Data Governance Foundations: Practical Actions for SMEs and Not-For-Profits

These businesses often hold sensitive information like donor records, payroll data, personal details of clients or service users, and financial or grant information. 

Yet, many smaller organisations operate with: 

• Limited internal IT expertise. 
• Fragmented systems or spreadsheets. 
• Staff wearing multiple hats. 
• Tight budgets with competing operational demands. 

As the AICD’s Data Governance Foundations for Boards highlights, these constraints don’t remove responsibility – they simply make it more critical to get the basics right. 

Without basic governance: 

• Client and donor trust can be lost. 
• Regulators may intervene. 
• Service delivery can falter. 
• Increased exposure to cyber risks. 
• And funding partners may question credibility. 

This guide draws directly from the AICD’s recommendations for SMEs and NFPs and translates data governance principles into practical, achievable actions any small organisation can take today. 

Five Data Governance Principles for SMEs and Not-For-Profits

• Identify what data is critical for your clients, customers, operations, and reporting. 
• Understand how that data drives decisions, funding, or service delivery. 
• Review whether staff can use data confidently and effectively. 
• Use accessible analytics tools (e.g. Microsoft Power BI, Google Looker Studio). 
• Support strategic investments to build capability over time. 

• Appoint a senior staff member (or external partner) responsible for key data governance functions. 
• Consider whether a board member or subcommittee should oversee cyber and data risk. 
• Identify key digital platforms (CRMs, financial tools, grant systems) and review their settings. 
• Ensure clear documentation of who can access what. 
• Establish 2–3 core metrics to monitor how data is being used and protected. 

• Map where data is stored, how it moves, and who has access. 
• Use secure, reputable cloud platforms wherever possible. 
• Avoid staff storing work data on personal devices. 
• Minimise the collection of sensitive information and delete it when no longer needed. 
• Regularly review and update access controls and backup procedures. 

• Provide basic data literacy training to staff and volunteers. 
• Select one visible challenge or process to improve data and celebrate the results. 
• Ask for data to inform board or management discussions. 
• Nominate “data champions” who can encourage best practice among their teams. 
• Recognise and reward efforts that show responsible or innovative use of data. 

• Develop a simple incident response plan covering data and cyber events. 
• Test that plan through a tabletop exercise (e.g. a simulated breach scenario). 
• Communicate honestly and clearly with affected stakeholders if something goes wrong. 
• Consider ways to rebuild trust such as offering compensation or improved controls. 
• Document lessons learned and use the incident to strengthen your data practices. 

Veracity works with small organisations to develop simple, fit-for-purpose IT and data governance strategies that protect your reputation, meet obligations, and support your goals. We can run tailored phishing and cyber breach simulations, conduct staff training, and provide support and guidance on cost-effective technology controls and management you can adopt in your organisation. Read more about how we support NFPs via the link below or get in touch or directly via [email protected].