blocking progress.

All tiers

Where AI changes the picture

1

Classify before you connect

An LLM with access to a system inherits that system's data. If you cannot say what is in it, you cannot say what the model can leak.

2

DPIA any AI touching personal data

Under UK GDPR, novel technology processing personal data at scale will almost always trip the high-risk threshold.

3

Human-curated definitions beat auto-generated ones

AI-generated metric definitions look plausible and are frequently wrong. Invest human time in the semantic layer.

Templates

The working documents.

Populated in order. The register unlocks everything else.

The short version
Map what you hold. Define what you trust. Prove you can comply.

A toolkit gets you to competent. It will not tell you which specific system is leaking margin or what to fix first with a limited budget. That requires someone looking at your actual data estate.

Maturity self-check

Thirty minutes. Honest answers.

Six domains, four statements each, scored 0–3. Maximum 72. Self-checks are directionally useful and systematically generous.

Score each statement: not true, partly true, documented, or documented and tested in the last year. You get a band (Exposed, Aware, Managed or Governed), a domain breakdown and priority flags for any domain under 6 out of 12.

Runs entirely in your browser. Nothing sent anywhere unless you choose to contact us with your result.

  • 0–18 Exposed. Informal and person-dependent. Start with the register and a named owner.
  • 19–36 Aware. Foundations exist but are not systematic. Prioritise lowest domains.
  • 37–54 Managed. Documented and mostly working. Close last-mile gaps.
  • 55–72 Governed. Rare air. Shift from control to leverage.

Find out where you stand.

Thirty minutes to a governance score you can take to your board. No sales call to see it.

lucide.createIcons(); const items = Array.from(document.querySelectorAll('#domain-visual .d-item')); const rows = Array.from(document.querySelectorAll('#domain-detail .dd-row')); function focusDomain(n) { items.forEach(i => { i.classList.toggle('hot', i.dataset.domain === n); i.classList.toggle('dim', i.dataset.domain !== n); }); rows.forEach(r => r.classList.toggle('hot', r.dataset.domain === n)); } function clearDomain() { items.forEach(i => { i.classList.remove('hot'); i.classList.remove('dim'); }); rows.forEach(r => r.classList.remove('hot')); } [...items, ...rows].forEach(el => { el.addEventListener('mouseenter', () => focusDomain(el.dataset.domain)); el.addEventListener('mouseleave', clearDomain); });