Portfolio sample · Arcline is fictional
Arcline · Internal · Data Governance

Data Governance Framework

What the framework covers, how it's structured, what changes for your team. Designed for async review across the department.

Prepared by the Data Governance Council · Q2 2025

01 · The Challenge

Arcline handles sensitive data across every business unit. No unified system governs how.

Data handling currently depends on team-level norms. Those norms vary across departments, and new hires inherit them without documentation. The company's regulatory obligations have expanded; the practices have not kept pace.

02 · Classification

Four tiers, based on what happens if the data is exposed.

Every data asset the company holds falls into one of these categories. The tier determines the protections and response timeline, with accountability assigned at each level.

Tier 1 — Restricted

Regulatory notification required

Health records, financial credentials, government-issued IDs. Exposure triggers mandatory reporting within 72 hours.

Tier 2 — Confidential

Material business harm

Unreleased financials, vendor contract terms, pre-board audit findings. No regulatory mandate but significant organizational damage.

Tier 3 — Internal

Standard protections

Departmental planning docs, internal communications. Baseline encryption and standard access controls.

Tier 4 — Public

Cleared for distribution

Press releases, published financials. Already through the approval process.

03 · Incident Response

When something goes wrong, the timeline is already defined.

Every incident follows the same escalation path. The tier of the affected data determines the speed and scope of the response.

| Category | Trigger | Timeline | What happens |
|---|---|---|---|
| Category A | Tier 1, external exposure | 6 hours | Full breach protocol. Executive briefing. Regulatory notification begins. |
| Category B | Tier 2 or Tier 1 contained | 48 hours | Domain Owner leads response. Contained investigation, remediation plan. |
| Category C | Suspected, unconfirmed | 5 business days | Security team investigates. Classify or close within the window. |

04 · Ownership Model

Every data domain has three roles. Your first contact is your steward.

The framework separates governance decisions from implementation. Each role has a defined scope and a clear escalation path.

Domain Owner

VP-level accountability

Sets classification policy for their domain. Accountable for regulatory compliance. Makes the final call during an incident.

Data Steward

Day-to-day governance

Your first point of contact for any data question. Maintains access lists, runs quarterly reviews, coordinates with legal as needed.

Custodians

Technical implementation

Implements the controls. Manages encryption and access provisioning based on steward and owner directives.

Governance decisions flow down. Incident reports flow up. The steward is the bridge.

05 · What Changes

Starting this quarter, data handling follows the framework.

The shift is structural. Individual judgment gets replaced by classification-driven protections with a defined escalation path.

Current state

Team norms and individual judgment

  • Data handling varies by department
  • Incident response assembled on the fly
  • No documented classification for most assets
  • Access decisions made by whoever is closest to the data

Under the framework

Classification determines protections

  • Every asset assigned a tier with defined controls
  • Incident response follows a documented protocol
  • Named owners and stewards for each data domain
  • When in doubt, treat as confidential and contact your steward
06

Two things to remember from this deck: your steward's name and when to file a report.

The full technical reference is available on the governance wiki. Reach out to your department's data steward with questions.

Image credits: Dan Nelson and Josh Hild via Pexels.