The GC's Guide to Good Data Governance.
Following our successful and informative Shift Advisory and Shift GC Network event month, 'A GC's Guide to Data Governance', we've captured insights from our powerhouse panel:
Rachel O'Brien – Director at O'Brien Legal
Tim Fletcher – Chief Legal and People Officer at Modica Group
Rebecca Holdsworth – Head of Privacy and Responsible AI at One NZ
Caroline Wishart – Head of Information Management at Fonterra
In this article, we share some of their key perspectives on how GCs can navigate the challenges and opportunities of data governance with confidence.
Data has become the engine driving every organisation's strategy, customer trust, and competitive advantage. For General Counsel (GCs), this presents both immense opportunity and real risk. We're swimming in data, from customer records to AI-enabled analytics, and legal teams are expected to help their organisations unlock its value while navigating complex regulatory, contractual, and ethical challenges.
Below are five priorities for GCs looking to lead confidently in this space.
1. Understand who owns and uses data in your business — and build strong relationships there
In some organisations, there's a dedicated data team with its own leadership, budget, and direct line to the board. In others, data sits within IT, marketing, product, or operations — but is still a critical driver of business decisions.
As GC, it pays to understand where and how your organisation is using data, what types of data are most valuable, and who the key decision-makers are. Whether it's a formal data function or a handful of people championing data use, invest time in building trust and a shared understanding.
Boost your own data literacy by learning about the tools, platforms, and processes in play. Recognise that the mindset of people working with data often differs from legal's — they may move fast, test new approaches, and iterate quickly. Being part of these conversations early allows you to spot legal and ethical issues before they escalate, while also helping your organisation unlock data's value with confidence.
2. Start with a manageable inventory of your most critical data
It's easy to feel overwhelmed by the sheer volume of data flowing through the business. Many legal teams postpone engagement because they think they need to map everything perfectly before taking action. But you don't need to boil the ocean.
Focus first on identifying and documenting your most critical data categories—the five or so datasets your business absolutely depends on. This could be accurate customer contact information, financial records, or core intellectual property. Look at where this data is held, who is responsible for it, and how it moves through the business.
A practical way to approach this is to chunk the task into manageable pieces: do a risk assessment on each critical dataset, then expand your mapping over time. Even an incomplete inventory will help highlight priorities and clarify who needs to be involved.
3. Anchor policies and decisions in your company's values
While technology moves quickly, enduring values don't. A values-based framework helps you navigate fast-evolving risks—particularly with AI and automation.
Begin by having a conversation with your executive team and board about your organisation's appetite for risk. Not all data or AI use cases carry the same level of exposure. For example, sharing anonymised operational data with a vendor may be acceptable, while sending sensitive customer records into an AI platform might be strictly off-limits.
By agreeing early on the principles—privacy, security, fairness, respect for human dignity—you create a reference point for assessing new tools and scenarios. If your policies and processes have been endorsed at board level, they become part of the corporate governance fabric rather than ad hoc decisions.
4. Educate the board and executives—and make it practical
Many boards are understandably excited about the "shiny opportunities" of AI and data analytics. But enthusiasm can sometimes outpace an understanding of the risks.
As GC, you play a crucial role in balancing this tension. Find ways to make risks tangible: for example, illustrate what could happen if a customer's personal data were misused or inadvertently disclosed. Consequence-scanning exercises can help leaders see how different scenarios would play out in practice.
Consider bringing in external experts to present to your board and create opportunities for them to engage hands-on with AI tools. When decision-makers can see and test new technologies themselves, they are more likely to understand both their benefits and their limitations. Framing discussions in familiar governance language—risk appetite, reputational exposure, compliance obligations—also makes these conversations less intimidating.
5. Strengthen supplier contracts and oversight
Even the best internal policies won't protect you if your third-party vendors don't share your standards. As organisations increasingly rely on external partners for AI and data processing, supplier governance is critical.
At a minimum, ensure your contracts include robust privacy, security and data handling obligations, and rights to audit. Given how quickly vendors' terms can change, try to secure termination for convenience clauses, so you're not locked into arrangements if circumstances evolve.
Don't forget to think beyond the immediate vendor. Fourth- and fifth-party subcontractors can introduce hidden vulnerabilities. While it's often impractical to monitor all subcontractors directly, your agreements should include provisions that flow obligations down the chain. Requiring suppliers to maintain up-to-date lists of their own partners and adhere to external standards such as ISO certifications or your Supplier Code of Conduct can provide an added layer of assurance.
Final Thoughts
Data governance is a core part of corporate governance and an essential enabler of trust. For GCs, this is a moment to step into a leadership role, shaping how data is managed, protected, and leveraged responsibly.
Start by building strong relationships with your data colleagues, mapping what matters most, and embedding clear values in every decision. Equip your board with practical understanding, and don't hesitate to push for high standards with your suppliers. While the landscape will continue to evolve, these foundations will help you navigate change confidently and protect your organisation's most valuable asset: trust.
