What is a governance model? In data protection and information security

A governance model is an organisational recipe that answers the question: Who does what, when, how and why? In this article, we explain what a governance model should include and share two concrete examples from the world of data protection and information security.

Published: 
November 18, 2024
Jacob Høedt Larsen
PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of Sustainable Compliance podcast and an expert on GRC workflows, supported by software, setting up a GRC program, managing a GRC team and securing management buy-in.

Why have a governance model?

A strong governance model brings clarity. It ensures consistency in who makes decisions and how those decisions are made—reducing grey areas and uncertainty.

At the same time, it helps strengthen collaboration between legal, IT and business functions, as it prompts valuable reflection on how they work best together.

Ultimately, a governance model supports risk management and compliance with legal requirements and standards such as the GDPR, NIS2 and ISO 27001.

What does a governance model include?

A governance model typically includes:

  1. Roles and responsibilities
     1. Who has the authority to make which decisions?
     2. Who is responsible for day-to-day operations?
     3. Who needs to be involved, and when?

     Management, DPOs, CISOs, system owners and data processors are all examples of key roles in a governance structure for information security and data protection.
  2. Decision-making processes
     1. How are decisions made in different situations?
     2. Which committees or forums are involved?

     Common governance processes include procuring new systems, conducting risk assessments, and handling security incidents or data breaches.
  3. Policies and guidelines
     1. What principles guide your decisions?
     2. How are these implemented and enforced?

     Information security policies, privacy policies and access control policies are all examples relevant to governance in this space.
  4. Monitoring and control
     1. How do you measure and verify that the governance model is being followed?

     This might include audits, KPIs, risk assessments or regular reviews of your records of processing.
  5. Reporting and transparency
     1. How is governance reported to senior leadership?
     2. How are governance activities documented?

Tailoring your governance model to your organisation

Every organisation is different. That's why governance models must be adapted to your structure and needs. For data protection, legal requirements and recognised standards can be a useful source of inspiration.

We’ve prepared two sample governance models:

They might help spark ideas for your own setup.