Data Governance
Data & Tracking
Also: data management policy · marketing data governance
Quick definition
The framework of policies, standards and responsibilities that govern how an organisation collects, stores, uses and protects data. For marketers, data governance defines what customer data you can collect, how long you keep it and what you can do with it.
Where it shows up in the data
Collecting only the data you actually need for a stated purpose. The opposite of 'collect everything and figure it out later.' Legally required under the Australian Privacy Principles.
Documenting how and when customers consented to data collection and use. Particularly important for email marketing, retargeting and data sharing with third parties.
How long you keep personal data. Keeping data indefinitely is both a liability (breach risk) and a legal issue. Define retention periods per data type and build deletion processes.
Knowing where your data came from, how it was transformed and where it flows. Critical for audit trails and for understanding attribution data quality.
What it actually means
Data governance is the organisational practice of treating data as an asset with responsibilities attached. Every piece of customer data you hold — an email address, a phone number, a purchase history, a behavioural profile — carries legal obligations under the Privacy Act and ethical obligations to the customer who provided it. Data governance means having clear answers to: what data do we hold, where does it live, who has access to it, why do we have it, and what is our plan when something goes wrong.
You cannot protect data you don't know you have. Data governance starts with a data inventory.
How it shows up
Data governance appears in your privacy policy, consent forms, email unsubscribe processes, data retention schedules and platform access controls. Marketers interact with data governance most visibly through consent management platforms (cookie banners), email permission management and the rules about what data can be shared with ad platforms.
The Australian context
The Australian Privacy Act 1988 and Australian Privacy Principles (APPs) govern how personal information is handled. Proposed reforms from the Privacy Act Review (2023) include stricter consent requirements, a direct right to erasure and increased penalties. Australian businesses with any EU customers are also subject to GDPR. The OAIC (Office of the Australian Information Commissioner) is the enforcement body.
Common questions
Does my small Australian business need a data governance policy?
If you have annual turnover over A$3M, or if you handle sensitive information (health records, financial data, employee data), the Privacy Act applies. Even below this threshold, if you have EU customers, GDPR applies. A basic data governance policy is advisable for any business that collects email addresses or runs retargeting ads.
What is the difference between data governance and data security?
Data security is about protecting data from unauthorised access (encryption, access controls, breach prevention). Data governance is broader — it covers the policies about what data you collect, why, for how long and how it can be used. Security is a component of governance, not the whole thing.
About New Rebellion
New Rebellion is a marketing intelligence consultancy. We build tools, score Australian businesses on how their marketing actually performs, and publish Debrief every day. This dictionary is part of how we work in the open.