This is the first post in a three-part series on building a mature data governance model. Whether you're a startup scaling fast or an established organisation that's never formalised how it manages data, this series gives you a practical, step-by-step path from zero to a working governance model — with the NZ regulatory landscape firmly in mind.


Why Data Governance Has Finally Become Impossible to Ignore

For years, data governance sat comfortably at the bottom of the priority list. IT teams knew it mattered. Leadership nodded politely during audits. And then everyone moved on.

That era is over.

In New Zealand, the pressure is now coming from multiple directions at once. The Privacy Act 2020 raised the bar significantly — mandatory breach notifications, stronger individual rights, and real enforcement teeth from the Office of the Privacy Commissioner (OPC). Meanwhile, the NZ Government's Data and Digital Strategy is pushing agencies to treat data as a strategic asset. For organisations in banking and finance, the Reserve Bank of New Zealand (RBNZ) and the Financial Markets Authority (FMA) are increasingly scrutinising how data underpins risk decisions and reporting.

And then there's AI. As organisations rush to explore machine learning and AI-driven decisions, they are discovering a painful truth: AI is only as trustworthy as the data underneath it. Rubbish in, rubbish out — at scale.

The good news? You do not need a multi-million dollar programme to start. You need clarity, commitment, and the right sequence. This post gives you that sequence.


First, What Is Data Governance — Really?

Before we get practical, let's put a simple definition on the table, because "data governance" means very different things to different people.

Data governance is the system of rules, roles, and processes that determines who can do what with data — and ensures that data is accurate, protected, available, and used responsibly.

It is not just a technology problem. It is not just a compliance checkbox. And it is definitely not something that only large enterprises need.

Think of it like financial governance. Every organisation — regardless of size — needs to know who controls the budget, how spending decisions are made, and what the rules are. Data governance applies the same discipline to your data assets.


The Three Most Common Starting Points (and Their Hidden Risks)

Most organisations find themselves in one of three situations when they decide to get serious about data governance:

"We have data everywhere but no one knows where anything is." This is the most common starting point. Spreadsheets on desktops, databases no one's touched in three years, customer records in three different systems. The risk here is not just inefficiency — it's that a Privacy Act breach could be lurking in a forgotten shared drive.

"We have policies on paper but no one follows them." The documents exist. The training never happened. The policies haven't been reviewed since 2019. This is arguably more dangerous than having nothing, because it creates a false sense of security during audits.

"We're starting fresh." A new organisation, a digital transformation initiative, or a decision to finally do this properly. This is actually the best position to be in — there's no legacy to fight.

Regardless of which situation sounds familiar, the foundation is built the same way.


Step 1: Understand Why You're Doing This (Before You Do Anything Else)

The single biggest reason data governance programmes fail is that they start with tools and technology instead of purpose. Before you buy a data catalogue, appoint a Chief Data Officer, or write a single policy, answer these three questions as an organisation:

What decisions are we making with data today? Think about pricing decisions, credit assessments, hiring, marketing segmentation, reporting to regulators, or operational scheduling. List the ten most important ones.

Where is our data risk actually concentrated? Under the Privacy Act 2020, personal information about identifiable individuals carries the most regulatory exposure. But commercially sensitive data, financial records, and intellectual property also carry risk. Where is yours?

What does "good" look like for us in 12 months? Not in five years. Not world-class maturity. In twelve months. A specific, achievable outcome — like "we know exactly where all personal information is stored and who has access to it" — is far more useful than an aspirational vision statement.

Documenting honest answers to these three questions is your governance charter. It will guide every decision that follows.


Step 2: Map What You Actually Have

You cannot govern what you cannot see. The next step is a data inventory — a structured exercise to understand what data your organisation holds, where it lives, who is responsible for it, and how sensitive it is.

In the NZ context, this exercise has a dual purpose. It satisfies the spirit of Privacy Principle 5 (which requires that personal information is protected by reasonable security safeguards) and Principle 9 (personal information is not kept for longer than necessary). But more immediately, it gives you a map, and you cannot navigate without one.

A practical approach to your data inventory

Start with the systems that matter most. Resist the urge to boil the ocean. Ask your team:

For each major data source, capture the following fields in a simple spreadsheet:

Field | What to document
Data domain | e.g. Customer, Financial, HR, Operational
System / location | Where it lives (CRM, ERP, shared drive, cloud storage)
Data owner | The business leader responsible
Data sensitivity | Low / Medium / High / Restricted
Personal information? | Yes / No
Retention period | How long you keep it
Last reviewed | Date

This does not need to be perfect. It needs to exist.
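Once the spreadsheet exists, the gaps in it are where your risk is concentrated: a row holding personal information with no owner, no retention period, or a review date years old is exactly the "forgotten shared drive" scenario described earlier. The following script is an added example, not part of the original post, that reads an inventory exported as CSV (column names follow the fields in the table above) and flags those gaps. The sample rows are constructed for illustration, and the one-year review threshold is an assumption; adjust it to whatever cadence you set in your charter.

```python
"""Consistency check over a data-inventory spreadsheet exported as CSV.

Added example, not part of the original post. Column names follow the
inventory fields suggested in the text; the rows below are constructed
sample data, and the 365-day review threshold is an assumption.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per major data source.
SAMPLE_CSV = """\
data_domain,system_location,data_owner,data_sensitivity,personal_information,retention_period,last_reviewed
Customer,CRM (Salesforce),Head of Sales,High,Yes,7 years after relationship ends,2025-03-01
HR,HRIS,HR Director,Restricted,Yes,,2025-06-15
Financial,ERP,Head of Finance,Medium,No,7 years,2024-01-10
Operational,Shared drive (Finance/Old),,Low,Yes,,2019-11-20
Marketing,Mailchimp,Head of Marketing,Medium,Yes,Until unsubscribe,not recorded
"""

SAMPLE_AS_OF = date(2025, 9, 1)  # constructed "today" so the sample is reproducible
VALID_SENSITIVITY = {"Low", "Medium", "High", "Restricted"}
REVIEW_MAX_AGE = timedelta(days=365)  # assumption: every entry is reviewed at least annually


def _parse_date(value: str):
    """Return a date for an ISO string, or None if the cell is blank or not a date."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def check_row(row: dict, today: date) -> list[str]:
    """Return the findings for one inventory row (empty list if the row is clean)."""
    findings = []
    label = f"{row['data_domain']} @ {row['system_location']}"

    # Step 3 of the post: every data source needs an accountable business owner.
    if not row["data_owner"].strip():
        findings.append(f"{label}: no data owner named")

    sensitivity = row["data_sensitivity"].strip()
    if sensitivity not in VALID_SENSITIVITY:
        findings.append(f"{label}: sensitivity '{sensitivity}' is not one of {sorted(VALID_SENSITIVITY)}")

    # Personal information carries the most regulatory exposure; "Low" is a rating error.
    is_personal = row["personal_information"].strip().lower() == "yes"
    if is_personal and sensitivity == "Low":
        findings.append(f"{label}: holds personal information but is rated Low")

    # Privacy Principle 9: personal information needs a defined retention period.
    if is_personal and not row["retention_period"].strip():
        findings.append(f"{label}: personal information with no retention period (Privacy Principle 9)")

    reviewed = _parse_date(row["last_reviewed"])
    if reviewed is None:
        findings.append(f"{label}: last_reviewed is missing or not an ISO date")
    elif today - reviewed > REVIEW_MAX_AGE:
        findings.append(f"{label}: last reviewed {reviewed.isoformat()}, older than {REVIEW_MAX_AGE.days} days")

    return findings


def check_inventory(csv_text: str, today: date) -> list[str]:
    """Run check_row over every row of a CSV export and collect all findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row in reader:
        findings.extend(check_row(row, today))
    return findings


def run_sample() -> list[str]:
    """Findings for the constructed sample as of SAMPLE_AS_OF."""
    return check_inventory(SAMPLE_CSV, SAMPLE_AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the sample, the Customer row passes cleanly while the "Shared drive (Finance/Old)" row produces four findings on its own (no owner, personal information rated Low, no retention period, last reviewed in 2019), which is the point: the script does not judge the data, it shows you where the inventory itself is incomplete so the data owner conversation in Step 3 has something concrete to start from.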

A useful NZ-specific reference here is the OPC's Privacy by Design guidance, which encourages organisations to map data flows as part of building privacy into their operations from the start.


Step 3: Establish Ownership — The Most Political Step

Here is where many organisations stumble. Data governance requires someone to be accountable for data — and accountability makes people uncomfortable.

The typical organisational instinct is to hand this entirely to IT. That is a mistake. IT can build and maintain systems. But the question of whether a piece of data is accurate, whether it should be retained, and how it should be used is a business question, not a technical one.

The roles you need at the start

You do not need a large governance team on day one. You need three things clearly defined:

Executive sponsor. A senior leader, ideally the CEO, COO, or CFO, who owns the mandate for data governance and will resolve conflicts when they arise. In New Zealand, the Privacy Act 2020 also requires every agency to have a privacy officer (not necessarily a dedicated role, but a designated responsibility). In many smaller organisations, the executive sponsor and Privacy Officer function overlap.

Data owners. These are business leaders who are accountable for specific data domains. The Head of Finance owns financial data. The HR Director owns people data. The Head of Sales owns customer data. They are responsible for defining what "correct" looks like in their domain.

Data stewards. These are the operational people who actually manage the data day-to-day — running quality checks, raising issues, and implementing the decisions that data owners make. In a small organisation, a single person might wear multiple hats. That is fine.

A lightweight RACI (Responsible, Accountable, Consulted, Informed) matrix mapping these roles to your key data domains will save you significant pain later.


Step 4: Establish Your First Governance Principles

Before writing a 40-page policy document, establish a short set of guiding principles that your whole organisation can understand and remember. These should reflect both your organisational values and your legal context.

Here is a starting point that fits the NZ environment well:

  1. Data is a shared organisational asset, not departmental property. No team "owns" data in isolation — they steward it on behalf of the organisation.
  2. Personal information will be handled with respect for individual rights. This reflects the values behind the Privacy Act 2020 — not just compliance, but genuine respect for the people whose data you hold.
  3. Data quality is everyone's responsibility. Accuracy, completeness, and timeliness are not IT problems. They are business problems.
  4. Data will be retained only as long as necessary. Aligned with Privacy Principle 9 — don't keep what you no longer need.
  5. Access to data will follow the principle of least privilege. People should have access to the data they need to do their job — no more.

These five principles can fit on a single page. Post them where people can see them.


Step 5: Pick Three Quick Wins

Nothing kills a governance programme faster than two years of planning before anything changes. Alongside your foundational work, identify three things you can fix in the next 90 days that visibly demonstrate the value of governance.

Good candidates for NZ organisations include:

These are not glamorous. But they build credibility — internally with your team, and externally with regulators if you're ever asked to demonstrate your governance maturity.


What Part 2 Will Cover

In the next post, we move from foundation to operation. We'll look at how to turn your principles into enforceable policies, build a data quality framework your team will actually use, and operationalise stewardship so governance becomes part of how people work — not an extra burden on top of it. We'll also go deeper on the NZ compliance landscape, including what the Privacy Act 2020 means operationally and how governance intersects with the RBNZ's and FMA's expectations for regulated entities.


Key Takeaways from Part 1