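Owing to innovation in information technology, the expansion and globalization of enterprises, and the continual introduction of new policies and regulations, enterprise operations management faces many new challenges. Enterprises must invest considerable effort and cost in managing operational risk and in complying with the relevant laws and regulations, so governance, risk and compliance (GRC) has received growing attention, and data governance has emerged in recent years as a GRC research topic regarded as highly important. Appropriate data governance helps an enterprise manage its data effectively, so that it can put that data to use while complying with regulatory requirements and maximize the value of its data assets. An appropriate data governance framework is therefore needed to help enterprises meet regulatory requirements and achieve their operating goals at the same time. Academic research on data governance is still at an early stage: although the literature has proposed the concept of data governance, there is not yet a commonly accepted unified framework. The main purpose of this thesis is therefore to construct a data governance framework and to examine the key controls an organization should consider in order to implement data governance successfully.
Because the evaluation of key data governance controls is affected by the evaluators' risk awareness and by changes in their perception, it varies widely across environments and is easily swayed by the fuzziness of the evaluators' subjective cognition, which makes it a complex and fuzzy decision problem. This thesis therefore examines key data governance controls in three phases. The first phase collects and consolidates the literature on data governance and uses grounded theory to analyze and derive prototype controls for the data governance framework. The second phase combines the modified Delphi method with Lawshe's CVR (Content Validity Ratio) to confirm the prototype controls, with experts assessing and selecting the controls that are appropriate and representative. The third phase invites practitioners with hands-on experience in banking, manufacturing and government agencies to rate the importance of the selected controls. The rating combines fuzzy theory with the analytic hierarchy process: fuzzy linguistic variables and defuzzification are used to remove the fuzziness of the evaluators' subjective cognition, the fuzzy analytic hierarchy process is used to compute the importance of each control in the data governance framework, and the changes in ranking across industries are analyzed and compared, in order to examine the key controls an organization should consider to implement data governance successfully.
The results so far show that respondents from different industries hold different views on the importance of the data governance framework. For banking and government agencies, whose importance ratings of data governance controls differed markedly, this study derived separate data governance frameworks: the Banking Data Governance Framework (BDGF) and the Government Data Governance Framework (GDGF). Finally, this study validated the BDGF through a field case study. In phase one of the validation, content analysis was used to examine the relationship between the case bank's data governance incidents and the controls in the proposed framework. In phase two, a field experiment was used to investigate the relationship between those controls and the audit improvements actually obtained from an anti-money-laundering audit project, related to data governance, that the case bank launched. The validation results show that the BDGF proposed in this study effectively reflects the case bank's data governance framework.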
Continuous innovation in information technology, the expansion and globalization of enterprises, and the necessary introduction of new policies and regulations engender challenges that compel enterprises to invest massive amounts of effort and capital into managing operating risks and complying with relevant regulations. As a result, governance, risk and compliance (GRC) have become increasingly critical issues. In particular, data governance has emerged as a paramount GRC research topic. Adequate data governance enables enterprises to effectively utilize data for business purposes while remaining compliant with legal requirements and maximizing the value of their data assets. A suitable data governance framework is needed to assist enterprises in achieving operational goals while fulfilling legal requirements; however, data governance-related academic studies remain in their infancy. Though some studies have introduced the concept of data governance, no consensus on a unifying framework has evolved. The primary purpose of this study is to construct a data governance framework and to examine the critical controls that organizations must consider to successfully implement data governance.
Since evaluations of critical controls for data governance are inevitably influenced by the risk awareness of evaluators and by changes in their perception, these evaluations tend to differ based on various environmental conditions and the fuzziness of evaluators’ subjective cognition. Therefore, control evaluations have become a complex and fuzzy decision-making problem. To address this issue, this study examines critical data governance controls in three phases. In the first phase, relevant data governance studies were collected and summarized, and grounded theory research methodology was applied to analyze and compile the control prototypes to be used in a data governance framework. In the second phase, the modified Delphi method and Lawshe’s content validity ratio (CVR) were combined to confirm the control prototypes for use in the data governance framework. The most suitable and representative controls were identified after assessments and screening by Taiwanese experts. In the third phase, experienced professionals from government authorities and the banking and manufacturing industries evaluated the importance of the selected controls. Evaluations were performed using a combination of fuzzy theory and the analytic hierarchy process (AHP). Fuzzy linguistic variables and defuzzification methods were employed to eliminate any fuzziness in the subjective cognition of evaluators. The fuzzy AHP was adopted to calculate the relative importance of various controls in the data governance framework and to analyze and compare rankings across industries, allowing for an evaluation of the critical controls that organizations must consider for the successful implementation of data governance.
The results of this study show that respondents from separate industries have varying views on the importance of particular controls in a data governance framework. Based on differing opinions on the importance of various controls, individual data governance frameworks were developed for the banking industry and for government authorities in Taiwan: the banking data governance framework (BDGF) and the government data governance framework (GDGF). Finally, this study validated the BDGF using a field case study. In Phase 1 of the testing process, content analysis was employed to examine the relationships between data governance incidents at the case bank and various controls in the data governance framework. In Phase 2, a field experiment was conducted to investigate the relationships between controls in the data governance framework and improvements in audit results following the implementation of a money laundering prevention audit project. Test results show that the BDGF developed in this study effectively reflects the data governance framework of the Taiwanese case bank.