← Back
Content Adaptation · Audience Localization

Everything you need is here. Good luck finding it.

I developed a comprehensive data governance framework for the team. Then I adapted it for every other audience that had to understand it. The information doesn't change. The structure, pacing, and entry points do.

Mae MendozaContent Adaptation
Scroll
01

I wrote the complex technical documentation for the immediate team.

The original ran 34 pages, crafted for the people that owned the process and structured around how they think about it. The excerpt below shows where each audience stops reading.

data-governance-framework-v2.4.docx
Section 3.2
Data Classification Tiers

All organizational data assets are classified into four tiers based on sensitivity, regulatory exposure, and business impact upon unauthorized disclosure.

Tier 1 — Restricted: Data subject to explicit regulatory mandate GDPR Art. 9, CCPA §1798.140(o)(1), HIPAA PHI or contractual obligation with liquidated damages provisions. Includes PII with re-identification risk above threshold (see Appendix C, §C.4 for k-anonymity parameters). Unauthorized disclosure triggers mandatory breach notification within 72 hours per applicable jurisdiction.
Executive stopped here. Already got what they needed: legal risk exists, there are timelines.
Tier 2 — Confidential: Data whose disclosure would cause material business harm but does not trigger mandatory regulatory notification. Includes aggregated analytics with potential for competitive inference, pre-release financial projections, vendor contract terms with MFN clauses, and internal audit findings prior to board review. Access restricted to named roles; see §4.1 for RBAC matrix.
Tier 3 — Internal: Data intended for organizational use with low disclosure risk. Departmental planning documents, internal communications not subject to litigation hold, de-identified research datasets meeting Safe Harbor criteria 45 CFR §164.514(b). Standard access controls; no additional encryption at rest required beyond baseline AES-256.
Everyone else stopped here. Too much policy architecture. They need to know what to do, not why.
Tier 4 — Public: Data cleared for external distribution through the approved release process (see §6.3). Reclassification from Public to any restricted tier requires DGC approval and retroactive access audit.
Section 5.1
Data Incident Response Protocol

Upon identification of a suspected data incident — defined as any unauthorized access, disclosure, modification, or destruction of data classified Tier 1 or Tier 2 — the discovering party initiates the response protocol by filing a Data Incident Report (DIR) through the GRC platform within 4 hours of discovery.

The DIR triggers automatic notification to the Data Governance Council (DGC) duty officer, the relevant Data Domain Owner (DDO), and the Information Security Incident Response Team (ISIRT). The DGC duty officer performs initial triage within 2 hours of DIR receipt, classifying the incident as Category A (confirmed breach of Tier 1 data with external exposure), Category B (confirmed breach of Tier 2 data or Tier 1 with contained internal exposure), or Category C (suspected but unconfirmed incident requiring investigation).

34 pages. Three audiences. None of them will read it like this.
02

Then, I adapted it for specific audiences in formats tailored for their needs.

Each version restructures what the reader sees first and how much detail surfaces at each level.

“You found the breach. Here's exactly what to do in the next four hours.”

34 pages of policy, and the people who reference it daily need answers in ten seconds. This version strips the reasoning and surfaces the actions: color-coded tiers, inline response steps, and a clear escalation path.

Every section tells the reader exactly what to do and who to contact. It's the version a data steward actually keeps open at their desk.

View the full reference →
What?Vertical reference document
Who?Data stewards, governance practitioners
Why?Strip the reasoning, surface the actions. Every tier tells the reader exactly what to do.

“The company's data practices were built for a smaller operation. The operation grew.”

Leadership doesn't need the procedural detail. They need the case for why this matters and why now.

This version leads with risk exposure and cost of inaction, walks through the classification framework at a high level, and closes on what the company gains. The format is a scrollytelling narrative designed to earn budget approval, not explain implementation.

Read the full narrative →
What?Scrollytelling narrative
Who?Senior leadership, budget decision-makers
Why?Lead with the problem. Bury the procedural detail. End on what the company gains.

“We're changing data handling this quarter. Here's what you need to know about the new framework.”

The department needs to know what's changing and what it means for their daily work.

This deck covers the classification system, the incident response protocol, and the new ownership model in seven slides designed for async review. Before/after framing makes the shift concrete. No speaker notes — it's built to stand on its own.

View the full deck →
What?Horizontal slide deck
Who?ICs and managers, department-wide
Why?Before/after framing. No speaker notes — designed to stand on its own.
03

I make sure each audience finds what they need in the first ten seconds.

Everything rides on the first ten seconds. Whether someone scans for a tier definition, reads for the business case, or clicks through slides before a Monday standup — they've already decided if this document is for them. I figure out what those ten seconds need to look like for each reader, then build backward from there.
Mae Mendoza · maemendoza.com