Phase 2 (6-12 weeks)
Build: Policies, Standards & Business Glossary
Develop the core governance artifacts: data policies, data standards, the business glossary, and data quality rules for priority domains.
🎯 Objectives
- ✓ Create the data policy hierarchy (policies, standards, procedures, guidelines)
- ✓ Build the enterprise business glossary for priority domains
- ✓ Define data quality rules and metrics for priority domains
- ✓ Establish data classification and handling standards
- ✓ Create data access and security policies
Build the Policy Hierarchy
Create a layered set of governance documents:
**Policies** (5-10 enterprise-level) — High-level statements of intent. Examples: Data Quality Policy, Data Access Policy, Data Retention Policy, Data Privacy Policy, Metadata Policy.
**Standards** (10-20) — Mandatory requirements implementing policies. Examples: naming conventions, data classification levels, retention schedules, quality thresholds.
**Procedures** (as needed) — Step-by-step instructions. Examples: how to request data access, how to escalate a DQ issue, how to propose a new data standard.
**Guidelines** (as needed) — Recommended practices. Examples: data modeling best practices, dashboard design guidelines.
💡 Consultant Tips
- ● Start with 5-7 core policies — you can always add more later
- ● Each policy should be 1-2 pages max — if it's longer, it's probably a standard or procedure
- ● Policies should answer WHY, Standards answer WHAT, Procedures answer HOW
- ● Review policies annually and standards semi-annually
- ● Get legal review on any policy related to privacy, security, or data retention
Create the Enterprise Business Glossary
The business glossary is often the single most valuable governance deliverable. It defines business terms in plain language so everyone speaks the same data language.
For each term, capture: Term Name, Business Definition, Data Domain, Owner/Steward, Source System of Record, Related Terms, Synonyms, and Examples.
Start with the priority domains and aim for 100-200 terms in the first phase.
💡 Consultant Tips
- ● The #1 mistake: letting IT define business terms — business users MUST write definitions
- ● Start with the terms that cause the most confusion or arguments (e.g., 'What is an active customer?')
- ● Include examples and counter-examples ('A customer IS... a customer IS NOT...')
- ● Link glossary terms to the data catalog so people can find the actual data behind the definition
- ● The glossary is never 'done' — establish a process for proposing and approving new terms
Define Data Quality Rules
For each priority domain, define measurable quality rules across key DQ dimensions:
- **Completeness** — Required fields that must be populated (e.g., 'Customer email must be populated for all digital accounts')
- **Accuracy** — Values must match real-world truth (e.g., 'Address must be USPS-validated')
- **Consistency** — Same data, same value across systems (e.g., 'Customer name must match between CRM and billing')
- **Timeliness** — Data must be current within SLA (e.g., 'Order status must update within 15 minutes')
- **Validity** — Values must conform to allowed ranges/formats (e.g., 'Country code must be ISO 3166-1 alpha-2')
- **Uniqueness** — No unintended duplicates (e.g., 'No duplicate customer records by SSN or email+name match')
💡 Consultant Tips
- ● Start with 10-15 critical rules per domain, not 200 — focus on the rules that matter most to the business
- ● Every rule must have a measurable threshold (e.g., 'Customer email completeness >= 95%')
- ● Define who is responsible for fixing violations — rules without accountability are worthless
- ● Prioritize rules that affect regulatory reporting, revenue, or customer experience
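As an added example (not from the original page), the rule engine below turns four of the rules above into measurable checks with a threshold and a named owner, run over a constructed sample of customer records; the field names, owners and sample values are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample customer records (not real data); field names are assumptions.
CUSTOMERS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@example.com", "country": "GB", "account_type": "digital"},
    {"id": 2, "name": "Alan Turing", "email": "", "country": "GB", "account_type": "digital"},
    {"id": 3, "name": "Grace Hopper", "email": "grace@example.com", "country": "USA", "account_type": "branch"},
    {"id": 4, "name": "Ada Lovelace", "email": "ada@example.com", "country": "gb", "account_type": "digital"},
    {"id": 5, "name": "Linus Torvalds", "email": "linus@example.com", "country": "FI", "account_type": "digital"},
]

def completeness(rows, field, where=lambda r: True):
    """Share of in-scope rows where `field` is populated (Completeness dimension)."""
    scope = [r for r in rows if where(r)]
    return sum(1 for r in scope if r.get(field)) / len(scope) if scope else 1.0

def validity(rows, field, pattern):
    """Share of rows whose `field` fully matches `pattern` (Validity dimension).
    This is a format check only; a production rule would also check the ISO code list."""
    rx = re.compile(pattern)
    return sum(1 for r in rows if rx.fullmatch(str(r.get(field, "")))) / len(rows)

def uniqueness(rows, key):
    """Share of rows that are not an extra copy under `key` (Uniqueness dimension)."""
    extra = sum(c - 1 for c in Counter(key(r) for r in rows).values())
    return 1 - extra / len(rows)

# Every rule has a measurable threshold and an accountable owner, as the tips require.
RULES = [
    {"name": "Customer name completeness", "threshold": 0.95, "owner": "Customer Data Steward",
     "metric": lambda rows: completeness(rows, "name")},
    {"name": "Customer email completeness for digital accounts", "threshold": 0.95,
     "owner": "Customer Data Steward",
     "metric": lambda rows: completeness(rows, "email", lambda r: r["account_type"] == "digital")},
    {"name": "Country code is ISO 3166-1 alpha-2", "threshold": 0.99, "owner": "Reference Data Steward",
     "metric": lambda rows: validity(rows, "country", r"[A-Z]{2}")},
    {"name": "No duplicate customers by email+name", "threshold": 1.0, "owner": "MDM Lead",
     "metric": lambda rows: uniqueness(rows, lambda r: (r["email"].lower(), r["name"].lower()))},
]

def evaluate(rows, rules=RULES):
    """Score each rule against the data and flag violations for the rule owner."""
    out = []
    for rule in rules:
        score = rule["metric"](rows)
        out.append({"rule": rule["name"], "score": round(score, 3), "threshold": rule["threshold"],
                    "passed": score >= rule["threshold"], "owner": rule["owner"]})
    return out

if __name__ == "__main__":
    for r in evaluate(CUSTOMERS):
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status} {r['rule']}: {r['score']:.0%} (threshold {r['threshold']:.0%}), owner {r['owner']}")
```

On the sample data only the name-completeness rule passes; the other three produce a FAIL line naming the owner who must act, which is the accountability the tips call for.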
Establish Data Classification
Define data classification levels that determine how data should be handled, stored, and shared:
**Level 1: Public** — Freely shareable (press releases, public financials)
**Level 2: Internal** — For internal use only (org charts, internal memos)
**Level 3: Confidential** — Restricted to need-to-know (customer PII, employee records, contracts)
**Level 4: Restricted/Highly Confidential** — Strictest controls (SSN, health records, payment card data, trade secrets)
Each level has specific handling requirements for storage, transmission, access, retention, and destruction.
💡 Consultant Tips
- ● 4 levels is the sweet spot — fewer is too coarse, more is too confusing
- ● Default to the higher classification when in doubt
- ● Classification drives everything: access controls, encryption requirements, retention periods, disposal methods
- ● Train all employees on classification — it's meaningless if people don't know how to apply it
📦 Phase Deliverables
- ☐ Enterprise Data Policies (5-7 core policies)
- ☐ Data Standards Document (naming, classification, quality thresholds)
- ☐ Enterprise Business Glossary (100-200 terms for priority domains)
- ☐ Data Quality Rules Catalog (10-15 rules per priority domain)
- ☐ Data Classification Standard (4 levels with handling requirements)
- ☐ Data Access and Sharing Policy
- ☐ Data Retention and Archival Policy
- ☐ Glossary Governance Process (how to propose/approve new terms)