This skill should be used when the user asks to "build a data catalog", "define data ownership", "classify sensitive data", "design retention policies", or mentions GDPR, CCPA, data stewardship, PII, or federated governance. [EXPLICIT] It produces governance frameworks covering catalog design, ownership models, classification taxonomies, retention policies, privacy compliance, and data mesh governance. [EXPLICIT] Use this skill whenever the user needs data governance strategy, even if they don't explicitly ask for "data-governance". [EXPLICIT]
From jm-adknpx claudepluginhub javimontano/jm-adk-alfaThis skill is limited to using the following tools:
agents/guardian.mdagents/lead.mdagents/specialist.mdagents/support.mdevals/evals.jsonknowledge/body-of-knowledge.mdknowledge/knowledge-graph.mdprompts/meta.mdprompts/primary.mdprompts/variations/deep.mdprompts/variations/quick.mdreferences/governance-frameworks.mdtemplates/output.docx.mdtemplates/output.htmlData governance defines how data assets are discovered, owned, classified, retained, and protected across an organization. This skill produces governance frameworks that enable trust in data, regulatory compliance, and scalable self-serve data access. [EXPLICIT]
Datos sin dueño son datos sin calidad. El modelo de ownership se establece ANTES de catalogar. La clasificación determina la protección — no al revés. Privacy by design no es un afterthought sino el punto de partida de cada pipeline. Cada activo de datos tiene un dueño con nombre y apellido, un nivel de clasificación, y una política de retención vinculada a regulación específica.
The user provides an organization or data domain as $ARGUMENTS. Parse $1 as the organization/domain name used throughout all output artifacts. [EXPLICIT]
Parameters:
{MODO}: piloto-auto (default) | desatendido | supervisado | paso-a-paso
{FORMATO}: markdown (default) | html | dual{VARIANTE}: ejecutiva (~40% — S1 catalog + S3 classification + S5 privacy compliance) | técnica (full 6 sections, default)Before generating governance artifacts, detect the data landscape:
!find . -name "*.sql" -o -name "*.py" -o -name "*.yaml" -o -name "*.json" -o -name "schema*" | head -30
Use detected schemas, pipelines, and data sources to tailor catalog structure, classification rules, and ownership recommendations. [EXPLICIT]
If reference materials exist, load them:
Read ${CLAUDE_SKILL_DIR}/references/governance-frameworks.md
Select or combine based on organizational context. These are complementary, not mutually exclusive. [EXPLICIT]
| Criterion | DAMA DMBOK 3.0 | DCAM (EDM Council) | ISO 38505 | COBIT |
|---|---|---|---|---|
| Scope | 11 knowledge areas, full data management lifecycle | Capability assessment and benchmarking | IT governance extension for data, board-level | IT governance + controls, risk-oriented |
| Best for | Comprehensive data management programs | Regulated industries needing peer comparison | Orgs with existing ISO governance | Compliance-driven, audit-heavy contexts |
| Maturity model | No built-in assessment | Yes — assessment-based, benchmarkable | Strategic guidance, less operational detail | CMMI-aligned capability model |
| Certification | CDMP (individual) | DCAM assessment (organizational) | ISO audit certification | COBIT Foundation (individual) |
| AI/Cloud readiness | DMBOK 3.0 (2025) adds AI governance, cloud-native | Updated for modern data platforms | Lags on modern architecture | Limited data-specific guidance |
| Typical combination | Use as overarching guide | Pair with DMBOK to measure maturity | Layer on for board-level accountability | Layer on for audit controls |
Practical recommendation: Use DAMA DMBOK as the knowledge base, DCAM to assess maturity, and supplement with ISO/COBIT for regulatory or board-level requirements.
Assess current state before prescribing solutions. 5-level model aligned with DAMA DMBOK and CMMI. [EXPLICIT]
| Level | Name | Characteristics | Governance Style | Acceptance Criteria |
|---|---|---|---|---|
| 1 | Initial | No formal governance, tribal knowledge, reactive | None — start with data inventory | <20% assets cataloged, no formal owners |
| 2 | Developing | Emerging awareness, fragmented policies, siloed ownership | Centralized — establish foundations | 20-50% assets cataloged, RACI drafted |
| 3 | Defined | Documented policies, cross-functional alignment, RACI in place | Centralized with domain input | >50% assets cataloged, policies enforced manually |
| 4 | Managed | Integrated into operations, metrics-driven, automated enforcement | Federated — domains adopt standards | >80% assets cataloged, automated classification |
| 5 | Optimizing | Continuous improvement, predictive compliance, self-serve | Computational — policy as code | >95% assets cataloged, <1% policy violations |
Assessment method: Score each criterion (policy documentation, ownership coverage, classification completeness, automation ratio, compliance incident rate) from 1-5. Average determines level. Target: advance one level per 6-12 months.
Maps data assets across the organization. [EXPLICIT]
Catalog platform selection criteria:
| Criterion | Atlan | Alation | DataHub (OSS) | OpenMetadata (OSS) |
|---|---|---|---|---|
| Deployment | SaaS | SaaS / On-prem | Self-hosted | Self-hosted |
| Auto-cataloging | Yes, 50+ connectors | Yes, broad connectors | Yes, plugin-based | Yes, 30+ connectors |
| Lineage | Column-level | Column-level | Table + column | Table + column |
| Search UX | Natural language, AI-powered | Business glossary-driven | Faceted search | Faceted search |
| Cost | $$$ (enterprise SaaS) | $$$$ (enterprise) | Free (infra cost) | Free (infra cost) |
| Best for | Modern data stack, mid-large orgs | Large enterprise, compliance | Engineering-led, cost-conscious | Small-mid orgs, Airflow-native |
Includes:
Key decisions:
Defines who is accountable for data assets and who maintains them. [EXPLICIT]
Includes:
Key decisions:
Assigns sensitivity tiers enabling proportional security and handling. [EXPLICIT]
Includes:
Key decisions:
Governs how long data is kept, when archived, when purged. [EXPLICIT]
Includes:
Key decisions:
Maps privacy regulations to data assets and operationalizes compliance workflows. [EXPLICIT]
Regulation mapping (specific provisions):
| Requirement | GDPR | CCPA | LGPD |
|---|---|---|---|
| Processing records | Article 30 — written records of processing activities | Section 1798.100 — disclosure of data categories | Article 37 — processing activity records |
| Right to access | Article 15 — 30-day response | Section 1798.110 — 45-day response | Article 18 — 15-day response |
| Right to delete | Article 17 — erasure unless legal basis | Section 1798.105 — deletion with exceptions | Article 18(IV) — elimination |
| Consent | Article 7 — explicit, granular, withdrawable | Opt-out model (no prior consent for most) | Article 8 — explicit, specific purpose |
| Breach notification | Article 33 — 72 hours to authority | Section 1798.150 — reasonable security | Article 48 — reasonable timeframe |
| Cross-border transfer | Articles 44-49 — adequacy, SCCs, BCRs | No restriction (but state laws vary) | Article 33 — adequate protection |
Includes:
Key decisions:
Applies governance as executable code in federated architectures. [EXPLICIT]
Data product thinking: Each dataset treated as a product with:
Computational policies (policy as code):
Global vs local policy boundary:
Key decisions:
| Decision | Enables | Constrains | When to Use |
|---|---|---|---|
| Centralized Governance | Consistency, simpler audits | Bottleneck, slower iteration | Small orgs, highly regulated, Level 1-2 |
| Federated Governance | Domain autonomy, scalability | Inconsistency risk, platform investment | Large orgs, data mesh, Level 4-5 |
| Automated Classification | Speed, coverage, consistency | False positives, tuning effort | Large data estates, frequent schema changes |
| Manual Classification | Accuracy, business context | Slow, doesn't scale | Small data estates, initial taxonomy |
| Aggressive Retention | Regulatory safety, historical analysis | Storage costs, privacy risk | Regulated industries, audit-heavy |
| Minimal Retention | Cost savings, privacy compliance | Lost historical data | Privacy-first orgs, GDPR-sensitive |
Greenfield Organization: No existing assets. Start with data inventory, assign initial owners, define minimum viable classification (3 tiers). Avoid over-engineering governance for data that doesn't exist yet.
Highly Regulated Industry (Financial, Healthcare): Multiple overlapping regulations. Map each regulation to specific data elements. Retention and privacy may conflict (keep for audit vs delete for privacy) -- document resolution with legal counsel and maintain decision log.
Data Mesh Transition: Moving from centralized to federated. Run parallel models during transition. Platform team codifies policies as automated checks. Domains adopt incrementally with clear criteria for autonomy (must meet Level 3 maturity before self-governing).
Multi-Cloud / Hybrid Data Estate: Catalog must abstract over cloud locations. Cross-cloud lineage requires integration adapters. Classification and retention policies must be location-aware for data residency compliance.
Mergers & Acquisitions: Combining data estates with different governance models. Prioritize asset discovery (inventory both estates within 30 days), then harmonize classification and ownership. Expect 6-12 months for full integration. Assign interim owners immediately.
Before finalizing delivery, verify:
| Format | Default | Description |
|---|---|---|
markdown | Yes | Markdown con Mermaid embebido (ownership model, classification flow). |
html | On demand | Branded HTML (Design System). Visual impact. |
dual | On demand | Both formats. |
Default output is Markdown with embedded Mermaid diagrams. HTML generation requires explicit {FORMATO}=html parameter. [EXPLICIT]
Primary: A-01_Data_Governance_Framework.html -- Data catalog design, ownership model, classification taxonomy, retention matrix, privacy compliance workflows, data mesh governance strategy.
Secondary: Classification taxonomy document, RACI matrix, retention policy matrix, DSAR workflow diagram, OPA/Rego policy templates, catalog evaluation scorecard.
Author: Javier Montano | Last updated: March 18, 2026
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.