Resources · Updated March 2026

Resources

Practical guides, long-form commentary, and worked examples for the people setting up data governance inside ministries, universities, and national programmes. Written in plain English. Each piece ends with something you can do on Monday morning.

Guides

Practical how-to guides

Written for the person who has to actually set this up: the governance officer, the IT manager, the compliance lead, or the director newly handed a data portfolio. No jargon. No filler. Each guide closes with what you will have finished by the end of it.

Guide

Data governance, from zero to first milestone

A plain-English guide for the person just handed responsibility for their organisation's data, with no budget and no team.

Audience
Department heads, IT managers, newly appointed data leads
Updated
March 2026
Open guide

Handbook

Connecting eventParity to the systems you already use

What to expect when you ask eventParity to read from your existing data estate: preparation, security posture, and what to check after the connection is live.

Audience
IT teams, database administrators, technical project managers
Updated
March 2026
Open guide

Reference

Proving what you said you would do: a reference for compliance officers

How to turn the rules you have written into evidence you can put in front of an auditor, a board, or a regulator on short notice.

Audience
Data protection officers, compliance leads, legal counsel, company secretaries
Updated
March 2026
Open guide

Guide

Data governance, from zero to first milestone

A plain-English guide for the person just handed responsibility for their organisation's data, with no budget and no team.

Primary audience
Department heads, IT managers, newly appointed data leads
Last updated
March 2026

Most people walk into a data governance role and find no handover, no inventory, and no clear place to start. The previous person left, the documents are scattered across folders nobody has access to any more, and the chief executive is asking when the AI strategy will be ready. This guide is for that situation.

Data governance, stripped of jargon, is really about answering three questions well: what data do we have, who is responsible for keeping it honest, and can we trust it enough to make decisions with it. Everything else, the policies, the reviews, the software, is just a way of making those three answers reliable and repeatable.

You do not need a large team or a big budget to begin. You do need about two days of focused effort in your first week, a notebook, and the willingness to say out loud that you do not know the answers yet. Everything useful starts from that honesty.

Week one. Make your inventory

  • Walk the building, digital and physical. List every database, spreadsheet, and shared drive that anyone in your organisation relies on.
  • Note who uses each one and, more importantly, who would notice if it disappeared tomorrow. That second list is your real inventory.
  • For each item, write a one-sentence description of what it is for. If you cannot write one, that is a finding in itself.
  • Do not try to fix anything yet. The point is to see clearly, not to tidy.

Month one. Name owners

  • For every item on your inventory, identify one named person who will take responsibility for it. Not a team. A person.
  • Tell that person. Put it in writing. Make sure their manager knows.
  • If you cannot find an owner, the item either belongs to you now or should be retired. Those are your only two options.
  • Write down what "taking responsibility" actually means: who raises concerns about quality, who approves changes to structure, who answers when there is an external enquiry.

Month three. Set the first rules

  • Pick three datasets that matter most to your organisation's decisions. Start small. Nobody ever improved data quality by tackling everything at once.
  • For each of those three, write down what "good" looks like in terms your non-technical colleagues would understand. Which fields must be filled in. What counts as a valid value. How current the data needs to be.
  • Set up a weekly rhythm to review the rules against what is actually happening in the data. If reality is diverging from the rules, decide which needs to change.
  • Keep the review meeting short. Thirty minutes is usually enough when the rules are clear.

At the end of three months, you will have an inventory you can show a regulator, a named owner for every significant data asset, and at least three datasets where quality is being watched rather than guessed at. That is not a finished governance programme. It is the foundation that everything else is built on.

The most common mistake at this stage is to try to write a comprehensive policy document before anything has been measured in practice. Policies written before practice are wish-lists. Policies written after the first three months reflect what your organisation is actually capable of doing, and they survive contact with reality.

When you are ready for the next stage (linking your rules to the software your teams already use, setting up automatic checks, and preparing for external audits) that is a conversation worth having. We walk customers through that rollout live on a discovery call.

Handbook

Connecting eventParity to the systems you already use

What to expect when you ask eventParity to read from your existing data estate: preparation, security posture, and what to check after the connection is live.

Primary audience
IT teams, database administrators, technical project managers
Last updated
March 2026

The single biggest reason governance platforms fail to land in public-sector and institutional settings is that they ask you to move your data first. You are told the platform is ready to help the moment you have migrated twenty years of records into a new store. Nobody ever manages to complete that migration, so the platform is never fully useful.

eventParity deliberately takes the opposite position. We connect to the data you already have, where it already lives. Nothing is copied unnecessarily. Nothing is moved without a business reason. The governance layer sits above your existing systems rather than replacing them, which is the only arrangement that actually works at a ministry or a university with a long data history.

What to prepare before the connection

  • A named technical contact on your side who can create a read-only service account on the target system. That is all the access we need to start.
  • An agreed list of the tables, schemas, or data sources you want governance to cover in the first phase. We encourage you to start narrow, two or three high-value sources, and expand once the rhythm is established.
  • A documented approval path for connection changes. Who needs to sign off when we add a new source, when we change a quality rule, or when we rotate a credential.
  • A regulator or compliance contact who can answer questions about residency constraints. This decides whether your deployment sits in our managed environment or inside your own.

The first week after connection goes live

  • Confirm that the connection is reading only what it is supposed to read. Your team should be able to see, in one place, exactly which tables and fields are in scope.
  • Review the baseline quality signal. On day one you will often see completeness or consistency issues that nobody had noticed because the questions had never been asked.
  • Decide which of those findings need immediate action and which can wait for the first monthly review. Not everything is urgent.
  • Set up the alert routing. Who gets notified when quality drops below an agreed threshold. Start with a single person; expand to a group only once the signal is trustworthy.

Questions your security team will ask, and the short answers

  • Where are the credentials stored? Encrypted at rest, held inside your deployment rather than shared with anyone else. If you run the sovereign-tier deployment, the encryption keys are yours.
  • What does eventParity actually read? Only what you grant the service account permission to read. We do not discover data you have not told us about.
  • Who can see the results? Only the users you invite, under the roles you define. The audit trail records who looked at what, and when.
  • Can we rotate credentials on a schedule? Yes. Your security team sets the cadence; we honour it.

The most common troubleshooting question is why a connection succeeds but shows no data. It is almost always a permissions issue on the source side. The service account exists, but the granting team did not yet attach it to the right role. A five-minute conversation with your database administrator usually resolves it.

If your data estate spans several jurisdictions, connection topology becomes part of the contract. We design the deployment shape with you before anything goes live: a single managed instance today, or a sovereign on-premise deployment as a scoped engagement. The choice depends on your residency and sovereignty obligations, not on what is easiest for us to operate.

Reference

Proving what you said you would do: a reference for compliance officers

How to turn the rules you have written into evidence you can put in front of an auditor, a board, or a regulator on short notice.

Primary audience
Data protection officers, compliance leads, legal counsel, company secretaries
Last updated
March 2026

Most compliance failures are not failures of intent. They are failures of evidence. Your organisation did the right thing, but the trail of who did what, when, and on whose authority, cannot be reconstructed three years later when the question finally arrives. The distance between "we have a policy" and "we can show that we followed it, every time, including the awkward cases" is where governance programmes live or die.

This reference is for the officer who has to stand up in front of a regulator or a board audit committee and answer specific questions about specific decisions. It is not a legal opinion. It is a practical guide to what evidence you need to be producing continuously, in the background, so that answers are ready on the day they are asked for.

The four artefacts an auditor always asks for, in some form

  • A register of the personal data your organisation holds, with the lawful basis for holding each category. Not a one-off spreadsheet from two years ago. A living record.
  • A log of every decision that was made about that data, with the date, the person who made it, the reason, and the evidence they based it on.
  • A record of every change to the governance rules themselves, including who approved the change and why. This is the audit trail of the audit trail.
  • A clear process for handling the rights of the people whose data you hold (access requests, corrections, deletions) with timestamps showing the clock started and the clock was met.

The principle running through all of these is simple: if it is not written down, it did not happen. Your team's memory, your email archive, and the screenshots saved in someone's desktop folder do not count. The artefact has to be in a place a third party can examine on request, in a form that cannot be quietly edited after the fact.

What to set up before the first audit

  • A single source of truth for the register of personal data. One place your team updates, not twelve.
  • An approval workflow for every change to that register, with the approver named on the record. A change without a named approver is a finding.
  • A rhythm of review, at least quarterly, where a senior person signs off that the register is current. Put it in a calendar.
  • A dry-run exercise at least annually: pick a decision from six months ago, ask your team to produce the trail, and see how long it takes. If it takes more than an hour, fix the process before the real audit arrives.

Handling the cross-border question

  • Identify which of your data holdings are subject to more than one jurisdiction. These are the ones that cause difficulty.
  • For each, document the specific arrangement (contractual, technical, or organisational) that makes the cross-border flow lawful.
  • If you cannot produce that document in under an hour, the arrangement is not robust enough to defend.
  • Review annually. Regulators do change their position, and an arrangement that was fine in 2022 may not be fine in 2026.

The hardest question a compliance officer usually faces is not about the law. It is about what their own organisation actually did, given what the law required. eventParity is built around making that second question easier to answer: every change is recorded, every decision has an author, and every artefact can be produced in one click when the moment comes. The regulation changes; the artefact holds.

If you want a review of your current evidence posture, that is a discovery-call conversation. We walk through a real example with you, show where the evidence holds up, and flag the places where it would not survive an adversarial audit. No deck, no pitch. Just a look at where you are.

Commentary

Blog

Longer pieces, written monthly.

First-person writing on data governance, AI readiness, and the slow work of building institutions that can answer hard questions about their own data.

Mar 10, 2026

The missing step before every African AI strategy

Every national AI strategy on the continent skips the same step. It is the reason so many of them will not produce what they promised.

8 min readRead the post

Feb 28, 2026

What happens when nobody checks the data

Poor data quality is invisible until the moment it costs you something. The cost is rarely the first thing that breaks. It is everything downstream of it.

7 min readRead the post

Feb 15, 2026

The case for building this at home

Sovereignty is not an ideological point. It is the difference between being able to adjust the rules on your own timetable and having to negotiate them with a supplier in another timezone.

7 min readRead the post

Mar 10, 2026 · 8 min read

The missing step before every African AI strategy

Every national AI strategy on the continent skips the same step. It is the reason so many of them will not produce what they promised.

In the last two years, every significant government on the continent has launched, announced, or quietly begun an AI strategy. The decks look similar. The ambitions are legitimate. Most of them will not produce what was promised, and the reason is almost always the same. It is almost never the thing the decks talk about.

The public conversation about AI is dominated by the visible layers. Who owns the compute. Which model was built where. How the application will be rolled out. Those are reasonable questions. They are also not the ones that determine whether the strategy succeeds.

The step that gets skipped is the one under those layers: the work of making sure the data those models will be trained on is trustworthy, documented, and accountable. Without that step, every layer above it is operating on faith. A minister commissions a predictive tool. Six months later an auditor asks which records it was trained on. Nobody can produce a clean answer. The tool is quietly paused. The strategy loses a year.

Why this step gets skipped

  • The work is invisible when it goes well. Nobody publishes a news story about a ministry that has good data governance.
  • It is unglamorous. Compared with the ribbon-cutting of a new AI lab, registering datasets and naming owners feels like housekeeping.
  • It requires patience. The benefit arrives quietly, months later, when a question that would have taken weeks to answer can be answered in a day.
  • It is genuinely hard. Organisations with ten years of accumulated data, multiple upgrades, and staff turnover find that nobody really knows what is in the system any more.

None of this is an argument against AI. It is an argument for the work that has to come first. An AI system trained on undocumented data is a compliance exposure waiting to happen. An AI system trained on data whose provenance can be reconstructed, whose lawful basis is recorded, and whose quality has been measured, is a system that can be defended in front of a regulator, a parliamentary committee, or the journalist on the other end of an enquiry.

What makes this an African question in particular is the cost of getting it wrong. Institutions on this continent already operate with tighter budgets and fewer margins for error. A governance failure that would cost a European ministry a bad headline can cost an African counterpart years of progress, because the trust the institution depends on is harder to rebuild once lost.

What to do in the next 90 days, even with no budget

  • Identify the three decisions your institution most wants to make with data in the next year, and check whether the data to make those decisions exists, is current, and is documented.
  • Name a single owner for each of those three decisions. Not a committee. A person, with a remit in writing.
  • Run a tabletop exercise: if a regulator asked today about one of those decisions, how long would it take to produce the evidence? Whatever the answer, it is the baseline you are trying to shorten.
  • Decide what good looks like for each of those three decisions, write it down, and share it internally. Rules that only exist in one person's head do not survive that person leaving.

The institutions that do this work now will be the ones that look unhurried three years from now when everyone else is scrambling. The ones that skip it will have the same conversations at that point, but from a much weaker position, because the trail will have gone cold.

None of the above requires eventParity. It requires attention. What eventParity does is make the attention repeatable: a single place for the inventory, the owners, the rules, and the evidence, so that what you put in place this quarter still works when your team turns over or your mandate expands.

Feb 28, 2026 · 7 min read

What happens when nobody checks the data

Poor data quality is invisible until the moment it costs you something. The cost is rarely the first thing that breaks. It is everything downstream of it.

A university vice-chancellor asks her registry for this year's total student enrolment across all twelve faculties. She needs the number for a donor meeting the next morning. The registry comes back with three different figures by the end of the day, each defensible, none agreed on. By the time the meeting starts, she is presenting a range rather than a number, and the donor's confidence in the institution drops by a measurable amount.

This is not a story about poor record-keeping. It is a story about what happens when twelve teams each collect the same kind of information slightly differently, nobody has agreed on what counts, and the question is never asked until it really matters. The registry staff are competent. The faculties are diligent. The data is still wrong for the purpose it is being used for.

Every large organisation has a version of this story. In a health ministry it is case counts that reconcile only after a regional officer spends three days cross-checking spreadsheets. In a federal agency it is beneficiary numbers that depend on whether the query includes duplicates. In a research institute it is the difference between "papers published" and "papers published with a named dataset", and the latter is what the ethics committee wants to see.

Why this keeps happening

  • Nobody is paid to catch problems early. Staff are paid to deliver services, and data quality issues only show up downstream of that delivery.
  • Systems evolve faster than the definitions that describe them. A field that meant one thing in 2019 can have drifted to mean something subtly different by 2024, without anyone formally making the change.
  • People move on, and so does the tacit knowledge of how the data actually works. The team member who knew why that column had nulls retired two years ago, and the knowledge went with them.
  • Checking takes more than one person. One team can say their own numbers look right. Cross-checking requires coordination, time, and a named owner. All of which have a cost that nobody ever budgets for.

The damage of finding out late is not in the moment of discovery. It is in everything that was built on the bad data before the discovery. Decisions made. Reports submitted. Policies drafted. Every one of those has to be re-examined once the underlying figure is questioned, and the cost of re-examination is often an order of magnitude larger than the cost of catching the problem at the source.

What a good data-quality practice actually looks like

  • A small number of rules, agreed by the people who actually use the data, written down in one place that is not anyone's personal folder.
  • Automated checks that run on a schedule and tell you when the rules are violated. Not when someone notices. When the rule is broken.
  • A named person who gets the alert, and a documented process for what they do when it arrives. "Somebody should probably look at this" is not a process.
  • A review meeting, short and regular, where the rules themselves are examined. Reality moves; the rules have to move with it, and that should be deliberate.

None of this is revolutionary. It is boring work. It is also the difference between an institution that can answer a hard question on the day it is asked, and one that has to phone round twelve faculties overnight hoping the answer is in there somewhere.

If you are at the start of this work, pick three datasets that matter, write down what good looks like for each, and set up the review. You do not need eventParity to do this. You need to agree on the rules and mean them. What eventParity does is make it automatic: the checks run without anyone remembering to trigger them, the alerts land with the right person, and the history is there when someone asks later how the data got to be what it is.

Feb 15, 2026 · 7 min read

The case for building this at home

Sovereignty is not an ideological point. It is the difference between being able to adjust the rules on your own timetable and having to negotiate them with a supplier in another timezone.

Take a national health programme whose entire data governance posture depends on a platform designed for a different part of the world. The pricing is set in dollars, indexed to a cost of living the programme cannot match. The compliance templates are for regulations that do not apply. The support team sits on a timezone the programme staff cannot reach during their working day. And when the regulator asks a question specific to the jurisdiction (which the regulator always will) the platform cannot answer it, because its concept of the world does not include that regulator.

Every institution that has tried this arrangement has the same set of experiences. The platform does roughly half of what is needed out of the box. The other half is patched together by internal teams, poorly documented, and lost when those team members move on. The bill arrives on a fixed calendar regardless of usage. And the moment an adjustment is needed for a local rule that the platform never anticipated, the institution is negotiating with a supplier who has no particular reason to move quickly.

Sovereignty is not an ideological argument in this context. It is a practical one. The question is whether the tool that carries the accountability record of an entire institution is one the institution can shape on its own timetable, under its own terms, for prices that make sense in its own budget. If the answer is no, the tool is a liability dressed up as an asset.

What it means in practice

  • The regulations the tool understands on day one are the ones your institution actually has to meet. Not an aspirational list from elsewhere.
  • The pricing makes sense for a public-sector budget. Predictable, quoted per engagement rather than per seat, and with the deployment support included rather than sold separately.
  • The tool speaks to stakeholders who are not technical. Department heads, policy officers, compliance leads. The people who actually make decisions on the ground.
  • When the tool is deployed across several institutions in a federated programme, each institution keeps its data under its own governance while the programme-level view is still coherent.

There is a further question underneath this, which matters in the medium term: who owns the record of how the continent governs its data? If the answer is a foreign supplier, the continent's governance history sits on someone else's server, under someone else's roadmap, priced in someone else's currency. That is not a sovereignty position. It is a rental arrangement that happens to be paying the bills today.

This is not an argument against foreign tooling of any kind. It is an argument for the specific category of tool that sits at the centre of the institution's accountability to its public. That category should be built and owned locally. Not for reasons of pride, but because the alternative creates a structural dependency that is hard to unwind once it is in place.

eventParity exists to be that tool, built by people who come from the context it serves. The product was born out of more than 18 years of work inside organisations asking the same questions across different continents: what data is this, who is responsible for it, can we trust it. We decided the record those questions produce should belong to the institutions answering them, on the continent that asks the questions.

Whitepapers

Worked examples by sector

Hypothetical but realistic scenarios drawn from actual conversations with ministries, universities, and development organisations. Each one is a walk-through of what the problem looks like, what good governance would look like in response, and what it takes to get from the first to the second.

Government: a national programme with twenty-three agencies

How to keep programme-level oversight without forcing every agency onto a single system.

A worked example of what data governance looks like when the programme spans a federal ministry and dozens of state and agency implementers, each with their own legacy systems.

See how it works

University: twelve faculties, one accreditation body

How a university can present its own data coherently to regulators, funders, and accreditation reviewers without centralising control.

A worked example of a large university where each faculty has operated independently for decades, and now the accreditation body wants a single institution-level picture.

See how it works

Development programme: partners across seven countries

How to run a coherent programme when the partners on the ground are at very different levels of data maturity.

A worked example of a development organisation delivering a health intervention through partners in seven countries, where some partners have modern databases and others still run on paper forms and shared spreadsheets.

See how it works

Use Case

Government: a national programme with twenty-three agencies

How to keep programme-level oversight without forcing every agency onto a single system.

Picture a federal programme with a single mandate. Say, delivering a social intervention to citizens in every state of a country. The programme is run by one ministry at the centre. Implementation happens through twenty-three agencies on the ground, each answerable to a different state or regional authority. Each of those agencies already has a system of record, chosen locally, set up years ago, and staffed by people who know it well. None of the systems agree on the shape of a citizen record.

The central ministry has to report to parliament on programme outcomes. It cannot do that by waiting for twenty-three different spreadsheets to arrive by email, each with its own definition of who counts as a beneficiary. It also cannot solve the problem by forcing all twenty-three agencies onto a single system, because that migration would take years and would be political suicide with the state authorities.

The only arrangement that actually works is a federated one. Each agency keeps its own system, its own data, and its own independence. What they share is a single set of governance standards: agreed definitions, agreed quality thresholds, and a single place where the programme-level view is assembled. The shared standards are the contract between the ministry and the implementers, and the tool enforces the contract without replacing the local systems.

What good looks like in practice

  • The ministry publishes a single definition of the records that matter for programme reporting: who counts as a beneficiary, what counts as a completed intervention, how long a record has to be kept. Every agency has seen and acknowledged that definition.
  • Each agency registers its own data sources under its own control. The ministry does not see the raw records, only the governance summary: quality scores, completeness, named owner, date of last review.
  • When an agency's quality drops below the agreed threshold, the alert goes to that agency first. The ministry sees it too, but not before the agency has had a chance to act.
  • The ministry produces its programme-level dossier on a monthly or quarterly rhythm, with every reported figure traceable back to an agency and a named owner.

The political advantage of this arrangement is that it respects the autonomy the state authorities already have. The ministry is not asking the agencies to hand over their data. It is asking them to participate in a shared standard of how the data is described and how its quality is measured. That is a conversation implementers can say yes to, because it does not threaten the authority they already hold.

The operational advantage is that problems surface in weeks rather than months. The old model, where the ministry discovers data problems in the week before a report is due to parliament, disappears. The new model has the problems visible as they happen, with the named people who can fix them already on the receiving end of the alert. Parliament gets a cleaner number, and the implementers get to fix their own issues before anyone outside their state knows there was one.

What this looks like on a discovery call is a walk-through of the specific programme: which agencies, which systems, which report to parliament is on the line, and how fast the ministry can get to a defensible programme-level view. Every programme is different; the shape of the deployment is part of the contract, not a default setting.

Use Case

University: twelve faculties, one accreditation body

How a university can present its own data coherently to regulators, funders, and accreditation reviewers without centralising control.

A public university with a century of history has, over time, become twelve semi-autonomous faculties sharing a logo. Each faculty runs its own research grants, its own student records, and its own relationship with donors and funders. That autonomy is a strength. It is also the reason the vice-chancellor cannot produce a coherent institutional position when the accreditation body asks for one.

The specific precipitating moment is usually an accreditation review. The reviewers ask to see how the institution manages research data across faculties: provenance, ethics approvals, retention, access controls. Each faculty can answer for itself; nobody can answer for the institution. The review either ends with conditions attached, or the university spends six months in a crash programme to produce the answers after the fact.

The arrangement that works in a university context is almost the opposite of a top-down crackdown. It is federated: each faculty remains in control of its own data and its own research ethics process, but the institution has agreed a minimum standard of what every faculty captures and how it captures it. That standard is thin enough that faculties do not feel their autonomy is threatened, and thick enough that the vice-chancellor can answer an accreditation question without phoning all twelve deans.

What the standard usually covers

  • A register of research datasets at faculty level, with a named academic responsible for each and a recorded date of last review.
  • A consistent vocabulary for the ethics status of a dataset (approved, pending, expired, withdrawn) so that a single institution-level view is possible.
  • A simple rule about where sensitive data is allowed to live (for example, nothing containing identifying information on institutional email).
  • An agreed cadence of quality review per dataset, with a named reviewer and a timestamp.
  • A clear escalation route when a dataset fails review, owned by the faculty, visible to the institution.

The cultural work is harder than the technical work. Getting faculty deans to agree on a shared standard requires presenting the standard as a protection for their autonomy, not a threat to it. The argument is that the institution is going to be asked questions by funders, regulators, and accreditors whether or not the faculties are ready, and the standard is the cheapest way to make sure each faculty is answering in its own voice rather than being answered for.

The immediate dividend is in the accreditation review itself. Where the previous review generated weeks of defensive preparation, the next one generates a ninety-minute walk-through of a dossier that already exists, updated in the ordinary course of research work. The review either passes cleanly or identifies specific improvements that can be implemented inside a single faculty without dragging the whole institution into a reorganisation.

What this looks like on a discovery call is a look at the university's current accreditation obligations, the faculties that already have good practice, and the minimum shared standard that can be adopted without provoking political resistance. Every institution's shape is different; the standard follows from the institution, not the other way round.

Use Case

Development programme: partners across seven countries

How to run a coherent programme when the partners on the ground are at very different levels of data maturity.

A development organisation is funded to deliver a public-health intervention across seven countries. It works through local partners, chosen because they know the communities and have the operational reach. The maturity of those partners varies dramatically. One partner in a coastal capital has a modern operations team with a database, a reporting rhythm, and a data protection officer. Another, in a rural region, still runs on paper forms, a mobile phone, and a spreadsheet that lives on one laptop.

The development organisation has the same reporting obligations to its donor regardless of the maturity of its partners. The donor does not accept "we have good partners and worse partners" as an answer. It wants a single, consistent picture of the programme. The organisation therefore has to bridge a ten-year difference in operational maturity with a governance arrangement that all seven partners can actually participate in.

The mistake to avoid is choosing the most sophisticated partner as the template. Doing that turns the less mature partners into a compliance problem, and the programme spends more time policing its own delivery than doing the work it exists for. The right move is to meet the partners where they are, ask for the minimum that every partner can actually commit to, and build the sophistication in over time.

The minimum every partner can commit to on day one

  • A named person at each partner responsible for the programme data, with their contact details on a single list held by the coordinating team.
  • A single agreed record format that can be captured on paper, typed into a spreadsheet, or entered into a database. Whatever the partner actually uses.
  • A monthly rhythm of uploading the record to a shared place the coordinating organisation can see, with a timestamp and the named person's sign-off.
  • A simple escalation rule: if the record is late, the coordinating team rings the named person the same day, not after a week of silence.
  • A clear answer to the question "where is this data allowed to live?" in each jurisdiction, documented before the first record is ever transmitted.

That is the baseline. From there the programme can start to build capacity in specific partners who are ready for it: moving one onto a database, another onto automated quality checks, another into the data-protection-officer role inside their own organisation. The coordinating team has a single view of where each partner sits on the maturity curve, so the capacity investment goes where it will actually be absorbed.

The donor outcome is a programme report that tells the truth about how the programme is actually running across all seven countries. Not an idealised version. Not a version that depends on the most sophisticated partner producing nine-tenths of the work. An honest, current, defensible picture, with the governance record to back it up.

What this looks like on a discovery call is an honest conversation about the partners, the jurisdictions, the donor obligations, and the maturity gap the programme is trying to bridge. The deployment shape (managed, federated, or fully isolated per partner) falls out of that conversation.

Deep dives

Longer-form implementation guides

Written for the programme director planning a rollout over six to eighteen months. Assumes you have got budget, a team, and a board to answer to. We walk through the stages, the trade-offs, and the common traps.

Deep dive

Data maturity, honestly measured

A practical guide to what data maturity actually means for a public institution, how to measure where yours sits today, and what to invest in to move up.

Read guide

Deep dive

Compliance as a practice, not a project

What it takes to keep a data-protection programme alive between audits, rather than reconstructing it each time a regulator asks.

Read guide

Deep dive

Data maturity, honestly measured

A practical guide to what data maturity actually means for a public institution, how to measure where yours sits today, and what to invest in to move up.

Data maturity is one of those phrases that sounds more technical than it is. Stripped of consulting-speak, it is a five-step ladder describing how seriously an organisation treats its own data, from "we make it up as we go along" at the bottom to "data is a first-class part of how we run the organisation" at the top. Most institutions sit somewhere in the middle and do not know it, because nobody has asked them to place themselves on the ladder.

This deep dive is for the programme director or chief data officer who has been handed a data strategy to deliver and needs to know, in practical terms, where their institution is starting from. Not the aspirational version. The honest version, the one that matches what the people on the ground would say if they were asked privately.

What each level actually feels like

  • Level 1 (ad hoc). Data lives in individual inboxes and spreadsheets. If the person who made a spreadsheet leaves, nobody can answer questions about the data it contained. Decisions get made, but reconstructing why is nearly impossible.
  • Level 2 (emerging). Someone has started making lists of what exists. There is at least one named owner for the most important datasets. Data still breaks often, but there is a named person to ask about it.
  • Level 3 (established). Definitions are written down, reviewed, and agreed. Quality is monitored on a schedule rather than when problems erupt. A new joiner can find the rules in their first week.
  • Level 4 (managed). Quality signals feed into decisions in the ordinary course of business. Data problems are fixed at the source, not patched downstream. The institution can defend its numbers without a scramble.
  • Level 5 (optimised). Data is a first-class input to strategy. The institution experiments deliberately, testing which rules produce cleaner outcomes, and the organisation's muscle memory treats data quality as a continuous practice, not a project.

Most public-sector organisations discover they are at Level 2 or early Level 3 when they first measure honestly. That is not a failure. It is the starting position. What matters is that the measurement is honest enough to produce an investment plan: one that the board can fund, the team can deliver, and the regulator can accept.

Moving from one level to the next

  • From 1 to 2, invest in visibility. Make the inventory. Name the owners. Do not try to improve anything yet; just see what is there.
  • From 2 to 3, invest in agreement. Write down the rules the organisation claims to follow. Put them through a review. Make them easier to find than the outdated copies already circulating in shared drives.
  • From 3 to 4, invest in automation. Move from "somebody checks this every quarter" to "the check runs by itself and alerts the named person when it fails".
  • From 4 to 5, invest in culture. Embed the quality conversation in executive meetings. Treat it as a standing agenda item rather than a project review. Make sure the discipline survives leadership turnover.

The temptation at every level is to skip ahead: to write ambitious policies at Level 2, or to automate the wrong thing at Level 3. The investment that actually moves the institution forward is the one that matches where it actually is, not where the strategy document says it will be next year. Measuring honestly is therefore the single most important act of the whole exercise.

eventParity gives you the measurement. The maturity assessment sits inside your workspace and is scored against the six dimensions of data governance the industry actually cares about. You see where you are, where you are strongest, and which investment would move the needle most. The plan you build off the assessment is yours; the measurement keeps you honest.

The business case usually writes itself once the first honest score is in hand. "We are at Level 2 on data quality" is the kind of number a board will fund a response to, because it implies a specific next step rather than a vague aspiration. The dossier produced alongside the score has the audit trail that makes the case defensible against later questions about value.

Deep dive

Compliance as a practice, not a project

What it takes to keep a data-protection programme alive between audits, rather than reconstructing it each time a regulator asks.

Most organisations treat data-protection compliance as a project. A deadline approaches, a team is assembled, documents are produced, the submission goes in, the team is dispersed, and the documents begin their slow drift out of date. A year later the cycle repeats, each iteration a little more expensive than the last because the trail between the cycles has been lost.

The institutions that do this well treat compliance as a practice instead. There is no big-bang project. There is a continuous, low-intensity rhythm of updating the register, reviewing the quality signals, recording the decisions as they are made, and producing the dossier from the practice rather than assembling it under deadline pressure. The practice costs a fraction of the project, and the output is stronger.

The weekly rhythm

  • Ten minutes: the team lead confirms nothing on the register has changed without a recorded decision. If something has, the decision is captured while memories are still fresh.
  • Twenty minutes: the quality signals for the most sensitive datasets are reviewed. Anything below the agreed threshold is either fixed, escalated, or explained on the record.
  • No more than an hour in total. The whole point is that it is short enough to survive the weeks when everyone is busy with something else.

The monthly rhythm

  • A named senior person reviews the register end-to-end and signs off that it matches reality. The sign-off is itself a record.
  • Any pending data-subject requests are examined against the clock: the regulatory clock, not the internal one. Anything close to breaching is escalated.
  • A short note to leadership: what changed, what is pending, what is at risk. Three bullet points is usually enough.

The quarterly rhythm

  • The full dossier is regenerated and sanity-checked. If the regulator arrived tomorrow, this is what they would see.
  • The rules themselves are reviewed. Are any of them now obsolete, are any of them missing an entry that would close an obvious gap.
  • A tabletop exercise: the team picks a random decision from the last quarter, tries to reconstruct its trail, and times how long it takes. If the answer is hours rather than minutes, the practice needs tightening.

The payoff is that an audit, when it comes, is an ordinary event rather than a crisis. The dossier exists. The rhythm is documented. The answers are the same ones the team has been producing every week anyway. The regulator sees an institution that takes itself seriously on the record, and the review closes without the conditions attached.

What kills the practice

  • Assigning the rhythm to a single person. When they go on leave, the practice breaks. Always have a second person on the same cadence.
  • Letting the meeting get long. If the weekly slot grows past half an hour, people stop turning up. Keep it short; escalate anything bigger out of the meeting.
  • Rewarding the project. If the organisation applauds the team that stays up all night producing a submission, it is punishing the team that did the weekly work that would have made the all-nighter unnecessary.
  • Cutting the practice budget in a lean quarter. The savings are imaginary; the cost of the next audit absorbs them several times over.

eventParity is built for the practice, not the project. The register updates itself when you record a decision. The quality signals run on a schedule. The dossier is generated from what actually happened, not from what someone remembered three weeks before the deadline. The practice survives leadership turnover because the record survives them, and the next person can pick it up on their first day.

If you want to see what the practice looks like against your institution's specific obligations, that is a discovery-call conversation. We walk through the regulations that apply to you, the evidence you have today, and the rhythm that would keep it current without bankrupting the team. No deck; the review is the conversation.

Ready when you are

The full product is shown on a 30-minute discovery call. Not in slides. Live, on your real questions.

Book a demo