Design the Target Level | Part 3/4
Unstructured data is growing rapidly, and without a clear governance strategy, organisations risk being overwhelmed by outdated, unmanaged, and potentially
Execute and Maintain the Target | Part 4/4
Data Governance in Action – Implementation and Maintenance
Designing a data governance strategy is only the beginning. To truly manage unstructured data, organisations must implement their plans, monitor compliance, and continuously improve. Execution and maintenance are where theory meets reality—and where many organisations struggle.
Access Control – Who Can See What?
One of the most overlooked risks in unstructured data management is access control. On network drives, permissions are often misconfigured. For example:
- A folder may grant “Full Control” to the group “Everyone”
- File-level permissions may include “Domain Users”
This effectively gives all employees the ability to access, modify, or delete sensitive files. Such basic misconfigurations are often the root cause of internal data breaches.
In cloud environments like Microsoft 365 or SharePoint, external sharing adds another layer of risk. Without proper controls, users may accidentally share personal data outside the organisation.
Best Practices for permissions:
- Replace “Everyone” with “Authenticated Users”
- Limit access at both share and file levels
- Regularly audit permissions and remove unused access
- Use identity management tools (IDM) to enforce policies
File Sharing – Internal and External Risks
File sharing is essential, but tools such as Box, Dropbox, or WeTransfer must be vetted. Conduct a Data Protection Impact Assessment (DPIA) and ensure data processing agreements are in place.
In Microsoft 365 and Google Workspace, sharing settings can be controlled at site or folder level. However, users must be trained to:
- Set expiration dates for shared links
- Avoid anonymous or external sharing unless explicitly allowed
- Understand what data is safe to share
A real-world example: In a municipal education environment, over 16,000 internal sharing links were identified. The major concern was anonymous and external links, some of which exposed personal data to third parties.
Content Classification and Labelling
Governance begins with understanding what you are managing. Content classification tools can detect sensitive information—such as personal identifiers, financial records, or regulated terms. Labels (e.g. “Contains SSN”, “PII”, “Contractual”) enable automation, retention enforcement, and risk mitigation.
Organisational labels (e.g. “HR”, “Internal”, “Confidential”) help contextualise data for access control and policies. These can be applied manually or automatically, based on metadata or folder structure.
AI Without Data Awareness Is a Risk
AI tools such as Microsoft Copilot or ChatGPT are powerful—but risky if used without a clear view of your data landscape.
If unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.
Cloud Migration Doesn’t Equal Modernisation
Migrating legacy data “as-is” to Microsoft 365 or Google Workspace is common—but risky. Simply moving unmanaged files to the cloud does not reduce risk. Old formats remain unsupported, and sensitive data remains exposed unless actively governed.
Migration must be paired with classification, clean-up, and policy enforcement.
Environment Limitations
Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing. Legacy file servers lack classification, access auditing, and retention enforcement by default. Third-party tools can help, but require planning and investment.
Conclusion
Executing and maintaining a data governance strategy requires more than policies—it demands tools, training, and ongoing oversight.
By automating clean-ups, auditing permissions, and educating users, organisations can turn governance plans into sustainable practices.
And remember: AI can be transformative, but only when built on a foundation of clean, classified, and controlled data.
This is the final part of our 4-part series on unstructured data. Read all posts in the series here.
Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”. Click here to read more!
Would you like to discuss how to put these practices into action in your organisation? Contact our experts
What's new?
In the blog you will find current information, interesting articles and a lot of detailed information related to data protection.
Read these also
Identify the Data – Even in Legacy Archives | Part 2/4
Introduction Legacy data often hides in plain sight—stored in personal folders, shared drives, or temporary locations. These files may contain
Unstructured Data and Its Challenges | Part 1/4
Introduction Unstructured data makes up the majority of information in organisations—often more than 80%. Unlike structured data in databases, unstructured