A data quality rule is a formal, documented specification that defines the conditions your data must meet to be considered accurate, complete, and fit for its intended purpose.
That definition matters because it draws a line most teams never draw. A data quality rule is not the same as a data quality check, a data quality policy, or a data quality metric – and confusing these three things is one of the most common reasons enterprise data quality programs stall.
Here is how they differ:
| Concept | What it is | Example |
| Data quality rule | A formal specification – the condition data must satisfy | “Every customer record must have a valid email address in RFC 5321 format” |
| Data quality check | The technical implementation that tests a rule | A SQL query or Python script that flags rows where email fails regex validation |
| Data quality policy | A high-level governance principle that drives multiple rules | “Customer data must be complete and accurate before use in any marketing campaign” |
| Data quality metric | A measurement of rule compliance over time | “98.7% of customer email addresses are currently valid” |
The rule sits in the middle. It translates a business policy into a precise, testable condition – and it gives the engineering team something concrete to implement as a check.
Think of it this way: a policy says what the organization requires. A rule says what a specific data element must satisfy. A check says how to test that. A metric says how well you are currently doing.
Most organizations have checks. Fewer have rules that are formally documented. Almost none have rules that are actively governed – with owners, thresholds, and a defined lifecycle. That gap is exactly where enterprise data quality programs break down.
If your team treats rules and checks as the same thing, you will run into a predictable set of problems.
First, checks written without a formal rule behind them tend to be technically correct but practically arbitrary. An engineer writes a null check on a column because it seemed important – but there is no documentation explaining which business process depends on that column, what the acceptable failure rate is, or who should be notified when it fails. When the engineer leaves, institutional knowledge leaves with them.
Second, without documented rules, it is impossible to audit your data quality program. A regulator asking “how do you ensure the accuracy of your customer data?” needs an answer that goes deeper than “we have some SQL scripts in our pipeline.” Rules give you that answer.
Third, checks without rules cannot be prioritized. If every check is equally important, nothing is. A formal rule forces you to define severity – and severity determines whether a failure blocks a downstream process or just generates a warning.
The short version: checks are how you test data. Rules are what you are testing for – and why.
Most organizations that struggle with data quality have the same underlying problem: their rules are incomplete. They define what a rule tests but skip everything else – who owns it, what a pass looks like, what happens when it fails. An incomplete rule cannot be governed, and an ungoverned rule cannot be trusted.
A well-formed data quality rule has nine attributes. Each one serves a specific purpose, and leaving any of them out creates a gap that will surface later – usually at the worst possible moment.
| Attribute | What it defines | Example |
| Rule name | A unique, human-readable identifier following a consistent naming convention | CUST_EMAIL_FORMAT_001 |
| Description | What the rule verifies, in plain business language | “The email address field for every active customer record must conform to RFC 5321 format” |
| Data domain | The business area the rule belongs to | Customer Master Data |
| Quality dimension | Which data quality dimension the rule enforces | Validity |
| Scope | The exact table, column, or data asset being tested | customers.email_address WHERE status = ‘active’ |
| Threshold | The acceptable failure rate before the rule triggers an alert | < 0.5% of records |
| Severity | What happens when the threshold is breached | Critical – blocks downstream campaign exports |
| Owner | The person accountable for the rule – not the engineer who implements it, but the business stakeholder who needs it | Data Steward, Marketing |
| Remediation | The defined action when a failure occurs | Quarantine affected records, alert data steward, log in issue tracker |
“In almost every implementation we walk into, the rules exist in some form – in pipeline code, in Jira tickets, in someone’s head. What is almost never there is ownership. The moment you ask ‘who is responsible for this rule?’, the room goes quiet. That silence is the actual data quality problem.”
— Sebastian Chalot, Data Governance Consultant, Murdio
Not all data quality rules work the same way or protect the same thing. Grouping them by type gives your team a shared vocabulary, makes it easier to assign ownership, and helps you spot gaps in your coverage – domains or quality dimensions where you have no rules at all.
There are six core types. Most enterprise data quality programs need all of them.
| Rule type | Quality dimension | What it checks | Example |
| Completeness rules | Completeness | Whether required fields contain a value | Every active contract record must have a non-null counterparty_id |
| Validity rules | Validity | Whether values conform to a defined format, pattern, or set of accepted values | Transaction currency must be a valid ISO 4217 code |
| Uniqueness rules | Uniqueness | Whether values that must be unique – such as primary keys or identifiers – contain duplicates | No two records in clients may share the same tax_identification_number |
| Referential integrity rules | Consistency | Whether relationships between datasets are intact | Every account_id in the transactions table must exist in the accounts table |
| Business rules | Accuracy / Consistency | Whether data satisfies domain-specific or regulatory conditions that go beyond format | A loan application flagged as “approved” must have a non-null credit_score above the institution’s minimum threshold |
| Timeliness rules | Timeliness | Whether data is sufficiently fresh for its intended use | The positions table must be updated within 15 minutes of market close |
The quality dimension column maps each rule type to the data quality dimension it primarily enforces. A completeness rule enforces completeness. A validity rule enforces validity. This mapping matters because it tells you which dimension your rule library is covering – and which it is not.
In practice, a large enterprise rule library will have completeness and validity rules in abundance, because they are the easiest to write. Timeliness rules and business rules tend to be underrepresented, because they require closer collaboration between data engineers and business stakeholders to define correctly. If your inventory of rules skews heavily toward completeness and validity, that is a signal worth paying attention to.
Business rules are the most powerful type and the hardest to write well. Unlike the other five types – which are largely structural and can be defined by a data engineer working from a schema – business rules encode domain knowledge. They express conditions that only make sense in the context of a specific process, regulation, or industry.
In financial services, a business rule might require that any position exceeding a certain notional value has an associated hedge on record – a condition derived directly from risk policy, not from the data model. In insurance, a rule might state that a claim cannot be marked as settled if the associated policy has an active dispute flag. These conditions are invisible to anyone who does not understand the business.
This is why business rules require a different workflow. The data steward or business analyst defines the condition. A data engineer translates it into a testable specification. A compliance or risk owner signs off. Skipping any of those three steps produces rules that are either technically untestable or practically meaningless.
For organizations operating under EU regulatory frameworks – DORA, BCBS 239, or GDPR – a significant portion of your business rules will be driven directly by regulatory requirements. Those rules carry an additional attribute worth tracking: the specific regulatory article or control they map to. When an auditor asks which rules enforce your BCBS 239 data lineage obligations, you want to be able to answer in seconds, not weeks.
Navigating DORA, BCBS 239, or GDPR data quality requirements? We have helped financial institutions and large EU enterprises translate regulatory obligations into governed rule libraries. Let’s talk about your situation – no slides, just a practical conversation.
A data quality rule is not a one-time artifact. It has a lifecycle – from the moment a need is identified to the moment the rule is retired. Managing that lifecycle deliberately is what separates organizations with a functioning data quality program from those with a graveyard of stale checks nobody maintains.
The lifecycle has seven stages.
The process starts with identifying a specific data quality need – a failed audit, a broken report, a regulatory requirement, or a proactive gap analysis. The data steward or business analyst documents the rule using the nine-attribute template from the previous section. At this stage, the rule exists as a specification only. No code has been written.
The most common mistake at this stage is skipping scope. A rule defined as “email addresses must be valid” is not actionable. A rule defined as “the email_address field in customers where status = ‘active’ must conform to RFC 5321 format, with a failure threshold of 0.5%” is.
The draft rule is reviewed jointly by the business owner and a data engineer. The business owner confirms the condition reflects the actual business requirement. The data engineer confirms the rule is technically testable against the available data model. If either review fails, the rule goes back to definition.
This step exists to catch two failure modes early: rules that are business-correct but untestable, and rules that are technically clean but describe the wrong condition.
The validated rule goes through formal sign-off – typically the data governance council, a CDO, or the designated data owner for that domain. Approval creates an audit trail. It also forces a prioritization decision: what severity level does this rule carry, and what resources are allocated to monitor and remediate it?
In organizations with a data governance platform, approval is tracked directly in the platform against the rule record.
An approved rule is implemented as one or more data quality checks – the SQL queries, Python scripts, or platform-native tests that actually run against the data. The check is the technical execution of the rule. One rule may produce several checks: a completeness check, a format check, and a range check can all flow from a single well-defined business rule.
At deployment, the rule is linked to the data asset it protects in the governance catalog. This linkage is what makes the rule traceable – you can navigate from any data asset to the rules that govern it, and from any rule to the assets it covers.
Once deployed, the rule runs on a defined schedule and produces a pass rate over time. Monitoring is not just about catching failures – it is about tracking trends. A rule with a 99.2% pass rate today that was at 99.8% three months ago is telling you something. The degradation may be slow enough to stay below your alert threshold while still signaling a structural problem upstream.
Effective monitoring requires a dashboard that shows pass rates per rule, per domain, and per dimension – not just raw alert counts. This is covered in more detail in the data quality report guide.
Rules should be reviewed on a regular cadence – at minimum annually, and immediately when the underlying data model or business process changes. A rule written against last year’s schema may be silently passing because it is testing a column that no longer exists or has been renamed.
Review questions to ask for each rule:
Rules have an end of life. A rule tied to a decommissioned system, a discontinued product line, or a superseded regulation should be formally retired – not deleted, but marked as inactive with a documented reason and date. Deletion destroys audit history. Retirement preserves it.
Retired rules also carry institutional value. When a new team member asks why a certain check exists, a trail of retired rules from the same domain tells the story of how the data quality program evolved.
The seven stages above are not just a workflow – they are the evidence trail that demonstrates your data quality program is real and operational. Each transition between stages should be timestamped and attributed to a named person. That record is what you present to a regulator, an auditor, or a new CDO who wants to understand the state of data governance in the organization.
Organizations that skip the lifecycle – writing checks directly in pipelines without a defined-approved-monitored rule behind them – have data quality testing. They do not have data quality governance. The distinction matters more than most teams realize until they face an audit.
Not sure where your program stands? If you have checks but no governed lifecycle behind them, that gap is fixable – but it helps to map it first. Talk to a Murdio expert about how to approach it in your environment.
A single well-formed rule with a named owner, a defined threshold, and a monitored check is straightforward to manage. The challenge arrives at scale – when a large enterprise has hundreds of data domains, dozens of source systems, and thousands of rules spread across teams in multiple countries.
At that point, a spreadsheet stops working. Not because spreadsheets are inherently bad tools, but because rule management at scale has requirements that spreadsheets cannot satisfy: version control, cross-domain search, lineage linkage, workflow routing, and real-time pass rate tracking. Attempting to do all of that in Excel produces a rule inventory that is always slightly out of date, always slightly wrong, and trusted by nobody.
The operational requirements for managing rules at scale break down into five categories:
Collibra treats data quality rules as first-class citizens in its data catalog. Rules are stored as assets – the same way tables, columns, and reports are stored – which means they carry full metadata, ownership assignments, and relationship linkages.
The practical implication is that a data steward navigating a data asset in Collibra can see, directly in the asset view, which rules govern that asset, what their current pass rates are, and who owns them. The rule is not a separate artifact maintained in a separate system – it is part of the same knowledge graph as the data itself.
Collibra DQ – the platform’s dedicated data quality module, built on the Owl Analytics acquisition – adds the execution layer. Rules defined in the catalog are operationalized as DQ jobs that run against the actual data on a defined schedule. Results feed back into the catalog in real time, updating pass rates and triggering workflow notifications when thresholds are breached.
For organizations managing regulatory obligations under frameworks like BCBS 239 or DORA, this linkage between rules, assets, and lineage is particularly valuable. When a regulator asks for evidence that your critical data elements are governed by defined quality rules with documented owners and monitored pass rates, Collibra provides that evidence as a native export – not as a manually assembled spreadsheet.
This is also where the data quality automation story connects to governance. Automation without a rule library is a pipeline with tests. Automation with a governed rule library – where every check traces back to a documented, approved, owned rule – is a data quality program.
Most organizations do not start with a complete rule inventory. They start with the ten or twenty most critical rules – typically the ones tied to a specific audit finding, a failed report, or a regulatory deadline. That is the right approach. Trying to define all rules for all domains before implementing anything produces analysis paralysis.
The practical path looks like this:
Organizations that follow this path consistently report the same outcome: the first domain takes months, the second takes weeks, the third takes days. The bottleneck is never the tooling – it is the process of aligning business and technical stakeholders on what “good data” actually means. Solve that once, and the rest scales.
“The teams that struggle with Collibra are usually the ones that tried to configure the platform before defining their rules. You cannot automate governance you have not designed. We always start with a single domain, a whiteboard, and the business owner in the room – not with the tool.”
— Sebastian Chalot, Collibra Implementation Lead, Murdio
Most data quality programs fail not because the technology is wrong, but because the rules themselves are poorly constructed. These are the mistakes that appear most consistently across enterprise implementations.
A rule written by a data engineer in isolation reflects a technical judgment, not a business requirement. Without a named business owner who has confirmed the condition and accepted accountability for failures, the rule has no authority. When it fires, there is nobody to decide whether the result constitutes a real problem or acceptable noise. Every rule needs a business owner at the point of definition – not after deployment.
Zero tolerance sounds disciplined. In practice it is a recipe for alert fatigue. Real data in large enterprises never achieves 100% compliance across all rules simultaneously. When every alert is a critical failure, teams learn to ignore the alerting system entirely – and miss the genuine failures buried in the noise. Thresholds should reflect the actual tolerance of the downstream process, set through a deliberate conversation between the data owner and the business stakeholder.
“Email addresses must be valid” is not a rule – it is a principle. A rule requires a precise scope: which table, which column, under which conditions, in which environment. A rule without scope cannot be implemented unambiguously, and it cannot be audited. Two engineers given the same scopeless rule will often implement different checks.
When a team writes checks directly in a pipeline without a formal rule behind them, the check exists but the governance does not. There is no documented condition, no owner, no threshold, no approval trail. The check may be technically correct and still be completely invisible to any audit or compliance review. Rules and checks need to exist as separate, linked artifacts.
A rule that detects a failure and stops there has done half the job. If the response to a failure is “someone will figure it out,” the failure will either be ignored or handled inconsistently across different teams. The remediation path – quarantine, alert, escalate, reject, flag for manual review – should be defined at the time the rule is approved, not improvised when the first failure occurs.
Rules change. A threshold adjusted after a review, a scope expanded to cover a new data source, a condition updated to reflect a regulatory change – each of these is a material modification. Without version history, there is no way to determine whether a change in pass rate reflects a change in data quality or a change in the rule itself. Version control for rules is not optional in a governed environment.
A rule written against a data model that no longer exists will either always pass – because the column it tested has been renamed and is now untested – or always fail – because a value set has changed and the rule was never updated. Stale rules are worse than no rules, because they create a false sense of coverage. Rules need to be reviewed on a regular cadence and updated whenever the underlying data model or business process changes.
Recognise a few of these in your own program? Most teams do. The good news is that none of them require starting over – they require the right approach. Talk to us about what fixing this looks like in practice with Collibra.
A data quality rule is a formal, documented specification that defines the conditions a data element must satisfy to be considered fit for its intended purpose. It includes a testable condition, a defined scope, an acceptable failure threshold, a named owner, and a remediation path. A rule is distinct from the technical check that implements it – the rule defines what must be true, the check verifies whether it is.
A rule is a governance artifact – a documented business requirement stating that specific data must meet a specific condition. A check is the technical implementation that tests whether the rule is being satisfied, typically as a SQL query, a Python script, or a platform-native test. One rule can produce multiple checks. A check without a rule behind it is a test with no documented purpose, no owner, and no audit trail.
There are six core types: completeness rules (required fields must be populated), validity rules (values must conform to a defined format or set), uniqueness rules (identifiers must not be duplicated), referential integrity rules (relationships between datasets must be intact), business rules (domain-specific or regulatory conditions the data must satisfy), and timeliness rules (data must be sufficiently fresh for its intended use). Most enterprise programs need all six types across their critical data domains.
Rules are defined collaboratively. The data steward or business analyst identifies the requirement and documents the condition in plain business language. A data engineer confirms the rule is technically testable against the available data model. A data owner or governance council provides formal approval. Rules defined by only one of these parties – typically the engineering team working alone – tend to be technically sound but practically disconnected from what actually matters to the organization.
There is no fixed number. The right number is enough rules to cover every critical data element in every domain that feeds a material business process, regulatory report, or AI system. In practice, a large enterprise might have hundreds of rules per domain across dozens of domains. The more useful question is coverage: what percentage of your critical data elements are governed by at least one active, monitored rule with a named owner?
Each rule should be documented with nine attributes: rule name, description, data domain, quality dimension, scope, threshold, severity, owner, and remediation. These can be maintained in a data governance platform such as Collibra, where rules are stored as assets linked directly to the data they govern – or, at smaller scale, in a structured spreadsheet or wiki that follows a consistent template. The critical requirement is that the documentation is searchable, versioned, and accessible to both business and technical stakeholders.
Yes. Collibra stores rules as first-class assets in its data catalog, linked to the data assets they govern and to the stewards who own them. Collibra DQ – the platform’s dedicated quality module – operationalizes those rules as scheduled jobs that run against actual data and feed pass rate results back into the catalog in real time. This means a data steward viewing any asset in the catalog can see which rules govern it, their current compliance status, and who is accountable for remediation when a rule fails.
The response depends on the severity level defined when the rule was approved. A critical failure – for example, a rule protecting data that feeds a regulatory report – may block the downstream process entirely until the issue is resolved. A warning-level failure generates an alert to the data steward and logs the incident for review without halting processing. In all cases, the remediation path defined in the rule documentation should specify exactly what happens to the failing records, who is notified, and what the expected resolution time is.
Data quality rules are not the end goal – they are the mechanism. The end goal is a data quality program your organization can rely on: one where every critical data element has documented conditions, named owners, monitored compliance, and a clear remediation path when something goes wrong.
Getting there requires more than writing rules. It requires aligning business and technical stakeholders on what “good data” means for each domain. It requires a governance structure that makes ownership real and accountability enforceable. And it requires a platform that connects rules to the data assets they protect, so that compliance is visible – not inferred.
Most organizations know what they need to build. The difficulty is knowing where to start, how to prioritize, and how to avoid the implementation mistakes that stall programs before they deliver value.
That is where Murdio works. We help large enterprises design and implement data governance programs built on Collibra – from defining the first rules in a pilot domain to scaling a governed rule library across the organization. If your team is navigating that journey, we would be glad to talk.
For further reading on the topics covered in this article, see our guides on data quality checks, data quality automation, data quality dimensions, and building a data quality framework.
19 May 2026
| Data Quality
1 April 2026
| Data Quality
1 April 2026
| Data Quality
© 2026 Murdio - All Rights Reserved
