Right-sized data governance for small teams

TL;DR

Right-sized data governance for a small UK services firm means documenting three to five critical data sets, assigning a named owner to each, and writing four short policies covering classification, access, retention, and incident response. The ICO requires this of every UK organisation processing personal data. A focused starter setup, using tools you already have, takes a few days rather than months.

Key takeaways

- Right-sized governance starts with three to five critical data sets, not full coverage from day one. Customer records, employee data, finance, and supplier details are the common starting point.
- The ICO requires every UK organisation to document what personal data it holds, why it holds it, and how long it will keep it, regardless of size.
- Half of UK businesses experienced a cyber breach or attack in the past year, with weak access controls and poor data classification among the most common contributing factors.
- For a typical 5-50 person services firm, four short policies and a named data steward per business domain cover the basics the ICO requires.
- Data governance, data quality, data retention, and AI governance share the same foundations, so work in one area compounds into the others.

A managing director at a 15-person professional services firm receives a subject access request from a former client. Under UK GDPR, she has 30 days to respond. The problem: no one in the business knows exactly what data they hold on that person, which systems it lives in, or who is responsible for locating it. Nothing malicious has happened. There are simply no agreed rules about where client data sits or who looks after it.

That gap is what data governance exists to close. And for a small team, closing it does not require an enterprise framework.

What is right-sized data governance?

Data governance is the set of decisions a business makes about what data it collects, who can access it, how long it keeps it, and who is accountable when something goes wrong. For a small services firm, right-sized governance means applying those decisions to a small number of critical data sets rather than attempting to cover everything at once.

The standard guidance for businesses at this scale is to start with three to five “crown jewel” data sets: customer records, employee data, financial information, and supplier details. These carry the highest legal obligations and the most risk if they are lost, leaked, or misused. Everything else can follow once the foundation is in place.

The UK government’s National Data Strategy describes a deliberately proportionate approach. It aims for a regime that is pro-growth, not one that loads administrative burden on firms without the resources to carry it. The ICO’s guidance for small organisations echoes this: every business must map its personal data, define retention periods, and control access, but a 15-person consultancy is not expected to operate like a regulated bank.

Why does data governance matter for your business?

The 2024 NCSC Cyber Security Breaches Survey found 50% of UK businesses experienced a breach or attack in the past year. For small firms, incidents that escalate rarely trace to sophisticated external attacks. They more often start with gaps in the basics: who has access to which systems, where data sits, and whether the business would notice if something went wrong.

The regulatory consequences of those gaps are documented. In 2020, the ICO fined a small London pharmacy £275,000 for storing around 500,000 medical documents in unlocked containers without adequate organisational controls. The enforcement was not about a technical failure. It was about an absence of process. The firm had no documented approach to how sensitive data should be stored, protected, or destroyed, and that absence was what the ICO cited.

For businesses regulated by the FCA, the standard is higher. Financial advisers, insurance brokers, and others under FCA supervision must demonstrate effective governance and oversight of data used in regulated activities, including data held in cloud systems and AI tools. The FCA has been explicit: boards remain accountable for data quality and model governance even when third-party technology is doing the processing.

There is a productivity case here too. When your data is accurate, well-classified, and covered by clear retention rules, your client reporting is faster, your records are cleaner, and any AI tools you deploy produce better outputs. Governance pays forward.

Where will you actually meet data governance in practice?

Data governance tends to show up in the day-to-day operational moments rather than as a discrete project. A new employee joins and needs CRM access. A client asks to be removed from your mailing list. Someone’s Microsoft 365 account needs revoking when they leave. Your accountant asks how long you should keep client financial records. These are the moments when having clear answers matters.

The practical point is that governance lives inside the tools you already use. Microsoft 365’s sensitivity labels and Purview retention policies can classify and restrict documents without custom infrastructure. Your CRM has role-based access controls that may not yet be configured. Your cloud accounting tool has an audit trail. Using what you already pay for is the right first step.

UK services firms commonly over-collect and under-delete, keeping records indefinitely because it feels safer. UK GDPR’s storage limitation principle says otherwise: personal data should be kept only as long as necessary and then securely deleted or anonymised. Automating retention rules in M365 or your records management system removes the manual policing, reduces your legal exposure, and cuts the volume of data you need to protect in the event of a breach.

When is a lighter approach enough, and when is it not?

For a 5-50 person services firm with no regulatory licence and no AI deployments processing sensitive personal data, four short policies and a named data steward in each business area cover the ground the ICO requires. A data classification policy, an access and acceptable use policy, a retention schedule, and a brief incident response plan are the foundation.
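One way to make the starter setup concrete, as an added example that is not part of the original post: a small data register kept as plain data, with checks for the gaps the four policies are meant to close (no named owner, missing classification or retention period, records held past their retention schedule) and a lookup that gives the starting point for a subject access request. All names, systems and dates are constructed; in practice the register would live in a shared document or your records management tool.

```python
from datetime import date, timedelta

REQUIRED_FIELDS = ("owner", "classification", "purpose", "retention_days", "system")
CLASSIFICATIONS = ("Public", "Internal", "Confidential", "Restricted")

# Constructed sample register for a hypothetical 15-person firm: names, systems and dates are invented.
REGISTER = [
    {"name": "Customer records", "subjects": "clients", "system": "CRM",
     "owner": "Head of Client Services", "classification": "Confidential",
     "purpose": "Deliver and invoice client engagements",
     "retention_days": 6 * 365, "oldest_record": "2017-03-01"},
    {"name": "Employee data", "subjects": "staff", "system": "HR folder (M365)",
     "owner": "Operations Manager", "classification": "Restricted",
     "purpose": "Employment administration",
     "retention_days": 6 * 365, "oldest_record": "2021-09-01"},
    {"name": "Finance", "subjects": "clients", "system": "Cloud accounting",
     "owner": None, "classification": "Confidential",  # gap: no named owner
     "purpose": "Statutory accounts and tax",
     "retention_days": 6 * 365, "oldest_record": "2019-04-06"},
    {"name": "Marketing list", "subjects": "prospects", "system": "Email platform",
     "owner": "Managing Director", "classification": "Internal", "purpose": "Newsletter",
     "retention_days": None, "oldest_record": "2016-01-01"},  # gap: no retention schedule
]

def governance_gaps(register):
    """(data set, problem) pairs where an entry fails the basic four-policy checks."""
    gaps = []
    for ds in register:
        for field in REQUIRED_FIELDS:
            if ds.get(field) in (None, ""):
                gaps.append((ds["name"], f"missing {field}"))
        if ds.get("classification") not in CLASSIFICATIONS:
            gaps.append((ds["name"], "unknown classification"))
    return gaps

def overdue_for_deletion(register, today_iso):
    """Data sets holding records older than their retention period (storage limitation)."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for ds in register:
        if ds.get("retention_days") is None:
            continue  # no schedule yet; governance_gaps reports that separately
        age = today - date.fromisoformat(ds["oldest_record"])
        if age > timedelta(days=ds["retention_days"]):
            overdue.append(ds["name"])
    return overdue

def locate_subject(register, subject_type):
    """Subject access request starting point: systems holding data on this kind of person, and their owners."""
    return [(ds["system"], ds["owner"]) for ds in register if ds["subjects"] == subject_type]
```

Run against the sample register, the checks flag the unowned finance data and the marketing list with no retention period, and report customer records as past their six-year schedule.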

The lighter approach has clear limits. FCA-regulated firms face more prescriptive expectations around operational resilience, oversight of cloud providers, and documented governance for data used in regulated activities. A framework designed for a small management consultancy will not meet that standard without additional controls.

The EU AI Act introduces a second trigger worth knowing. If your business develops or deploys high-risk AI systems (credit scoring, HR screening, and clinical decision support are examples that fall into scope), the Act requires documented governance over training and validation data even if your processing happens in the UK. For firms whose AI use is limited to a CRM assistant or a document summariser, this does not apply. But if AI is central to your product or your advice, it is worth checking early rather than late.

The practical question to ask is: does your sector, your AI ambitions, or your current scale push you into a category that needs more than the four-policy framework? If none of those apply, the lighter approach is sufficient. Start there and build as those things change.

What else connects to data governance?

Data governance sits at the intersection of three related disciplines: data quality, data retention, and AI governance. You cannot assess data quality without knowing who owns each data set and who is accountable for keeping it accurate. You cannot apply meaningful retention rules without knowing what you hold and where. You cannot govern how your AI tools use data without first governing the data itself.

The benefit of treating these as one body of work is that progress compounds. When you classify your customer data and assign a data steward, you have also laid the groundwork for a retention schedule, for defining which AI tools can access that data, and for answering a subject access request in a day rather than a month. The governance overhead does not multiply as you add each layer. It stacks.

For businesses thinking about AI adoption, the ICO’s guidance on profiling and automated decision-making assumes a firm already knows what data it holds and how accurate it is. Data governance and AI readiness draw on the same foundations, started at different points. The firms that find AI adoption straightforward are usually the ones that have already done this work.

Sources

- ICO (2024). Data protection advice for small organisations (SME hub). Covers UK GDPR obligations for small firms including record of processing activities, retention schedules, and data subject rights. https://ico.org.uk/for-organisations/sme-web-hub/
- UK Government (2020). UK National Data Strategy. Sets out the government's proportionate, pro-growth approach to data governance across UK organisations of all sizes. https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy
- UK Government / NCSC (2024). Cyber Security Breaches Survey 2024. Reports that 50% of UK businesses experienced a cyber breach or attack in the previous 12 months, with access control failures among key contributing factors. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024
- FCA (2016). FG16/5: Guidance for firms outsourcing to the cloud and other third-party IT services. Sets out FCA-regulated firms' obligations around data governance, oversight, and accountability for outsourced systems including AI. https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf
- NCSC. Small business guide: cyber security. Covers access control, backup, and data management disciplines that intersect directly with data governance for small organisations. https://www.ncsc.gov.uk/collection/small-business-guide
- ICO (2020). Doorstep Dispensaree Ltd monetary penalty notice. The ICO fined this small London pharmacy £275,000 for storing 500,000 unprotected medical documents without adequate organisational or technical measures. https://ico.org.uk/action-weve-taken/enforcement/doorstep-dispensaree-ltd-mpn/
- F1 Group (2026). Top 10 Data Governance Best Practices for UK Businesses. Recommends a four-tier classification scheme and a small data governance council for UK SMEs on Microsoft 365. https://www.f1group.com/data-governance-best-practices/
- Storetec. A Practical Guide to Data Governance for SMEs. Covers identifying crown-jewel data assets, automating retention rules, and building accessible policies for small organisations. https://storetec.net/blog/practical-guide-to-data-governance-for-smes/
- European Parliament and Council (2024). Regulation on Artificial Intelligence (AI Act). Mandates data governance and documentation for training and validation data in high-risk AI systems, relevant to UK firms supplying into the EU market. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2021:206:FIN

Frequently asked questions

Does a small business really need a data governance policy under UK GDPR?

Yes. The ICO expects every UK organisation to maintain a record of what personal data it holds, why it holds it, and how long it is kept. A small firm does not need a formal programme, but it does need documented answers to those questions for each data set it processes and a named person responsible for each area. The ICO's SME hub sets out the baseline expectations in plain language.

What is the difference between data governance and data security?

Data security covers the technical controls that protect your data from unauthorised access: passwords, encryption, and access permissions. Data governance is a layer above that. It defines who owns each data set, what the data is for, how long it is kept, and what the rules are around using and sharing it. Security protects the data; governance sets the terms on which it is held and by whom.

How much does it cost to set up basic data governance in a small firm?

For many small services firms, the main cost is staff time rather than software. Using existing tools such as Microsoft 365 sensitivity labels, your CRM's access controls, and a shared document for your retention schedule, you can build a working framework in a few focused days. Specialist help from a records management provider is useful for the first pass, but ongoing maintenance is light once the foundations are in place.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
