Data Ownership
(OBJ 4.2 & 5.1)
Data Ownership
- Process of identifying the individual responsible for maintaining the confidentiality, integrity, availability, and privacy of information assets
- There are different roles that fall under the idea of data ownership including:
- Data Owner
- Data Controller
- Data Processor
- Data Custodian
- Privacy Officer
Data Owner
- A senior executive responsible for labeling information assets and ensuring they are protected with appropriate controls
- Holds responsibility for the confidentiality, integrity, and availability of the information asset
- Not the person who created the file; it is the senior executive.
Data Controller
- Entity responsible for determining data storage, collection, and usage purposes and methods, as well as ensuring the legality of these processes
- Holds the ultimate accountability for any breaches of privacy and cannot delegate this responsibility to another party.
Data Processor
- A group or individual hired by the data controller to assist with tasks like data collection and processing
- Works under the direction of the data controller and follows its instructions for data collection or processing.
Data Steward
- Focuses on data quality and metadata, ensuring data is appropriately labeled and classified, often working under the data owner
- Involved in making sure the data is appropriately labeled and classified
Data Custodian
- Responsible for managing the systems on which data assets are stored, including enforcing access controls, encryption, and backup measures
- Who might this be?
- System administrator: Enforcing the access control, the encryption, and the backup recovery measures that protect this data based on the requirements set forth by the data owner.
Privacy Officer
- Oversees privacy-related data, such as personally identifiable information (PII), sensitive personal information (SPI), or protected health information (PHI), ensuring compliance with legal and regulatory frameworks
- The person who is really on the hook if you have a data breach
- Responsible for the privacy of user data that has been expelled
- Ensures the right purpose, limitations, and consent
- Handles data minimization, data sovereignty, data retention, etc.
Data Ownership Responsibility
- The IT department (CIO or IT personnel) should not be the data owner; data owners should be individuals from the business side who understand the data's content and can make informed decisions about classification
Selection of Data Owners
- Data owners should be designated within their respective departments based on their knowledge of the data and its significance within the organization
- Example: The accounting department leader is the data owner.
- Note: Proper data ownership is essential for maintaining data security, compliance, and effective data management within an organization. Different roles contribute to safeguarding and managing data appropriately.