29 April
What Is Data Governance? — A Practical Guide for Executives Before Starting an ERP Project
Data Governance is the framework of policies, roles, and processes that defines how organizational data is created, stored, used, shared, and destroyed — so that data remains accurate, secure, and trustworthy. Before an ERP system can deliver its full value, the organization must first answer two questions: "Who owns the data?" and "What is the source of truth?"
Why Is Data Governance Critical for Your ERP Project?
Many organizations invest millions in ERP, yet fail to capture the value because the data fed into the system has no quality controls. Common pitfalls include:
- Duplicate customer records — one customer with five different IDs across departments, breaking sales reports
- Master data drift — sales and warehouse use different SKU codes for the same product
- No accountability — when an error appears, no one knows who is allowed to fix it
- Data leaks — staff can access information unrelated to their duties
- Unintentional PDPA breaches — personal data is stored without a supporting policy
Establishing data governance before the ERP project starts makes data migration dramatically smoother and reduces remediation costs significantly.
Data Governance vs Data Management — What's the Difference?
The two terms are often confused. Here is a quick comparison:
| Aspect | Data Governance | Data Management |
|---|---|---|
| Core question | "What" and "why" | "How" |
| Level | Policy, strategy | Operations, technical |
| Owner | Executives, Data Owner | IT, DBA, Data Engineer |
| Example | Define who can see salaries | Configure RBAC in the system |
| Change frequency | Annually (policy-driven) | Daily / weekly |
Plain analogy: Data Governance is the "law"; Data Management is the "police" enforcing it. You cannot have one without the other.
The 5 Pillars of Data Governance
A complete Data Governance framework rests on five pillars:
| Pillar | Definition | Example in ERP |
|---|---|---|
| 1. Data Quality | Data is accurate, complete, current, non-duplicate | Tax-ID validation rules, required fields cannot be left blank |
| 2. Data Stewardship | Each dataset has a named caretaker | HR owns employee data; Finance owns Chart of Accounts |
| 3. Data Privacy & Security | Protect personal data and prevent unauthorized access | Encryption at rest, MFA, 2FA, audit trail |
| 4. Data Architecture | Storage standards and structure | Master data definitions, code standards, organization-wide date format |
| 5. Data Lifecycle | Define how data is created, used, archived, and destroyed | Delete customer records after 10 years per PDPA, archive closed POs |
Key Roles in a Data Governance Program
A working program needs clear role separation — owner, steward, custodian, consumer:
| Role | Responsibility | Typical Holder |
|---|---|---|
| Data Governance Committee | Approve organization-wide policy | C-suite committee, meets quarterly |
| Chief Data Officer (CDO) | Top accountable executive for data | Large enterprise: Deputy CEO / Deputy DG |
| Data Owner | Accountable for accuracy and access of a domain | HR Director owns workforce data |
| Data Steward | Day-to-day data quality enforcement | Officer who maintains employee records |
| Data Custodian | Operates infrastructure that stores data | IT / DBA who runs backups and servers |
| Data Consumer | Uses data for decisions | Executives, analysts, end users |
Important principle: the Data Owner must come from the business unit that owns the process, not from IT. IT is a custodian, never the owner of business data.
Data Classification — Tiering Sensitivity
Not all data carries equal risk. Classification lets you apply proportionate controls:
| Tier | Description | Examples | Required Controls |
|---|---|---|---|
| Public | Open to anyone | Website content, public tenders | No encryption needed |
| Internal | For employees only | Meeting minutes, internal SOPs | Login required |
| Confidential | Disclosure causes business harm | Salaries, strategy, customer data | RBAC + audit trail + encryption |
| Restricted | Highest tier — disclosure is illegal or catastrophic | Card numbers, health records, passwords | Encryption + MFA + access auditing |
Classification prevents both "over-protection" (slowing the business) and "under-protection" (data leaks).
The Data Lifecycle
Every dataset moves through six stages, each requiring policy:
| Stage | Activity | Policy Decisions |
|---|---|---|
| 1. Create | Data is created or imported | Who can create, required format, validation rules |
| 2. Store | Data sits in the system | Storage location, encryption, backup, redundancy |
| 3. Use | Data is read and acted on | RBAC, audit log, no download for confidential data |
| 4. Share | Data flows internally and externally | Secure APIs, signing, encryption in transit |
| 5. Archive | Older records are moved to cold storage | Retention age, archive location, restore procedure |
| 6. Destroy | Permanently delete data | Secure-delete method, certificate of destruction |
A well-designed ERP supports the whole lifecycle — especially archive and destroy, which most organizations neglect, leaving 10 years of stale records that slow the database and create PDPA exposure.
PDPA + Data Governance — Why They Belong Together
Thailand's Personal Data Protection Act (PDPA) requires organizations to govern personal data — which is exactly what a Data Governance program delivers:
| PDPA Requirement | How Data Governance Fulfills It |
|---|---|
| Right to Access | ERP must export a person's data on demand |
| Right to Rectification | Data Stewards correct records on request |
| Right to Erasure | Real "destroy" workflow — not merely an "inactive" flag |
| Security obligations | Classification + encryption + access control |
| 72-hour breach notification | Audit trail + abnormal-access monitoring |
| Data Protection Officer (DPO) | Maps directly to Data Owners per domain |
Organizations that already practice Data Governance can cut PDPA compliance cost by 60-70% because the foundation is already in place.
Data Governance in Saeree ERP
Saeree ERP supports data governance from the architectural level:
- Master Data Management — single source of truth for customers, products, accounts
- RBAC + ABAC — access by role and attribute (department, level)
- Tamper-proof audit trail — who, when, what changed, source IP — cannot be deleted
- Data validation rules — checks at the moment of data entry
- Retention policy support — automatic archive based on configured rules
- PDPA-ready — supports Right to Access / Rectification / Erasure
These are not just features — they are a framework that lets you operationalize your governance policies without bolt-on systems.
Executive Checklist: 7 Questions Before Signing the ERP Contract
- What is the master data of our organization? — customers, products, employees — list them
- Who is the Data Owner for each domain? — name the position
- Do we have a 4-tier classification? — and is each dataset mapped to a tier?
- What is our retention policy? — how long do we keep, archive, delete?
- Are we PDPA-ready? — DPO appointed? Can a customer request deletion?
- Do we have a breach response process? — who is notified, within how many hours?
- How often does the Data Governance Committee meet? — if there isn't one, form it before the ERP project begins
If you cannot confidently answer four or more of these — pause the ERP project and build the data governance framework first. Implementing ERP on top of ungoverned data is a known recipe for failure.
Summary
Data Governance is not "shelf-ware" produced for compliance. It is an executive mindset that recognizes data as one of the organization's most valuable assets — comparable to cash in the bank — and managed with equivalent discipline.
Starting Data Governance before the ERP project pays back in better ROI, lower legal risk, and a culture that respects information from day one. Executives who delay typically pay 3-5× more in remediation later.
"Data without an owner is like money without an owner — both will disappear soon enough."

