Data Governance for SMEs: Who Owns What, and How Long Should You Keep It?

Data is now one of your most valuable business assets—whether you run a B2B services firm, a retail operation, or a healthcare practice. Yet many SMEs still treat data as an afterthought: files everywhere, no clear ownership, and “just keep everything” as the default.

This is where data governance comes in.

Data governance is the set of rules and responsibilities that tell your organisation:

  • Who is responsible for which data
  • How that data is classified and protected
  • How long it is kept
  • When and how it is securely deleted

You do not need a large IT or compliance team to get started. SMEs can adopt a practical, lightweight approach that reduces risk, improves efficiency, and strengthens trust with clients and patients.

Disclaimer: This article provides general guidance only. Data and record retention rules vary by country and sector. Always check your local regulations and consult a qualified legal or compliance professional before finalising policies.

1. Why Data Governance Matters for SMEs

For small and medium-sized businesses, good data governance delivers four main benefits:

1. Risk reduction

Clear rules on who can access what, and for how long, lower the chances of data breaches, privacy violations, or accidental leaks.

2. Compliance

Many laws (such as GDPR in the EU/UK and sector-specific healthcare regulations) expect organisations to know what data they hold, why they hold it, and how long they keep it. A simple governance framework helps you demonstrate this.

3. Efficiency and cost control

Storing everything forever—especially in multiple systems and backups—drives up storage costs and makes it harder for staff to find what they need.

4. Trust and reputation

Clients and patients are increasingly aware of privacy and data protection. Showing that you handle data responsibly builds confidence and can differentiate you from competitors.

SMEs rarely have dedicated data governance teams, but you don’t need one. With a few clear roles, basic rules, and simple processes, you can cover the essentials.


2. Data Ownership: Who Is Responsible for What?

A common problem in SMEs is that nobody is clearly responsible for specific data. That leads to confusion over who approves access, who decides retention, and who acts when there is an incident.

Two simple roles help here: data owners and data stewards.

Data Owners (Business Responsibility)

A data owner is the business person ultimately accountable for a specific set of data. They:

  • Decide who should have access
  • Approve how the data is used
  • Agree on how long it should be kept (in line with legal advice)
  • Escalate decisions in case of incidents or disputes

Data owners are typically senior managers, not IT.

Example – Client data in a typical B2B SME

Imagine a B2B software or consulting company:

  • Sales owns sales pipeline and CRM data (leads, opportunities, contact details, communication history). Usually the Head of Sales or Sales Director is the data owner.
  • Marketing owns marketing contact lists and campaign data (email lists, website form submissions, newsletter subscriptions). Typically the Head of Marketing is the data owner.
  • Customer Success / Account Management owns ongoing client relationship data (renewals, support notes, usage information). Typically the Head of Customer Success or Operations Manager is the data owner.

IT supports the systems, but business leaders own the data and decisions about it.

Example – Patient data in a small healthcare practice

For a small clinic, dental practice, or GP surgery:

  • Patient medical records (diagnoses, treatment plans, test results, clinical notes) are usually owned by the Medical Director, Clinical Lead, or equivalent senior clinician.
  • Administrative patient data (appointment history, billing information, insurance details) may be owned by the Practice Manager.

Again, IT may operate the electronic health record (EHR) system, but they are not the owners of the patient data. Clinical and business leaders are.

Data Stewards (Operational Responsibility)

A data steward is the person who looks after data on a day-to-day basis. They:

  • Ensure data is entered correctly and consistently
  • Follow the rules set by the data owner
  • Help respond to access requests, corrections, and deletions

Stewards can sit in business teams (e.g., a senior CRM user in Sales, a lead nurse or admin in a clinic) or in IT roles (e.g., system administrator).

In many SMEs, one person can be both owner and steward for a particular dataset—but it helps to keep the concepts separate: ownership = accountable; stewardship = caretaker.


3. Data Classification: How Sensitive Is the Data?

Once you know who owns what, the next step is to classify data based on sensitivity and impact. A simple scheme is enough for most SMEs.

A Simple Four-Level Classification

  1. Public
    Information you are happy for anyone to see.
    Examples: website content, published blog posts, job ads, public price lists.
  2. Internal
    For employees (and sometimes trusted partners) only, but not especially sensitive.
    Examples: internal policies, process documentation, training materials, internal reports without personal data.
  3. Confidential
    Data that would cause harm or embarrassment if exposed. This is where most client data sits.
    Examples: client contact details, sales proposals, contracts, invoices, non-public project information, most HR records.
  4. Highly Sensitive
    Data that could cause serious harm, legal issues, or regulatory penalties if breached. This includes most patient data and some financial or security information.
    Examples: medical records, mental health information, government ID numbers, bank account details, authentication secrets (e.g., encryption keys).

How to Classify Client and Patient Data

Client data in a B2B SME

  • Basic client contact details (name, work email, business phone), contracts, proposals, and CRM notes are typically Confidential.
  • Any data that includes personal identifiers combined with sensitive information (e.g., individual financial health, grievances, legal disputes) may approach Highly Sensitive.

Patient data in a healthcare practice

  • Medical records, clinical notes, diagnoses, and test results are almost always Highly Sensitive.
  • Appointment history and billing/insurance records are usually Confidential to Highly Sensitive, depending on local regulations and what information is included.

Why Classification Matters

Classification drives:

  • Access control – who can see what. Public data can be widely shared; Highly Sensitive data should be strictly limited.
  • Handling requirements – how data is stored, transmitted, and shared (e.g., encryption, secure portals, no sending over unsecured channels).
  • Incident response – a breach involving Highly Sensitive data typically requires faster response, more detailed investigation, and sometimes regulatory notification.

Even a basic classification, communicated clearly to staff, is a major step forward.


4. Data Retention Policies: How Long Should You Keep Data?

A data retention policy defines how long you keep certain types of data before you archive or delete them.

Why “Keep Everything Forever” Is a Problem

Many SMEs store everything “just in case.” This is risky because:

  • Cost: Storage may be cheap per GB, but it adds up—especially across email, file shares, cloud storage, and backups.
  • Legal risk: The more historical data you store, the more you may have to disclose in litigation or investigations.
  • Security: Old data often sits in poorly managed systems. Attackers love forgotten archives full of personal data.
  • Privacy compliance: Regulations like GDPR expect you not to keep personal data longer than necessary for the purpose it was collected.

A retention policy helps you balance business need, legal obligation, and risk.

Example Retention Periods for Client Data

These are illustrative only—always confirm against your local laws and business needs.

  • Sales leads and CRM records:
    • Keep active leads as long as there is an ongoing, legitimate sales relationship or interest.
    • For cold or inactive leads (no engagement), many organisations use a period such as 1–3 years after last contact, then delete or anonymise the data.
  • Client contracts and related correspondence:
    • Often kept for 6–10 years after the end of the contract to cover limitation periods for potential disputes, audits, or tax requirements.
    • Check local contract and tax laws; your accountant or legal counsel can advise.
  • Support tickets and project records:
    • Commonly retained for 3–7 years after project completion or contract end, balancing reference needs and legal limitation periods.

Example Retention Periods for Patient Data

Healthcare is highly regulated. Retention rules often specify minimum periods and sometimes maximum periods.

Examples of common patterns (actual numbers vary by jurisdiction):

  • Adult patient medical records:
    • Often must be kept for several years (e.g., 7–10 years) after the last treatment, or a specified number of years after the patient’s death.
  • Children’s medical records:
    • Often kept until the patient reaches a certain age (e.g., age of majority) plus a number of years.
  • Appointment and billing histories:
    • May be tied to tax or healthcare financing/audit requirements, commonly in the range of 5–10 years.

Because the details differ widely, every clinic or practice should:

  • Consult local healthcare regulations and professional bodies.
  • Work with legal/compliance experts to define precise retention rules by record type.

Your policy should clearly state that where a legal requirement exists, it overrides general business preferences.


5. Data Deletion and Disposal: When and How to Get Rid of Data

Retention policies only work if they are linked to actual deletion or archiving processes.

Soft Delete vs Permanent Deletion

  • Soft delete (archive/inactive)
    The data is not visible in normal workflows but still exists in your systems.
    Examples: marking a CRM record as “inactive,” moving a file to an “archive” folder, disabling a user account.
    Soft delete is useful for operational reasons but does not fully reduce risk or legal obligations.
  • Permanent deletion
    The data is removed from active systems. Over time, it may also roll out of backups depending on your backup retention cycles.
    In some systems this is called “hard delete.” Once done (and past backup expiry), recovery is difficult or impossible.

For compliance and risk reduction, you eventually need true deletion or anonymisation, not just soft deletes.

Secure Deletion Practices for SMEs

You do not need advanced tools to improve your data disposal; start with basics:

  • System-level deletion
    Use built-in deletion and purge features in your CRM, EHR, file storage, and email systems. Some platforms allow automated deletion based on age or status.
  • Backups and archives
    Ensure your backup retention schedule aligns with your data retention policy. If you keep backups forever, you effectively keep data forever.
    Set fixed backup retention periods (e.g., 30, 90, 365 days), and make sure they are documented.
  • Physical records
    For paper files containing client or patient information:
    • Use secure shredding (cross-cut or professional shredding services).
    • Don’t dispose of sensitive documents in normal bins or open recycling.
  • End-of-life for devices
    When disposing of old computers, servers, or storage devices:
    • Use disk wiping tools or professional services to overwrite data.
    • For highly sensitive data, consider physical destruction by certified providers.

Examples of When to Delete or Anonymise

Inactive client records (B2B)

  • A prospect has not engaged with your emails or sales outreach for three years and there is no ongoing relationship.
  • According to your retention policy, you can:
    • Delete the record completely from your CRM; or
    • Anonymise it (e.g., keep industry and deal size for analytics, but remove names and contact details).

Patient data in a healthcare practice

Because of legal requirements, full deletion is often heavily regulated. However, you may:

  • Anonymise or pseudonymise older data for analytics and research purposes:
    • Anonymisation: permanently remove all direct and indirect identifiers so the data can no longer be linked to a specific individual.
    • Pseudonymisation: replace identifiers with codes, with the key stored separately under strict control.

This allows you to retain value for statistics and quality improvement while reducing privacy risk. Always confirm that your approach is consistent with healthcare and privacy regulations in your jurisdiction.


6. How SMEs Can Implement Data Governance in Practice

You do not need a complex framework. A simple, documented approach is usually enough to make a big difference.

Step 1: Inventory Your Key Data Types

List the major categories of data you hold, for example:

  • Client and prospect data (CRM, email marketing, proposals, contracts)
  • Operational data (projects, support tickets, internal reports)
  • Financial data (invoices, payroll, expenses)
  • HR data (employee records, performance, recruitment)
  • Patient data (medical records, appointments, billing) for healthcare organisations

You don’t need perfection. Start with the 10–15 most important data types.

Step 2: Assign Data Owners

For each data category, name a business owner:

  • Client/prospect data → Head of Sales / Head of Marketing
  • Contracts and billing → Finance Director or equivalent
  • HR data → HR Manager or Managing Director
  • Patient medical records → Medical Director / Clinical Lead
  • Patient admin and billing → Practice Manager

Write this down in a simple table so everyone knows who to approach for decisions.

Step 3: Define a Basic Classification Scheme

Adopt the four levels (Public, Internal, Confidential, Highly Sensitive) and:

  • Decide which level applies to each data type.
  • Document a one-line rule on how each level should be handled; for example:
    • Public: can be shared externally without restriction.
    • Internal: for employees only; not to be sent to external parties without approval.
    • Confidential: limited access, protected by passwords and secure systems; no sharing via personal email.
    • Highly Sensitive: strictly limited access, encrypted in transit and at rest; special incident handling.

Communicate this scheme to staff and include it in onboarding.

Step 4: Set Draft Retention Rules and Validate

For each data type:

  • Decide how long you think you need the data for operational and commercial reasons.
  • Check for obvious legal or regulatory requirements.
  • Discuss your draft rules with legal/compliance advisors or industry bodies.

Record retention periods in a simple table (e.g., “Client contracts: 7 years after contract end”).

Step 5: Implement Deletion and Archival Routines

Work with IT or your service providers to:

  • Configure automated deletion or archival where possible (e.g., CRM rules, email retention policies, file lifecycle policies in cloud storage).
  • Ensure backup retention is compatible with your policy.
  • Set up a simple annual or semi-annual review to catch data that should be deleted but isn’t automatically covered.

Document how and when deletion occurs so you can show this if clients, patients, or regulators ask.
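As an added illustration (not code from the article), the following Python sketch turns the retention table from Step 4 and the deletion routine from Step 5 into something IT could run: a rule per data type, the "delete / anonymise / pseudonymise" outcomes from Section 5, and a check of when a hard delete is truly final once backups expire. The rule periods, the 90-day backup cycle, the sample records and the field names are all constructed assumptions, not legal guidance.

```python
from datetime import date, timedelta
import hashlib
import hmac

# Constructed retention table in the shape of the article's "simple table":
# data type -> (years after the trigger date, action once that period has passed).
# Periods are the article's illustrative figures; a legal minimum always overrides them.
RETENTION_RULES = {
    "cold_lead": (3, "anonymise"),           # 3 years after last contact
    "contract": (7, "delete"),               # "7 years after contract end"
    "patient_record": (10, "pseudonymise"),  # 10 years after last treatment
}
BACKUP_RETENTION_DAYS = 90  # assumed fixed backup cycle (article suggests 30/90/365)

# Constructed sample records; trigger_date is last contact / contract end / last treatment.
COLD_LEAD = {"type": "cold_lead", "name": "A. Example", "email": "a@example.test",
             "industry": "retail", "deal_size": 12000, "trigger_date": date(2021, 5, 1)}
PATIENT = {"type": "patient_record", "patient_id": "P-1001", "name": "B. Example",
           "diagnosis_code": "J06.9", "trigger_date": date(2010, 1, 1)}

def add_years(d, years):
    """Add whole years; a 29 Feb trigger date rolls to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_action(record, today):
    """'keep' until the period has run, then the table's action for that data type."""
    years, action = RETENTION_RULES[record["type"]]
    return action if today >= add_years(record["trigger_date"], years) else "keep"

def anonymise(record):
    """Drop direct identifiers; keep only the analytics fields the article mentions."""
    return {k: v for k, v in record.items() if k in ("type", "industry", "deal_size")}

def pseudonymise(record, key):
    """Swap the identifier for a keyed code; the key lives outside the dataset."""
    code = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in ("patient_id", "name")}
    out["pseudonym"] = code
    return out

def truly_gone_on(deleted_on):
    """A hard delete is final only once the last backup holding the data has expired."""
    return deleted_on + timedelta(days=BACKUP_RETENTION_DAYS)
```

Running `retention_action` over every record on a scheduled job, and recording the date `truly_gone_on` returns, gives the documented evidence of when deletion occurred that this step asks for.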

Ongoing: Document, Train, Review

To ensure your efforts stick:

  • Document policies in short, readable documents: one for data classification and ownership, one for retention and deletion.
  • Train staff during onboarding and periodically. Focus on practical examples rather than theory.
  • Review regularly (for example, once a year or when regulations or business models change). Update owners, classifications, and retention rules as needed.

Conclusion

Data governance may sound like “big company” language, but the core ideas are straightforward and essential for SMEs:

  • Make it clear who owns which data and who looks after it day to day.
  • Use a simple classification scheme to guide access and protection.
  • Define retention periods so you are not keeping everything forever.
  • Put real deletion and disposal processes in place, including attention to backups and physical records.
  • Start small, document your approach, train your team, and improve it over time.

Handled well, data governance is not just about risk and compliance — it is about running a more efficient, trusted, and resilient business.