A management consultant I spoke with recently found the same client registered under four different names across her CRM, accounting system, and project tool. The quarterly revenue report had never reconciled. Fixing the duplicates took an afternoon once she identified the authoritative record. The harder problem was underneath: nobody knew when the records had diverged, who had created the extras, or which fields were supposed to be current. The first is a master data problem. The second is a metadata problem. The two almost always travel together.
What is master data, and what is metadata?
Master data is the stable, core information your business runs on: client legal names and billing addresses, service price bands, staff roles and charge-out rates. These records do not change often, but when they are wrong, everything downstream goes wrong with them. Metadata is the layer that describes those records: where each one came from, who last updated it, what it means, and how long you are required to keep it.
A concrete example helps. The master data record for a client might be: “Barker & Sons Ltd, company number 09281374, invoicing email finance@barkersons.co.uk, fee rate Band B.” The metadata about that same record might be: “Created via Xero import, 14 March 2022. Last reviewed Q1 2026 by the operations lead. Verified against Companies House. Retention: six years after final invoice.” The record itself is the master data. The context around it, who created it, when it was verified, how long to keep it, is the metadata.
Atlan and OvalEdge both frame the relationship this way: master data describes the key entities in your business, and metadata provides the context that makes those entities trustworthy and usable across systems. Stibo Systems puts the operational definition clearly: master data is “critical data that is core to the operation of an organisation.” Metadata is what lets you govern it with confidence.
Why does the distinction matter for your business?
The practical reason to separate the two is that they point you at different problems. Inconsistent master data explains why invoices go to the wrong address, why reports contradict each other, and why a new team member searching for a client finds three records that all look plausible. Weak metadata explains why you cannot tell which version to trust, when any of them were last validated, or who is responsible for keeping them accurate.
IBM has estimated that poor-quality data costs organisations around US$3.1 trillion per year globally. For a small firm, the figure lands as billing errors, rework, and reports that nobody quite believes. Dataversity notes that metadata management specifically improves data quality by enabling lineage tracing and consistent field definitions, which raises confidence in reports and any analysis built on them.
There is also a direct compliance dimension. UK GDPR requires personal data to be accurate and, where necessary, kept up to date. The ICO requires controllers to document processing activities, data sources, retention periods, and security controls. That documentation is metadata. Two enforcement actions from 2020 illustrate what is at stake: the ICO fined British Airways £20 million following security failures affecting around 400,000 customer records, and fined Marriott £18.4 million following failures across some 339 million guest records globally, including around 7 million in the UK. Both cases turned on inadequate governance of client and contact data, the same kind of records that every small services firm holds.
Where will you actually come across these in a small firm?
For a 5-50 person firm, master data lives in the tools you already use: your CRM for client and contact records, your accounting system for client accounts and service codes, your HR or payroll system for staff roles and charge-out rates. These are your systems of record. The practical issue is that the same entity often ends up stored slightly differently across each one, because nobody has explicitly agreed which version is authoritative.
Metadata is already embedded in those tools too, though you may not be using it deliberately. CRM timestamps tell you when a record was last updated and by whom. Audit logs in accounting software track every change to a client record. Column names and data types in a spreadsheet are structural metadata. Security roles, specifying who can edit a particular field, and retention rules in a document management system are governance metadata.
Conduktor’s analysis distinguishes between technical metadata, covering schema and data lineage, and business metadata, covering definitions and ownership. Both types support data governance and discoverability. For a small firm, this usually surfaces as a practical question: does the “client type” field in your CRM mean the same thing as the “customer category” field in your billing system, and are both populated consistently? A short data dictionary answers that question and makes the answer visible to everyone who needs it.
When is tighter governance worth the effort, and when is it not?
The level of formality you need depends on your size, your system count, and what you are asking your data to do. A firm with fewer than ten staff, one primary system, and a stable client base can usually manage with a tidy CRM and one person responsible for data quality. The bar rises quickly once you are connecting multiple systems, building dashboards, running regulated activities, or feeding data into any AI tool.
For regulated services firms, the threshold is lower. The FCA’s SYSC rules require authorised firms to maintain adequate risk management systems and orderly records. FCA operational resilience guidance published in 2021 explicitly requires firms to understand their data and system interdependencies. The NCSC’s 10 Steps to Cyber Security frames asset management and data security as baseline hygiene: knowing what information you hold, where it is stored, and who can access it. These requirements describe what basic metadata and master data management makes possible.
There is also a useful counterpoint for firms not yet at that scale. If you are still switching tools every few months, formal data modelling is probably premature. Stable platforms come first. If your services are entirely bespoke with no repeatable reporting, the immediate returns from sophisticated metadata management are lower, though basic UK GDPR documentation is required regardless. The EU AI Act, finalised in 2024, adds a further consideration for firms using AI tools in EU-facing contexts: high-risk AI systems are expected to use training and validation data that is relevant, representative, and free of errors as far as possible, with documented data governance practices in place.
What do practical first steps actually look like?
You do not need a dedicated data team or enterprise-grade software. For a 5-50 person services firm, three focused actions cover the bulk of it: name one authoritative system for each of your main data domains, create a short data dictionary for your most important fields, and use the metadata features already built into your existing tools rather than leaving them switched off.
For systems of record, Precisely recommends naming 3-5 data domains and identifying one primary system for each. For a services firm, that typically means: clients and contacts in your CRM, services and price bands in your billing system, and staff with charge-out rates in HR or payroll. Once each domain has a named home, you have a starting point for deduplication and a clear answer to “which system wins?” when records differ.
For the data dictionary, a shared document works well. OvalEdge frames the core question as “which customer definition is the current standard?” and “which systems rely on this master record?” A simple table covering field name, definition, allowed values, system of record, data owner by role, and retention period answers both. The retention column directly supports your ICO documentation obligations for personal data.
For tools, use what is already available. Turn on audit logging if you have not already. Set required fields and use dropdown menus to enforce consistent status codes. Tag marketing contacts with source and consent type. If you are feeding any AI tools from your data, feed them from these agreed datasets rather than ad-hoc spreadsheets. Atlan and Profisee both note that master data management underpins analytics and AI applications. “Where did this number come from?” becomes a question with a clear answer rather than a conversation that ends with someone looking uncertain. If you want to talk through what this looks like in your firm, Book a conversation.
