Skip to main content
Microsoft Security

3 strategies to launch an effective data governance plan

Aware of the potential risks of sensitive data if not managed properly, you’ve undertaken a data discovery process to learn where it’s all stored. You’ve classified this sensitive data—confidential information like credit card numbers and home addresses collected from customers, prospects, partners, and employees—as either non-business, public, general, confidential, or highly confidential. You’ve assessed the risks to better protect it from exposure and the risk of theft or loss. Your next step is to govern your data. But what does that mean and how do you launch a data governance plan?

Data governance is the process of managing data as a strategic asset. This means setting controls around data, its content, structure, use, and quality. Microsoft considers data governance to be the foundational pillar of an enterprise data strategy. All the preceding steps—data discovery, data classification, and data protection—are necessary to build your plan. When done right, data governance makes it easier for companies to ascertain their data is consistent, trustworthy, and properly used.

To avoid those issues, ensure that you govern your data properly. Let’s explore three steps to take when building a data governance plan.

1. Set lifecycle controls on sensitive data

Numerous laws and regulations dictate how long you must retain data and in what circumstances you should delete data. Many privacy laws require that you keep personally identifiable information (PII), such as names, identification numbers, home addresses, and IP addresses, only for as long as it has met its original purpose.1

Under GDPR Article 5(1)(c), the data minimization principle requires entities to process only “adequate, relevant and limited” personal data that is “necessary.”2 GDPR also encourages you to pseudonymize and encrypt this personal information.

Your organization’s data governance plan should take these data retention requirements into account. Tracking which file is subject to a retention or deletion regulatory requirement manually would be extremely challenging if not impossible. A better approach is to implement ongoing controls to auto-expire personal data or set up automated reminders to review data periodically to assess whether it’s still in use or active. Another option is to have approvals in place before deleting documents to ensure you’re deleting verified personal data and not inadvertently hurting the business by deleting the wrong content.

2. Operationalize data governance

After setting lifecycle controls to manage your company’s sensitive data, it’s time to define strategy and figure out how to operationalize the management of your data governance program. Data governance isn’t a set-it-and-forget-it situation. You’ll need ongoing processes to protect and govern sensitive data.

However, a company’s approach to data retention and deletion will vary based on the laws of its country and corporate policies. You need to define how often you review, delete, and archive sensitive data. Your company’s Data Governance Officer or legal department can offer guidance on what’s required.

Automating these ongoing operations can ease the burden of management. One opportunity for automation is auto-labeling of secure documents at different confidentiality levels. If you don’t properly label data as sensitive, you’ll be unable to locate, identify, or successfully govern it. 

3. Manage role-based access

A major tenet of Zero Trust, a security model that assumes breach and verifies each request, is to allow people to access only the resources that they use to complete their work. Assigning role-based access control helps you protect resources by managing who has access to resources, what they can do with those resources, and what resources they can access.

Develop a detailed lifecycle for access that covers employees, guests, and vendors. Don’t delegate permission setting to an onboarding manager as they may over-permission or under-permission the role. Another risk with handling identity governance only at onboarding is that this doesn’t address changes in access necessary as employees change roles or leave the company.

Instead, leaders of every part of the organization should determine in advance what access each position needs to do their jobs—no more, no less. Then, your IT and security partner can create role-based access controls for each of these positions. Finally, the compliance team owns the monitoring and reporting to ensure these controls are implemented and followed.

When deciding what data people need to access, consider both what they’ll need to do with the data and what level of access they need to do their jobs. For example, a salesperson will need full access to the customer database, but may need only read access to the sales forecast, and may not need any access to the accounts payable app. It’s about ensuring that people have the right access to the right information at the right time.

Other questions to ask when building your plan include:

Organizations need to be able to prove to auditors and regulators that privacy policies are being followed and enforced within the company. Restricting network access based on the roles of individual users can assist with that.

Secure sensitive data with data governance

Data governance ensures that your data is discoverable, accurate, and trusted. Protect your sensitive data by launching a data governance plan that involves setting lifecycle controls of sensitive data, operationalizing data governance, and managing role-based access. As a follow-up to careful data discovery, data classification, and data protection, data governance can help you protect your sensitive data through its entire lifecycle according to industry regulations, which in turn will help you protect your employees, customers, prospects, and partners.

Read more about data governance and protecting sensitive data:

Read more about data security.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1GDPR personal data – what information does this cover?, GDPR.

2GDPR Article 5(1)(c), EUR-Lex. 2016.