Data Governance
Platform decisions with deep integration complexity, organizational change, and long-term data stakes.
Inside this journey
-
Pre-Discovery
Align the room on outcomes, decision process, and constraints before deeper discovery.
-
Stakeholder Alignment
Confirm decision roles (CDO, GC, CTO), exam timeline, and 60-day POC success criteria.
Alignment Questions
Quick Introductions — Who’s Driving This Effort?
- Who is the primary sponsor or owner for this initiative?
- Who else is at the table (names, titles, and role in decision-making)?
- What is the target decision timeline for selecting a platform?
- What recent event or trigger brought this to the top of the agenda?
- Briefly describe the regulator’s ask or the internal finding in one or two sentences.
Are We Still Relying on Fragile Inventories?
- When an examiner asks for a complete inventory of systems holding customer personal information, what do you typically have to produce—and what do you wish you had instead?
- How is your current inventory maintained today?
- When was the inventory last updated in a way you’d trust for an exam?
- What are the top three system types where you suspect coverage is weakest (e.g., analytics, third-party SaaS, archival storage)?
- Tell us about a specific time when inventory gaps caused a regulatory or operational problem — what happened and what was the impact?
What’s Broken About Lineage Right Now?
- If an auditor asked you to show column-level lineage for a customer personal data element, where would you expect to hit the biggest roadblock?
- Which data platforms must we be able to trace across for the POC?
- How do you currently capture or represent transformations (ETL jobs, SQL, notebooks, data pipelines)?
- Typically, how long does it take your team to trace the flow of a single sensitive column from source to report?
- Describe a recent investigation where missing lineage extended remediation work or triggered risk escalation.
Where Should Automation Immediately Reduce Risk?
- If you could have one manual task replaced by automation in the next 60 days, which would have the greatest regulatory impact?
- Which data domain should be the POC focus to demonstrate maximum regulatory value?
- What percentage of your production systems must be discoverable in the POC for you to consider it meaningful?
- Which sensitivity / classification tags are essential for discovery to capture (select all that apply)?
- What objections or cultural friction do you expect from teams about crawling production systems?
Can We Safely Crawl Production — What’s Non-Negotiable?
- What single operational requirement would make you immediately refuse a production crawl?
- Which access patterns are acceptable for connectors in your environment?
- Do you require a dry-run, throttling, or sampling approach before full crawls?
- What rollback or stop controls must be available before the CTO will sign off?
- List the network/security owners and their preferred contact method and SLA for approvals.
What Will ‘Examiner-Ready Evidence’ Actually Look Like?
- If the GC were asked to present proof that deletion requests were honored across systems, what artifact would satisfy them?
- Which elements must the evidence include for legal acceptance?
- How granular does enforcement evidence need to be (system-level, table-level, column-level, instance-level)?
- What format and delivery cadence does the examiner expect for POC evidence?
- Share an example of evidence you’ve previously delivered (what worked, what fell short).
Who Signs Off on Success — Metrics and People?
- If you had to pick the three most important acceptance criteria for the 60-day POC, what would they be?
- For each selected criterion above, what is the numeric or qualitative target you’d accept?
- Who will provide the formal acceptance sign-off at the end of the POC?
- If a criterion is not met, what remediation or extension options are acceptable?
- Describe your escalation path if the POC reveals a major compliance gap.
Integration Deal-Breakers — What Must Never Change?
- What integration requirement would cause the CTO to veto the platform immediately?
- Which connector types are preferred and which are forbidden in your environment?
- What are your latency and performance thresholds we must respect during crawls?
- Which security controls must a vendor demonstrate before any production access is granted?
- List any internal policies or compliance standards the integration must adhere to (e.g., data residency, encryption, logging).
Policy Enforcement — What Counts as Success?
- If policy enforcement is part of the POC, which automated actions are mandatory to demonstrate value?
- How often must enforcement checks run to meet compliance expectations?
- What level of human approval is required before automated deletion or masking can execute?
- What historical enforcement failures would you want the POC to detect or prevent?
- Which teams must be included in enforcement playbooks or runbooks created during the POC?
What Would It Feel Like After a Successful POC?
- Imagine the regulator leaves satisfied — what two concrete outcomes would you point to that prove the problem is solved?
- What ongoing operational model do you prefer after the POC?
- What training or handover will your teams need to sustain the capability?
- How quickly would you want to expand beyond the POC domain if it succeeds?
- What risks or internal blockers could still derail adoption even after a successful POC?
Immediate Next Steps — Aligning People, Dates, and Deliverables
- If we don’t agree on immediate next steps right now, what usually slows projects like this most?
- Which deliverables would you like to see in a POC statement of work?
- What is the earliest feasible kickoff date for a scoped 60-day POC?
- Who are the named engineering and security contacts that must approve connector access (name, title, email)?
- Do you consent to an initial discovery crawl of the agreed POC scope under a read-only, non-disruptive contract clause?
-
Current State Mapping
Capture existing inventories, known gaps in system visibility, pipeline constraints, and data risk areas.
Current State
Starting Point: Why Are We Here Today?
- What prompted you to open this discussion about data governance right now?
- Who is formally owning the evaluation and selection for this initiative?
- How urgent is a demonstrable fix—what timeline are you under to show progress to examiners or auditors?
- When you picture success at the end of an initial engagement, what single outcome matters most to your execs?
- Who else on your team should we involve in discovery so we don’t miss key constraints (names/roles preferred)?
Are You Comfortable Being Surprised by Where Customer Data Lives?
- How confident are you today that you could, within two business days, produce a complete list of systems containing customer personal information?
- Tell us about a time a review or request revealed data in an unexpected place—what happened and how did it feel for the team?
- How often do you find previously unknown copies, exports, or analytics outputs containing customer records?
- If an examiner asked for proof that a deletion request was honored across every downstream copy, how comfortable would you be with the evidence you could produce today?
- Which of these emotions best describes how the data team reacts when an unknown system is discovered?
Where Does Data Disappear (or Multiply) in Your Estate?
- Which platforms and pipeline types currently host or process customer personal information in your environment?
- Are there known dark spots (e.g., undocumented reports, ad-hoc exports, contractor environments) where visibility is limited?
- Describe an example of a pipeline or process that routinely creates downstream copies—what tools, teams, and handoffs are involved?
- Who currently holds operational responsibility for tracing lineage when an issue arises (role/team)?
- Which of the following best describes your current method for tracking where customer PII lives?
What Would Passing an Examiner Actually Feel Like?
- If an examiner demanded evidence, which artifacts would convince you that the answer is rock-solid?
- What minimum catalog coverage percentage (by systems, tables, or lineage hops) would you need to accept a POC as successful?
- How deep does lineage need to go for you to feel comfortable—surface-level system mapping, table-level, or column-to-column with transformation detail?
- Which enforcement outcomes would you need demonstrated during the POC to present to GC and the examiner?
- Who must sign off on the POC acceptance—list names/roles and their top concern (e.g., GC: evidentiary sufficiency)?
If We Run a 60‑Day Proof, What’s Non‑Negotiable?
- What CTO or platform constraints would immediately disqualify a vendor or POC approach?
- Which type of production access can you realistically grant for a controlled POC (read-only credentials, service account, metadata-only, other)?
- What windows or maintenance schedules must we work around to run crawlers or scans without impacting teams?
- If we request a temporary connector or role for 60 days, what security checks or approvals will that require (list stakeholders)?
- What rollback or emergency controls do you require to feel safe authorizing crawling against production systems?
Where Does Enforcement Need to Happen Without Drama?
- Which enforcement actions matter most to your compliance team during a POC—deletion, masking, quarantine, or policy flagging?
- Have you had situations where enforcement in one system caused problems downstream (e.g., stopped reporting or broke dashboards)? Tell us about one.
- How do you expect a governance platform to coordinate enforcement across heterogeneous systems—fully automated, human-in-the-loop, or hybrid?
- What SLAs or time-to-action would be required for an automated enforcement (e.g., delete propagated within 24 hours)?
- What evidence of enforcement will satisfy auditors—time-stamped logs, replayable actions, signed attestations, or other artifacts?
What Will Integration Actually Look Like for Your Teams?
- Who will own day-to-day POC operations on your side (names/roles) and who will be the escalation contact?
- What internal teams must be engaged for connectors, network approvals, or security reviews?
- What monitoring and reporting do your engineers want during the POC to feel in control (latency metrics, error rates, resource usage)?
- If integration required a short runbook or playbook, what three items must be included for your ops team to allow it?
- Which teams should receive automated alerts versus which should get summary reports?
Deciding Risks, Rewards, and Red Lines
- What contractual or legal constraints would make you decline a POC even if the technology validated every claim (data residency, audit rights, liability caps)?
- What minimum privacy and security controls must a vendor demonstrate before legal allows access to production metadata or systems?
- How will GC evaluate the sufficiency of examiner-ready evidence—what format and sign-offs are required?
- Are there any internal procurement or contract clauses (e.g., indemnities, IP, data handling) that are absolute non-starters?
- If a technical approach required a minor contract amendment to enable production connectivity, how long would legal typically take to review?
What Would Make You Say Yes—Right Now?
- If we could guarantee non-disruptive discovery, column-level lineage for one high-risk domain, and examiner-ready artifacts in 60 days, what remaining concern would still stop you from greenlighting the POC?
- What practical first step would you be willing to commit to this quarter (e.g., sign off on scope, provide read-only creds to two systems, schedule an integration call)?
- Who are the decision-makers and what is the decision process/timeline for moving from POC to enterprise license?
- What would you like us to prepare next—a focused scope doc, security questionnaire responses, or a technical integration checklist?
- On a scale of 1–10, how ready do you feel to begin a limited production POC after we've addressed the items above?
-
-
Outcome Discovery
Define measurable acceptance criteria (catalog coverage, lineage depth, enforcement actions) for the POC.
Discovery Questions
Quick Grounding — Who’s driving this POC?
- Which role best describes the person completing this form?
- What triggered this POC right now?
- When does the examiner expect an answer (or when would you like the POC completed)?
- How confident are you, today, that you can produce an inventory and lineage that satisfies the examiner within your desired timeline?
- Briefly describe in your own words what a successful 60-day outcome would look and feel like to you (who celebrates, what gets notarized, what worry disappears).
If an Examiner Asked for Everything Tomorrow, Where Would You Stumble?
- If an examiner demanded a complete, auditable list of all systems processing customer personal information tomorrow, what specific items would you not be able to show?
- Approximately what percent of systems that process customer personal information are currently inventoried in any tool or spreadsheet?
- Where do you feel the greatest uncertainty comes from — unknown systems, duplicate copies, third-party platforms, or transformation pipelines?
- Tell us a concrete example of a time the team tried to locate a customer record: what happened and how long did it take?
- How does this uncertainty make you feel when you think about an upcoming examination (e.g., anxious, resigned, motivated to fix it)?
Where Data Hides — Platforms, Pipelines, and Pain
- Which of the following data platforms are in your environment and must be discoverable during the POC?
- Where do you most suspect column-level lineage will break or be incomplete (SQL transforms, Spark jobs, BI tools, ETL tools, or code notebooks)?
- How long does it typically take your team to trace lineage from a reporting column back to its source today?
- Which of these hidden sources worry you most because they're frequently missed by inventories?
- Describe a place in your stack you suspect contains PII but haven’t been able to prove it — why is it hard to include that source today?
How Much Coverage and Depth Would Actually Change the Conversation?
- At day 60, what minimum catalog coverage would make you comfortable calling the POC successful?
- For lineage, what depth is non-negotiable for examiners: table-level only, column-level within top pipelines, or full column-level across all discovered pipelines?
- Which enforcement outcomes must be demonstrable during the POC for you to consider it meaningful?
- What maximum false positive rate (incorrectly flagged PII) would be acceptable during the POC before it becomes operationally harmful?
- Are there specific datasets, business units, or regulatory scopes we should prioritize to prove value quickly? Please list them.
What Does 'Examiner-Ready Evidence' Mean to You?
- Imagine the examiner asks for proof—what artifact would make you feel confident (pick all that apply)?
- What format do your examiners prefer for evidence: raw exports, visual diagrams, annotated screenshots, or official audit packages?
- How quickly must you be able to produce those artifacts when asked (while under examination)?
- Who in your organization must sign off on examiner artifacts (roles or titles)?
- Describe any prior experience where submitted artifacts were rejected by an examiner — what was missing?
Breaking Assumptions — Integrations, Non-Disruption and the CTO Bar
- What integration assumptions would you be surprised to learn are necessary and that could derail the POC?
- Which of the following CTO constraints must the POC respect?
- What security or legal approvals are gating connector access (e.g., InfoSec signoff, encryption proofs, third-party risk)?
- How do you feel about granting read-only production access for automated crawling—comfortable, cautious, or opposed? Please explain briefly.
- If the CTO asks for a rollback plan, what minimum elements must it include (e.g., connector disable, logs purge, access revocation)?
- List any platform or compliance constraints (e.g., data residency, encryption keys, SOC2/HIPAA controls) that could affect connector design.
Who Owns What — Responsibilities, Acceptance Tests, and Escapes
- Which acceptance tests must be owned or co-owned by your team during the POC (pick all that apply)?
- Who will be the primary point of contact for day-to-day coordination (name/title)?
- Which teams must be available for short technical workshops during the POC (select all that apply)?
- What would be a deal-breaker action or finding that would cause you to stop the POC early?
- If the POC succeeds, what is the realistic near-term next step you’d expect (enterprise license, phased rollout, deeper integration)?
- What operational cadence do you prefer for POC checkpoints (weekly demo, bi-weekly review, milestone sign-offs)?
The Evidence Playbook — Formats, Timelines, and Signatures
- Which types of evidence must be included in the final POC package for examiner review?
- Who must review and sign the final POC evidence package before it’s shared with an examiner?
- What retention window for evidence is required for regulatory purposes (how long must we keep POC artifacts)?
- How would you like evidence delivered if an examiner requests it—via secure export, shared portal, or formal package delivery?
- What is your tolerance for iterative evidence requests from the examiner (e.g., expect 1 follow-up, multiple rounds, or live walkthrough only)?
- If an artifact needs additional context for the examiner, who will provide the narrative (technical lead, CDO, GC)?
-
Solution Experience
Use the customer’s systems and a high-risk data domain to demonstrate outcome delivery: automated discovery, column-level lineage, and enforcement producing examiner-ready evidence.
Experience Meetings
- Solution Experience Pre-brief (Alignment & Success Criteria)
- Data & Systems Validation (Pre-crawl Technical Check)
- Live Solution Experience — Discovery & Column-level Lineage
- Live Solution Experience — Enforcement Actions & Examiner Evidence
- Solution Experience Wrap-up & Acceptance Review
- Compliance to sign-off sample examiner artifact template or provide required edits within 48 hours.
- Record any gaps and immediate remediation steps to reach acceptance criteria.
- Engineering to document any missing connectors or lineage gaps observed during the live run and propose fixes.
- Security/CTO to confirm the lineage method meets internal integration/latency constraints or list objections.
- Schedule a targeted follow-up to resolve high-priority gaps identified in the session.
- Recap Enforcement Acceptance Criteria
- Demonstrate enforcement actions applied across discovered assets and linked via lineage to all downstream copies.
- Deliver and validate that examiner-ready artifacts contain the required fields and chain-of-custody evidence.
- Confirm with CTO that enforcement methods do not introduce unacceptable latency or require pipeline refactoring.
- Capture any remaining legal/compliance questions about artifact formats or retention windows.
- Introductions & Meeting Objectives
- Engineering to provide a reproducible runbook for enforcement execution and rollback controls.
- Customer to confirm whether production enforcement will be allowed during the POC or limited to non-prod copies.
- Security to approve the evidence export process and retention of audit logs.
- Measured Outcomes vs Acceptance Criteria
- Obtain explicit acceptance (or a prioritized remediation list) against the POC success criteria from CDO/GC/CTO.
- Agree a clear remediation plan for any failed acceptance items with owners and deadlines.
- Decide next commercial/legal/operational steps (enterprise pilot, contract, or closure).
- Establish communication plan for examiner engagement and artifact handover.
- Produce final POC results packet (coverage metrics, lineage snapshots, enforcement evidence) and circulate to stakeholders.
- Customer signatories (CDO/GC/CTO) to sign acceptance or the remediation plan within agreed SLA.
- Schedule Validation Checklist meeting to verify remediation items are closed before final handover to production.
- Assign single point-of-contact for examiner interactions and artifact delivery.
- Create a single-sentence current state that all stakeholders accept.
- Surface and quantify the regulatory / operational consequence driving urgency.
- Agree a one-sentence future state (the outcome the experience must prove).
- Lock the POC scope, acceptance criteria, and technical access checklist with named owners and deadlines.
- Customer to provide the definitive one-sentence current state and a one-paragraph description of the regulatory finding for the live session.
- Customer to sign and return the POC scope & acceptance criteria document (including named signatories: CDO, GC, CTO).
- Engineering to confirm supported connectors required for listed systems and any sandbox/non-prod endpoints for demonstration.
- Schedule dates for pre-crawl validation and the two live Solution Experience sessions.
- Recap of Agreed Current/Future State & Evidence Needs
- Ensure all in-scope systems are reachable with appropriate non-disruptive permissions.
- Agree the concrete list of datasets and owners for the high-risk domain to be used in the live session.
- Validate a metadata dry-run produces usable inventory entries without impacting production.
- Confirm exact format and required fields for examiner-ready evidence artifacts.
- Customer IT to provide test credentials/endpoints and open any required network rules for the dry-run account.
- List and confirm dataset owners and sign-off emails for each in-scope asset.
- Engineering to deliver dry-run results and a short support plan for any failed connectors.
- Legal/Compliance to confirm the exact evidence fields the examiner will accept and share a sample examiner checklist if available.
- Customer data owners to validate discovered mappings and mark any false positives/negatives.
- One-sentence Current State Recap & Outcome to Prove
- Demonstrate that automated discovery uncovers a meaningful portion of the in-scope PII inventory without manual registration.
- Prove column-level lineage across heterogeneous pipelines for representative flows to the satisfaction of data owners and the CTO.
- Obtain explicit validation (or precise exceptions) from CDO/GC/CTO that results map to the problem statement.
- One-sentence Current State (Diagnosis)
- Capture Lessons, Gaps & Remediation Plan
- Live Automated Discovery Results — Inventory Coverage
- Connector & Credential Walkthrough
- Controlled Enforcement Demonstration
- Produce & Review Examiner-ready Evidence Artifacts
- Mutual Commit & Next Steps
- Column-level Lineage Walkthrough (Representative Flows)
- Sample Dataset & High-Risk Domain Mapping
- Explicit Consequence
- Tie Back to Problem — Demonstrate Consequence Mitigation
- Dry-run Metadata Crawl / Smoke Test
- One-sentence Future State (Success Outcome)
- Operational Integration & Monitoring
- Assign Owners, Deliverables & Schedule
-
Solution Scope
Define the POC scope, modules (discovery, lineage, policy), responsibilities, and acceptance tests.
Scope Configuration
- Deploy Database and Warehouse Connectors
- Deploy Cloud Object Storage Scanners
- Deploy Analytics and BI Platform Connectors
- Deploy Streaming and Messaging Connectors
- Run Column-Level PII Identification
- Extract SQL-Based Column Lineage
- Extract Code-Based Column Lineage
- Assemble Unified Column-Level Lineage Graph
- Deploy Policy Enforcement Engine (Retention/Masking/Deletion)
- Activate Automated Deletion and Masking Workflows
- Install Non-Intrusive Integration Adapters
- Enable Data Subject Request Fulfillment Automation
- Deploy Examiner-Facing Audit Evidence Exports
- Enable Real-Time Catalog Sync and Change Detection
Scope Questions
Deploy Database and Warehouse Connectors
- Do you want databases and cloud warehouses included in the POC connector scope?
- Which database/warehouse platforms must be crawled?
- How many distinct database instances, clusters, or warehouses should be connected in the POC?
- What connectivity model is available for connectors (choose one)?
- Are there any performance or maintenance windows that restrict connector runs?
- List databases, schemas, or instances that must be excluded or that contain regulated/sensitive workloads (free text).
Deploy Cloud Object Storage Scanners
- Should cloud object stores be scanned in the POC?
- Which object storage platforms should be included?
- Approximately how many buckets/containers or total objects should the scanner handle during the POC?
- What credential model is preferred for scanning buckets?
- Are there encryption, VPC, or private endpoint constraints for accessing object stores?
- Are there specific bucket prefixes, archive layers, or file types to prioritize or exclude? (free text)
Deploy Analytics and BI Platform Connectors
- Do you want BI and analytics platforms scanned for data sources and queries?
- Which analytics/BI platforms should be connected?
- Should connector access include dashboard/report definitions and underlying SQL/query text?
- How many workspaces, accounts, or report repositories should be scanned?
- Are there governance restrictions (e.g., PII redaction) when exporting report definitions or queries?
- List any vendor-specific admin roles, API tokens, or IP allowlists required for access (free text).
Deploy Streaming and Messaging Connectors
- Should streaming and messaging systems be included in the POC?
- Which streaming/messaging technologies do you use?
- How many topics/streams or partitions should be assessed during the POC?
- Can the connectors consume from streams in a non-destructive, read-only manner (consumer groups) or is alternative access required?
- Is there a Schema Registry or Avro/Protobuf definitions available to assist field-level mapping?
- Are there data retention or throughput concerns that would limit continuous stream sampling? (free text)
Run Column-Level PII Identification
- Do you want automated column-level PII/Personal Data identification in the POC?
- Which detection techniques are acceptable for the POC?
- Are there custom corporate identifiers, taxonomies, or regex patterns we should apply?
- What false-positive tolerance is acceptable for PII tagging during the POC?
- Which data domains are highest priority for PII identification (e.g., customer personal info)?
- Are any columns or tables excluded from content inspection for privacy or legal reasons? Please list.
Extract SQL-Based Column Lineage
- Should SQL-based transformations and jobs be included for column-level lineage extraction?
- Which sources of SQL text are available?
- Approximately how many transformation jobs, stored procs, or dbt models should be analyzed?
- Is full access to query text/logs available, or are only summaries/metadata available?
- Do you require lineage that traces through intermediate/staging tables and temp objects?
- List any transformation frameworks or scheduling systems (e.g., Airflow, dbt, Informatica) and access constraints (free text).
Extract Code-Based Column Lineage
- Do you want lineage extracted from code-based pipelines (e.g., Spark, Python ETL)?
- Which languages and frameworks should be analyzed?
- Where is pipeline code stored and can we access repositories for static analysis?
- Is instrumentation (runtime tracing) allowed for extracting lineage, or is static analysis required?
- How many distinct ETL jobs or code-based pipelines should be in-scope for the POC?
- List any packaging or runtime constraints (e.g., serverless, containers, restricted clusters) that affect code access (free text).
Assemble Unified Column-Level Lineage Graph
- Do you require a unified, cross-platform column-level lineage graph for the POC deliverable?
- What lineage depth is required (choose one)?
- What percentage coverage of high-risk assets is the acceptance target for the POC?
- Do you need lineage to show column-level transformations (expressions, masking, joins) or only mapping relationships?
- Which export or visualization formats are required for reviewer consumption?
- Are there specific consumers (e.g., examiners, auditors, data owners) who require tailored views of the lineage? List roles and needs.
Deploy Policy Enforcement Engine (Retention/Masking/Deletion)
- Should policy enforcement (retention, masking, deletion) be part of the POC scope?
- Which policy types must be supported during the POC?
- Do you require policies to run in automatic (enforce) mode or in audit/simulation mode during the POC?
- Are there legal, compliance, or business holds that must prevent automatic deletion for certain assets?
- What masking techniques are acceptable (choose any)?
- Describe approval workflows or segregation-of-duty requirements for policy changes or enforcement actions (free text).
Activate Automated Deletion and Masking Workflows
- Do you want fully automated deletion/masking executed during the POC or only test runs with manual approval?
- What retention windows or deletion criteria should be demonstrated in the POC?
- Are backups, archives, or replicas in scope for deletion/masking, or will those be excluded?
- What rollback controls and test validation are required before executing destructive actions?
- Who are the approvers and owners for deletion/masking actions (roles/emails) and are they available during the POC?
- List any regulatory or legal constraints that prevent automated deletion for certain datasets (free text).
-
Mutual Commit
Finalize commercial and legal terms, CTO integration constraints, and confirm readiness to execute the POC.
Agreement Modules
- Non-Disclosure Agreement (NDA)
- Master Services Agreement (MSA)
- Statement of Work (SOW) — POC
- Order Form & Commercial Terms
- Technical Integration Addendum (CTO Constraints)
- Data Processing Agreement (DPA) / Privacy Addendum
- Security & Compliance Addendum
- POC Acceptance Criteria & Test Plan
- Implementation Schedule & Responsibility Matrix
- Rollback, Safeguards & Non-Disruption Agreement
- Change Order / Scope Amendment
- Termination & Exit Plan
- Intellectual Property & Source Escrow
- Executive & Legal Sign-off Checklist
- Insurance, Indemnity & Liability Schedules
-
Deployment
Operationalize rollout with readiness checks, enablement, and outcome validation.
-
Pre-Deployment Readiness
Validate production access, non-disruptive connector plans, data owner sign-offs, and rollback controls before crawling.
Readiness Questions
Quick Win: Who's Already Caring About This?
- Who will be the core team evaluating and signing off on this POC? (pick all that apply)
- Who is the single point of accountability for moving the POC forward?
- What is the regulatory/exam timeline we are trying to meet? (choose the range closest to your deadline)
- Which single outcome would make you feel this POC was a clear success at day 60?
- If you could summarize one worry you hope this POC will remove, what would you say?
If an Examiner Called Right Now, What Would You Do?
- If an examiner demanded a full inventory of every system holding customer personal data today, what would your first reaction be?
- How are inventories and system registries created at your institution today?
- What confidence level would you give your current inventory if inspected by an examiner? (estimate)
- What specific blockers prevent you from being able to answer the examiner within the requested timeframe? (select all that apply)
- When you think about the last time you failed to meet an information request, what emotion best describes the leadership reaction?
Where Your Customer Data Is Actually Living (and Hiding)
- Which data platforms and locations do you expect to contain customer PII for the POC? (select all that apply)
- Roughly how many distinct ingestion/transformation pipelines move customer data between systems in scope?
- Which copies of data (backups, snapshots, downstream marts) are you most worried examiners will ask about?
- How do you currently trace data at the column level through transformations and joins?
- Please list any high-risk data domains or example tables/fields we should prioritize for discovery in the POC (e.g., customer identifiers, SSNs, account numbers).
The Moments That Break Trust — Tell Us a Story
- Describe a specific incident where a data request, deletion, or policy enforcement failed — what happened?
- How often do incidents like that occur (estimate)?
- Which impacts from that incident mattered most? (select all that apply)
- Who typically owns investigation and remediation when these issues appear?
- How long did it take (or would it take) to produce examiner-ready evidence about that incident?
Why You've Stayed With Manual Processes (Even If You Hate Them)
- What's the real reason a spreadsheet or tribal-knowledge approach has persisted here?
- Which of these barriers best describe why automation hasn't scaled for you? (select all that apply)
- Have you trialed automated discovery or lineage tools before? If yes, what went wrong or what surprised you?
- What technical assurances or guardrails would meaningfully reduce CTO resistance to connecting production systems?
- If you were to adopt automation, what internal change would be hardest for your teams?
If This POC Is Perfect at Day 60, What Will Be on the Table?
- List the top 3 pieces of examiner-ready evidence you must be able to produce at the end of the POC.
- What minimum catalog coverage would you accept for the scoped domain by day 60?
- For lineage, what level of detail is required to satisfy examiners and legal? (choose one)
- Which enforcement actions must be demonstrable during the POC to convince GC? (select all that apply)
- Which single high-risk domain should we run first in the POC to prove value (e.g., customer PII, loan accounts, payments)?
- If you selected a percentage or metric above, please explain why that threshold is meaningful to your regulator or leadership.
Operational Safety: What Keeps Engineering Up at Night?
- What is the single production safety concern engineering will raise to delay the crawl?
- Which access and authentication patterns will we need to support for connectors? (select all that apply)
- Do you require connector designs that are guaranteed non-disruptive or sandboxed? If so, which option best describes your requirement.
- Who must approve production access and what is the typical approval lead time?
- What rollback or mitigation controls would make the team comfortable if something looked wrong during discovery?
Decisions, Communication, and What ‘Good’ Governance Looks Like
- What would make you feel this POC is a partnership, not just a vendor trial?
- Which stakeholders need to be included in weekly POC updates? (select all that should be present)
- What cadence and format do you prefer for status—standups, weekly demos, or asynchronous reports?
- After a successful POC, what immediate decision will leadership need to make?
- What contractual/commercial or legal conditions absolutely must be in place before you can start connectors into production?
- Realistically, when could your team be ready to start the first non-disruptive crawl if approvals align?
-
Deployment Enablement
Schedule crawler runs, assign owners, coordinate engineering windows, and monitor latency and system impact.
-
Validation Checklist
Verify catalog completeness, column-level lineage accuracy, and enforcement actions; produce examiner-ready evidence artifacts.
Validation Questions
Quick Introductions — Who's In The Room?
- Who are the people we should loop into the POC conversation (name, role, and primary decision authority)?
- What's the single business event that kicked off this evaluation (regulatory finding, audit, merger, other)?
- Which executive sponsors will sign off on the POC outcome (select all that apply)?
- What is your ideal target date to start the 60-day POC?
- Do you currently have an existing data inventory or catalog that we should import or compare against?
If an Examiner Called Right Now, Would You Panic?
- If an examiner demanded a complete list of systems processing customer personal information with proof within 48 hours, could you comply?
- Which systems would you be able to produce immediately (select all that you can provide today)?
- Estimate how complete your current inventory feels as a percentage of systems that actually touch customer personal data.
- When was your authoritative inventory or catalog last updated?
- If you selected Partial or No above, what’s the main barrier to being able to produce a full inventory quickly?
Where Does Customer Data Hide That Nobody Talks About?
- Which systems do you suspect hold customer personal information but are not in any official inventory?
- Tell us about the most surprising place you found customer data—how was it discovered and how long has it been there?
- How frequently do new 'shadow' systems or ad-hoc pipelines appear without central registration?
- When a new system is found, what usually happens next?
- Who typically discovers these hidden systems (analytics team, devops, auditors, vendor, other)?
Which Pipelines Break the Chain of Evidence?
- Which transformation types most often prevent you from showing clear column-level lineage end-to-end?
- For those pipeline types, where is lineage most often lost (at extraction, transformation, enrichment, or aggregation)?
- Give an example of a report or dashboard that you cannot trace back to source columns—what system produced it and why is tracing difficult?
- How many distinct ETL/processing jobs do you estimate touch customer PII weekly?
- When lineage gaps are found, how are they currently investigated and how long does a typical investigation take?
When Retention or Deletion Is Required, What Actually Happens?
- Have you ever been unable to prove that a deletion or retention policy was enforced across downstream copies (backups, analytics, exports)?
- Which downstream copies are the hardest to control or attest to (select all that apply)?
- Walk me through the last time a retention or deletion request required cross-system confirmation—what went well and what broke?
- How do you currently record and timestamp enforcement actions (deletions, masks, retention purges)?
- What kind of examiner-ready evidence would satisfy you that a deletion request was enforced end-to-end?
What Would Passing the Examiner Actually Feel Like?
- What concrete evidence would make the CDO and GC comfortable that an examiner's request is satisfied?
- Of the evidence types above, which three are highest priority for your examiners or legal team?
- What acceptance thresholds would you set for a successful 60-day POC (catalog coverage percentage, lineage depth in hops, number of enforcement actions validated)?
- Who will validate and sign off the POC acceptance criteria from the business, legal, and engineering perspectives (roles only)?
- If we delivered an examiner-ready evidence bundle at the end of the POC, how would you like it packaged for review?
What Would the CTO Need to See to Say Yes?
- What's the single integration or performance requirement that would cause the CTO to veto the POC?
- Which of the following access patterns are acceptable for your security team?
- Do you have pre-approved deployment patterns (e.g., VPC peering, private link, on-prem appliance) we should follow?
- What performance SLAs matter—maximum added latency, acceptable crawl windows, and maintenance blackout windows?
- Who in engineering must sign off on connector types and schedule (roles and contact cadence)?
Ready to Run a 60-Day Proof That Actually Proves Something?
- If we scoped a focused POC today, what would be the single biggest risk to completing it within 60 days?
- Which approvals or contracts must be completed before we begin (select all that apply)?
- What is the earliest realistic start date given current approval timelines?
- What would you define as a minimally scoped success for the POC—what domain, how many systems, and what evidence must be produced?
- Who will be the day-to-day POC owners on your side (roles for access coordination, engineering coordination, and legal/compliance)?
Small But Critical Details — Constraints, Exceptions, and Non-Starters
- Are there any explicit 'no-go' systems or data types we must never touch during the POC?
- Do you require data to remain strictly in-region or on-premises for regulatory reasons?
- What rollback controls or non-disruption guarantees would make your team comfortable (snapshot restores, read-only proofing modes, audit-only scans)?
- If we encounter a critical issue during crawling, who must be notified and what is the escalation path?
- What is an acceptable cadence for status updates during the POC (daily standups, weekly review, on-demand escalation)?
Closing the Loop — Real Commitments and Next Steps
- Which of the following would you like from us to make approval easiest (pre-signed connector spec, security whitepaper, sample evidence bundle, references)?
- Who will own scheduling and coordination for the POC kickoff from your side (name and role)?
- Before we wrap, what's the single metric or artifact that will make the CDO declare this POC a success?
- Would you like us to draft a scoped POC statement of work based on your answers here and propose a kickoff within two business days?
- Any other concerns, recent incidents, or institutional histories we should know about that could affect how we run the POC?
-
-
Success
Review POC outcomes vs acceptance criteria, capture lessons, and maintain a shared channel for issues and enhancements.
Success Reviews
- POC Outcomes Review (Acceptance Mapping)
- Evidence Walkthrough — Examiner-Ready Artifacts
- Lessons Learned & Remediation Plan
- Executive Decision & Mutual Commit Review
- Ongoing Support, Enhancement Backlog & Shared Channel Setup
Issues & Enhancements
- Confirm governance for post-decision communications to auditors/examiners.
- Open tickets for any missing evidence items with proposed fixes and owners.
- Retrospective Setup
- Produce a prioritized remediation backlog with owners, deadlines, and required resources.
- Agree the acceptance criteria and test harness for any retest or extended POC.
- Establish who signs off on remediation completion (CDO/CTO/GC).
- Create the remediation backlog in the shared channel with owners, estimated effort, and priorities.
- Schedule remediation windows with data engineering and confirm non-disruptive connector plans.
- Define the retest runbook and acceptance verification checklist.
- Record the executive decision and distribute a one-page decision memo to stakeholders.
- Executive Summary of POC Outcomes
- Secure an executive-level decision (deploy / remediate+retest / extend POC) with named signatories.
- Agree commercial/legal next steps and any contract amendments required to reflect the decision.
- Welcome & Objectives
- If proceeding to deployment, open SOW/contract amendment work and assign commercial/legal owners.
- If remediation/extension chosen, publish the modified acceptance criteria, timeline, and sign-off matrix.
- Shared Channel & Access Controls
- Establish a single shared channel with clear ownership and access for ongoing issues and artifacts.
- Agree triage rules, SLAs, and escalation matrix to ensure timely response to production issues.
- Populate the enhancement backlog and set the initial prioritization and sprint/cadence.
- Define monitoring and reporting cadence that satisfies CDO/CTO/GC oversight needs.
- Create the shared communication channel, invite the defined membership list, and post governance rules.
- Document triage process and SLAs in the shared space and link to runbooks for common issues.
- Publish the initial enhancement backlog with priority tags and schedule the first backlog grooming session.
- Produce a line-by-line verdict (pass/fail/partial) against each POC acceptance criterion.
- Surface concrete consequences for any failed or partial criteria in terms of examiner risk and operational impact.
- Secure customer validation that the measured artifacts match what GC/examers will require.
- Agree immediate next step: accept, remediate+retest (with scope/timeline), or extend POC.
- Publish the final POC metrics dashboard and line-by-line acceptance verdict to the shared channel.
- List all failed/partial acceptance tests with severity, impact statement, and recommended remediation owner.
- Schedule the Evidence Walkthrough session to validate artifacts tied to each verdict.
- Scope & Artifact Inventory
- Prove that artifacts exist and are reproducible with clear chain-of-evidence for examiner consumption.
- Surface any missing artifact elements and classify them by impact to an examiner finding.
- Agree on remediation steps and artifact completion criteria if gaps are identified.
- Deliver a signed artifact checklist indicating which artifact elements meet examiner expectations and which require remediation.
- Provide reproducibility playbooks/scripts and access instructions for auditors/GC.
- One-sentence Current State
- Catalog Evidence Walkthrough
- Triage Process & SLA Definitions
- Residual Risk & CTO Integration Constraints
- Root Cause Analysis (by gap)
- Column-level Lineage Trace (Live Example)
- Acceptance Criteria Recap
- Legal & Commercial Implications
- Technical Remediation Options & Tradeoffs
- Enhancement Backlog & Prioritization
- Monitoring, Alerts & Runbook
- Measured Results Dashboard
- Operational & Governance Changes
- Enforcement Evidence (Deletion/Masking Logs)
- Decision & Commit Options
- Gap & Consequence Analysis
- Retest Acceptance Tests & Schedule
- Reproducibility & Audit Trail
- Immediate Executive Actions
- Recurring Cadence & Reporting
- Customer Interpretation & Validation
- GC/Examiner Validation & Outstanding Gaps
- Decision Framework & Immediate Next Steps