The Core Building Blocks of Data Governance
Here’s the checklist I run through when I stand up or refresh a program.
- Lifecycle basics: How data is created, classified, stored and disposed of.
- Resilience by default: Backups, replication and recovery targets that are tested, not just documented. Ransomware is part of the plan, not an outlier.
- Clear labels: Sensitivity labels that travel with the data and trigger controls — encryption, access limits, data loss prevention — not just pretty tags.
- Real stewardship: Named owners and stewards who define terms, track lineage and can answer, “Which version is the official version?” without a scavenger hunt.
- Practical architecture: Consolidation where it makes sense; unified controls and catalogs where consolidation isn’t realistic.
- Security baselines: Least privilege, multifactor authentication, encryption at rest and in transit, continuous monitoring — rightsized to the classification.
- Privacy by design: Collect less, mask when you can, log access and tie use to a legitimate purpose.
How to Tackle Common Pain Points
I always set up a cross-department governance committee. IT is there, but so are finance, human resources, public safety, health — whoever owns high-value data. This group approves policies, breaks logjams and prioritizes data improvements. Without this committee, agency fiefdoms win by default.
Here are some common pain points (and how to tackle them).
- Fragmented ownership: I use a data catalog and a simple “responsible, accountable, consulted and informed” (RACI) model so every critical data set has a named business owner, steward and custodian. Ambiguity disappears.
- Legacy systems: Cloud helps, but modernization is a journey. I introduce shared controls (identity, encryption, backup and logging) that work across old and new, then migrate by risk and value.
- Limited cybersecurity bandwidth: Policies, baselines and guardrails reduce the need for an expert in every department. People follow patterns instead of reinventing them.
Steps for a Quick Readiness Scan
When I assess where you are, I’m looking for nine things:
- Executive sponsorship and a signed charter
- A lean policy set that includes classification, retention, acceptable use, access, encryption and recovery targets
- A catalog of your top 20 to 50 data sets with owners, stewards, classifications and systems of record
- Labels wired into productivity tools, data platforms and storage — enforced, not aspirational
- Identity hygiene, including role-based access, privileged access controls, multifactor authentication and periodic reviews
- Backup tiers that match classification, with recovery tests on the calendar
- Privacy controls, including purpose limitation, masking, auditing and defined response workflows
- Training that uses real scenarios, not generic slides
- Metrics, including quality scores, access audit exceptions, recovery test results and policy exception trends
A Starter Plan for Stronger Data Governance
Mature programs have fewer shadow copies, faster time to accurate dashboards and fewer arguments over definitions. Incidents are smaller because sensitive data is labeled and protected. And when leaders want to try artificial intelligence, the foundation — curated, compliant, high-quality data — is already there.
Here’s a straightforward 90-day starter plan:
- Days 1–30: Form the committee, approve the charter, adopt the minimal policies, pick the catalog or labeling technology and document your first 20 priority data sets.
- Days 31–60: Turn on labels and role-based access for those data sets. Map backup tiers to classifications. Stand up basic privacy logging and a few pragmatic data-quality rules.
- Days 61–90: Expand stewardship, publish a short data dictionary, run recovery tests and start a monthly scorecard so leaders can see progress and risks at a glance.
Strong data governance isn’t a massive reorganization or a silver-bullet platform. It’s steady, sensible guardrails that help people do the right thing with data, every day. Put those guardrails in place, and your analytics improve, your security posture strengthens and your citizens’ trust grows. That’s the outcome I’m building toward with every state and local team I support.

