Data governance framework — catalog, ownership, classification, retention, privacy compliance, data mesh. Use when the user asks to "build a data catalog", "define data ownership", "classify sensitive data", "design retention policies", "ensure privacy compliance", "implement data mesh governance", or mentions GDPR, CCPA, LGPD, data stewardship, PII, data lineage, or federated governance.
From pm
npx claudepluginhub javimontano/mao-pm-apex
This skill is limited to using the following tools:
examples/README.md
examples/sample-output.html
examples/sample-output.md
prompts/metaprompts.md
prompts/use-case-prompts.md
references/body-of-knowledge.md
references/governance-frameworks.md
references/knowledge-graph.mmd
references/quality-patterns.md
references/state-of-the-art.md
Data governance defines how data assets are discovered, owned, classified, retained, and protected across an organization. This skill produces governance frameworks that enable trust in data, regulatory compliance, and scalable self-serve data access.
Data without an owner is data without quality. The ownership model is established BEFORE cataloging. Classification determines protection, not the other way around. Privacy by design is not an afterthought but the starting point of every pipeline. Every data asset has a named owner, a classification level, and a retention policy tied to a specific regulation.
The user provides an organization or data domain as $ARGUMENTS. Parse $1 as the organization/domain name used throughout all output artifacts.
Parameters:
{MODO}: piloto-auto (default) | desatendido | supervisado | paso-a-paso
{FORMATO}: markdown (default) | html | dual
{VARIANTE}: ejecutiva (~40% — S1 catalog + S3 classification + S5 privacy compliance) | técnica (full 6 sections, default)
Before generating governance artifacts, detect the data landscape:
!find . -name "*.sql" -o -name "*.py" -o -name "*.yaml" -o -name "*.json" -o -name "schema*" | head -30
Use detected schemas, pipelines, and data sources to tailor catalog structure, classification rules, and ownership recommendations.
If reference materials exist, load them:
Read ${CLAUDE_SKILL_DIR}/references/governance-frameworks.md
Select or combine based on organizational context. These are complementary, not mutually exclusive.
| Criterion | DAMA DMBOK 3.0 | DCAM (EDM Council) | ISO 38505 | COBIT |
|---|---|---|---|---|
| Scope | 11 knowledge areas, full data management lifecycle | Capability assessment and benchmarking | IT governance extension for data, board-level | IT governance + controls, risk-oriented |
| Best for | Comprehensive data management programs | Regulated industries needing peer comparison | Orgs with existing ISO governance | Compliance-driven, audit-heavy contexts |
| Maturity model | No built-in assessment | Yes — assessment-based, benchmarkable | Strategic guidance, less operational detail | CMMI-aligned capability model |
| Certification | CDMP (individual) | DCAM assessment (organizational) | ISO audit certification | COBIT Foundation (individual) |
| AI/Cloud readiness | DMBOK 3.0 (2025) adds AI governance, cloud-native | Updated for modern data platforms | Lags on modern architecture | Limited data-specific guidance |
| Typical combination | Use as overarching guide | Pair with DMBOK to measure maturity | Layer on for board-level accountability | Layer on for audit controls |
Practical recommendation: Use DAMA DMBOK as the knowledge base, DCAM to assess maturity, and supplement with ISO/COBIT for regulatory or board-level requirements.
Assess current state before prescribing solutions. 5-level model aligned with DAMA DMBOK and CMMI.
| Level | Name | Characteristics | Governance Style | Acceptance Criteria |
|---|---|---|---|---|
| 1 | Initial | No formal governance, tribal knowledge, reactive | None — start with data inventory | <20% assets cataloged, no formal owners |
| 2 | Developing | Emerging awareness, fragmented policies, siloed ownership | Centralized — establish foundations | 20-50% assets cataloged, RACI drafted |
| 3 | Defined | Documented policies, cross-functional alignment, RACI in place | Centralized with domain input | >50% assets cataloged, policies enforced manually |
| 4 | Managed | Integrated into operations, metrics-driven, automated enforcement | Federated — domains adopt standards | >80% assets cataloged, automated classification |
| 5 | Optimizing | Continuous improvement, predictive compliance, self-serve | Computational — policy as code | >95% assets cataloged, <1% policy violations |
Assessment method: Score each criterion (policy documentation, ownership coverage, classification completeness, automation ratio, compliance incident rate) from 1-5. Average determines level. Target: advance one level per 6-12 months.
Maps data assets across the organization.
Catalog platform selection criteria:
| Criterion | Atlan | Alation | DataHub (OSS) | OpenMetadata (OSS) |
|---|---|---|---|---|
| Deployment | SaaS | SaaS / On-prem | Self-hosted | Self-hosted |
| Auto-cataloging | Yes, 50+ connectors | Yes, broad connectors | Yes, plugin-based | Yes, 30+ connectors |
| Lineage | Column-level | Column-level | Table + column | Table + column |
| Search UX | Natural language, AI-powered | Business glossary-driven | Faceted search | Faceted search |
| Cost | $$$ (enterprise SaaS) | $$$$ (enterprise) | Free (infra cost) | Free (infra cost) |
| Best for | Modern data stack, mid-large orgs | Large enterprise, compliance | Engineering-led, cost-conscious | Small-mid orgs, Airflow-native |
Includes:
Key decisions:
Defines who is accountable for data assets and who maintains them.
Includes:
Key decisions:
Assigns sensitivity tiers enabling proportional security and handling.
Includes:
Key decisions:
Governs how long data is kept, when archived, when purged.
Includes:
Key decisions:
Maps privacy regulations to data assets and operationalizes compliance workflows.
Regulation mapping (specific provisions):
| Requirement | GDPR | CCPA | LGPD |
|---|---|---|---|
| Processing records | Article 30 — written records of processing activities | Section 1798.100 — disclosure of data categories | Article 37 — processing activity records |
| Right to access | Article 15 — 30-day response | Section 1798.110 — 45-day response | Article 18 — 15-day response |
| Right to delete | Article 17 — erasure unless legal basis | Section 1798.105 — deletion with exceptions | Article 18(IV) — elimination |
| Consent | Article 7 — explicit, granular, withdrawable | Opt-out model (no prior consent for most) | Article 8 — explicit, specific purpose |
| Breach notification | Article 33 — 72 hours to authority | Section 1798.150 — reasonable security | Article 48 — reasonable timeframe |
| Cross-border transfer | Articles 44-49 — adequacy, SCCs, BCRs | No restriction (but state laws vary) | Article 33 — adequate protection |
Includes:
Key decisions:
Applies governance as executable code in federated architectures.
Data product thinking: Each dataset treated as a product with:
Computational policies (policy as code):
Global vs local policy boundary:
Key decisions:
| Decision | Enables | Constrains | When to Use |
|---|---|---|---|
| Centralized Governance | Consistency, simpler audits | Bottleneck, slower iteration | Small orgs, highly regulated, Level 1-2 |
| Federated Governance | Domain autonomy, scalability | Inconsistency risk, platform investment | Large orgs, data mesh, Level 4-5 |
| Automated Classification | Speed, coverage, consistency | False positives, tuning effort | Large data estates, frequent schema changes |
| Manual Classification | Accuracy, business context | Slow, doesn't scale | Small data estates, initial taxonomy |
| Aggressive Retention | Regulatory safety, historical analysis | Storage costs, privacy risk | Regulated industries, audit-heavy |
| Minimal Retention | Cost savings, privacy compliance | Lost historical data | Privacy-first orgs, GDPR-sensitive |
| Case | Handling Strategy |
|---|---|
| Greenfield organization with no data assets | Start with a data inventory; assign initial owners; define a minimum viable classification (3 tiers); avoid over-engineering governance for data that does not yet exist |
| Highly regulated industry (financial, healthcare) | Multiple overlapping regulations; map each regulation to specific data elements; document the resolution of retention-vs-privacy conflicts with legal counsel |
| Transition to data mesh | Parallel models during the transition; platform team codifies policies as automated checks; domains adopt incrementally (Level 3 minimum before self-governing) |
| Multi-cloud / hybrid data estate | Catalog abstracts over cloud locations; cross-cloud lineage requires integration adapters; location-aware classification and retention for data residency |
| Mergers and acquisitions (M&A) | Prioritize asset discovery (inventory both estates within 30 days); harmonize classification and ownership; assign interim owners immediately; 6-12 months for full integration |
| Decision | Discarded Alternative | Rationale |
|---|---|---|
| Ownership model established BEFORE cataloging | Catalog first, assign owners later | Data without an owner is data without quality; the ownership model determines who is responsible for classification, retention, and quality |
| Column-level classification (not just table-level) | Table-level classification only | GDPR Article 30 requires field-level granularity for PII; table-level classification does not comply and does not allow selective masking |
| Privacy by design integrated into pipelines | Privacy as a post-implementation retrofit | Retrofit is 5-10x more costly and leaves exposure windows; privacy by design is the starting point of every pipeline |
| Federated governance for Level 4+ organizations | Centralized governance for all levels | Centralized governance does not scale in large organizations; federated governance enables domain autonomy with global standards |
```mermaid
graph TD
    subgraph Core["Core: Data Governance"]
        CAT[Data Catalog & Discovery]
        OWN[Ownership & Stewardship]
        CLS[Classification & Sensitivity]
        RET[Retention & Lifecycle]
        PRIV[Privacy & Compliance]
        COMP[Computational Governance]
    end
    subgraph Inputs["Inputs"]
        SCHEMA[Schemas & Sources]
        REG[Regulatory Requirements]
        ORG[Organizational Structure]
        EXIST[Existing Policies]
    end
    subgraph Outputs["Outputs"]
        CATOUT[Data Catalog Design]
        RACI[RACI Matrix]
        TAX[Classification Taxonomy]
        POLICY[Retention & Privacy Policies]
    end
    subgraph Related["Related Skills"]
        DQ[data-quality]
        DENG[data-engineering]
        SEC[security-architecture]
        ENT[enterprise-architecture]
    end
    SCHEMA --> CAT
    REG --> PRIV
    ORG --> OWN
    EXIST --> RET
    CAT --> OWN --> CLS --> RET --> PRIV --> COMP
    COMP --> CATOUT
    COMP --> RACI
    COMP --> TAX
    COMP --> POLICY
    DQ --> CLS
    CATOUT --> DENG
    CLS --> SEC
    COMP --> ENT
```
| Format | Name | Content |
|---|---|---|
| Markdown | A-01_Data_Governance_Framework.md | Complete framework with catalog design, ownership model, classification taxonomy, retention matrix, privacy compliance workflows, and data mesh governance strategy. Mermaid diagrams of the ownership model and classification flow. |
| XLSX | A-01_Data_Governance_Matrix.xlsx | Interactive matrix with asset inventory, column-level classification, assigned owners, retention policies by regulation, and compliance status per dataset. |
| HTML | A-01_Data_Governance_Framework_{cliente}_{WIP}.html | Same content in branded HTML (MetodologIA Design System v5). Light-First Technical, self-contained, WCAG AA, responsive. Includes a visual classification taxonomy, an interactive ownership RACI, and a retention policy matrix filterable by regulation. |
| DOCX | {fase}_Data_Governance_Framework_{cliente}_{WIP}.docx | Formal document via python-docx (MetodologIA Design System v5). Cover page, auto TOC, branded headers/footers, zebra tables. Poppins headings (navy), Montserrat body, gold accents. |
| PPTX | {fase}_Data_Governance_Framework_{cliente}_{WIP}.pptx | Via python-pptx with MetodologIA Design System v5. Navy gradient slide master, Poppins titles, Montserrat body, gold accents. Max 20 slides executive / 30 technical. Speaker notes with evidence references. |
| Dimension | Weight | Criterion |
|---|---|---|
| Trigger Accuracy | 10% | Description activates the correct triggers (data catalog, ownership, classification, GDPR, data mesh, PII) without false positives against data-quality or enterprise-architecture |
| Completeness | 25% | The 6 sections cover catalog, ownership, classification, retention, privacy, and computational governance without gaps; all data domains represented |
| Clarity | 20% | Instructions executable without ambiguity; classification with clear tiers and handling rules; regulations mapped to specific provisions; RACI with concrete roles |
| Robustness | 20% | Handles greenfield, strict regulation, data mesh transition, multi-cloud, and M&A with differentiated strategies |
| Efficiency | 10% | Process has no redundant steps; executive variant reduces to S1+S3+S5 without losing catalog, classification, and compliance |
| Value Density | 15% | Each section delivers direct practical value; the maturity model and regulation mapping are tools for immediate positioning and compliance |
Minimum threshold: 7/10.
Before finalizing delivery, verify:
| Format | Default | Description |
|---|---|---|
| markdown | Yes | Markdown with embedded Mermaid (ownership model, classification flow). |
| html | On demand | Branded HTML (Design System). Visual impact. |
| dual | On demand | Both formats. |
Default output is Markdown with embedded Mermaid diagrams. HTML generation requires explicit {FORMATO}=html parameter.
Primary: A-01_Data_Governance_Framework.html -- Data catalog design, ownership model, classification taxonomy, retention matrix, privacy compliance workflows, data mesh governance strategy.
Secondary: Classification taxonomy document, RACI matrix, retention policy matrix, DSAR workflow diagram, OPA/Rego policy templates, catalog evaluation scorecard.
Author: Javier Montaño | Last updated: March 12, 2026