How governance operates across cloud, SaaS and unstructured data



Data governance rarely fails because policy is unclear. It fails because it doesn’t reflect how data is actually created, used and shared.

On paper, governance can look mature. There are policies, frameworks and assigned owners. But in practice, many organisations still can’t answer fundamental questions with confidence, such as: What sensitive data do we hold? Where is it today? Who has access to it? What should we keep, and what should we remove?

That gap becomes more difficult to manage as data spreads across cloud platforms, SaaS applications and large volumes of unstructured content. The way information is created and reused has changed. In many cases, governance hasn’t kept pace.

Governance hasn’t failed - it needs to adapt 

Traditional data governance models were built for more controlled environments. Data sat within systems, ownership was clearer, and controls could be applied at the application level. That model no longer reflects how data is created and used today.

Today, data moves across platforms, teams and formats. It is copied, shared, exported and reused, often in ways that are hard to track. Much of it sits in unstructured formats (documents, emails and working files) where visibility is limited and risk is often highest. 

This is where governance starts to break down. It’s not because the organisation lacks intent. It’s because the model no longer aligns with how data behaves. 

Moving from frameworks to practical models 

Most organisations already have a data governance framework. The challenge is making it work in practice. 

The shift is from governance as a set of principles to governance as an operating model embedded in day-to-day decision making.

That means focusing less on what is documented and more on what can be consistently demonstrated: 

  • A clear, current view of what data exists across the organisation 
  • Meaningful ownership of data risk, not just systems 
  • Consistent decisions around access and retention 
  • The ability to act on those decisions, not just report on them.

This is what turns governance from a compliance exercise into something the business can rely on. 

What works in practice 

There is no single model that fits every organisation. But the ones that work tend to share some common characteristics. 

They focus on the data, not just the system. Ownership is tied to the data itself - what it is, how sensitive it is and how it is used - rather than the application it happens to sit in. This is critical in SaaS and unstructured environments, where the same data can exist in multiple places. 

They bring unstructured data into scope early. This is often where the highest volumes of sensitive data sit, yet its governance is weakest. Treating it separately or retrospectively limits the effectiveness of the overall model. 

They rely on continuous visibility. A point-in-time view is quickly outdated. Effective models maintain an ongoing view of the data environment across cloud, SaaS and on-prem platforms, allowing decisions to be based on what exists now, not what existed months ago. 

They prioritise where it matters. Trying to address everything at once rarely delivers results. Progress is usually made by focusing on areas that materially change risk - over-permissioned access, duplicated data, long retention periods or high-risk data combinations. 

They connect insight to action. Visibility alone does not reduce risk. Governance becomes effective when organisations can act with confidence by removing data that is no longer required, tightening access and assigning clear accountability. 

Fragmentation is the real barrier 

In many organisations, the challenge isn’t a lack of capability. It’s that governance is spread across multiple teams and systems. 

Different platforms have different controls. Privacy, cyber, data and records functions each bring their own perspective. While each area is important, they don’t always align in practice. 

The result is inconsistent decisions, duplication of effort and gaps in accountability. 

Stronger governance models bring these views together. They create a shared understanding of: 

  • What data exists 
  • Where it resides 
  • How sensitive it is 
  • Who is responsible for it 
  • What needs to change. 

That doesn’t require replacing existing tools. In many cases, the more effective approach is connecting what’s already in place so governance becomes part of how the organisation operates, rather than a parallel process.

Why this matters now 

Expectations are changing. Regulators are looking for demonstrable control, not just policy intent. 

Cyber responses require speed and clarity. AI adoption depends on knowing what data is being used and how it is governed. 

Without a practical model in place, organisations are forced into reactive cycles - one-off clean-ups, workarounds and ongoing uncertainty. 

With the right model, the benefits are clearer: 

  • Reduced data risk and exposure 
  • Lower storage and management costs 
  • Stronger compliance confidence 
  • Faster progress across cloud and digital initiatives 
  • A more controlled path to AI adoption. 

Governance shifts from being a constraint to an enabler of better decisions.

Making governance sustainable 

Short-term clean-ups will only take you so far. 

Data environments change quickly. Without an underlying model, most organisations find themselves revisiting the same issues within a relatively short period of time. 

What holds is simpler, but more disciplined: 

  • Clear ownership and accountability 
  • Consistent, repeatable processes 
  • Ongoing visibility into the data environment 
  • Practical decision-making embedded in day-to-day operations.

Governance doesn’t need to be perfect, but it must be practical, consistent, and aligned to how the organisation actually operates. 

How BDO and BigID can help 

BDO’s approach to data governance is advisory-led. We start with risk, regulation, and operating model considerations, then work with organisations to strengthen visibility, accountability, and control in a way that is practical and sustainable. 

Through our partnership with BigID, we combine our advisory approach with technology-enabled data visibility and control, helping organisations translate privacy obligations into measurable, evidence-based action. 

This includes moving from fragmented or manual processes to more consistent, evidence-based data management practices that support privacy, cyber, and broader regulatory obligations. 

If your organisation is reviewing how well its current data governance model reflects today’s data landscape, BDO’s digital specialists can help you identify where risk sits today and prioritise the actions that will have the greatest impact, whether through a targeted review or as part of a longer-term governance program. Contact our team to find out more. 

Key takeaways

Governance fails when it doesn’t match data reality
  • Many organisations have policies in place, but governance breaks down when it doesn’t reflect how data is actually created, shared and reused across cloud, SaaS and unstructured environments.
Effective governance requires an embedded operating model
  • Moving beyond frameworks to practical, day-to-day decision-making - including clear data ownership, consistent access and retention decisions, and the ability to act - turns governance into something the business can rely on.
Visibility and action are critical to reducing data risk
  • Continuous visibility of data across environments, combined with the ability to prioritise risks and take action, enables organisations to reduce exposure, strengthen compliance and support digital and AI initiatives.
