Data Roles

A data governance policy defines the security controls applied to protect data at each stage of its lifecycle.

Effective data governance ensures that data is properly managed, protected, and utilized in alignment with organizational objectives and regulatory requirements. Central to this framework are clearly defined roles responsible for the oversight, management, and protection of information assets.

Data Subject

A data subject is a natural person whose personal data is being collected, processed, or stored. The data subject can be identified using various data markers, including:

  • Personally identifiable information (PII)
  • Transactional data (e.g., purchase history)
  • Other sensitive personal information

This information must be handled with strict confidentiality to protect the privacy of the individual.

Data Owner

The data owner is accountable for ensuring that specific data is adequately protected. Typically, this role is assigned to a senior executive responsible for maintaining the confidentiality, integrity, and availability (CIA) of the information asset.

Key responsibilities include:

  • Determining data sensitivity and classification levels
  • Defining access requirements and authorization criteria
  • Assessing asset criticality and data backup frequency
  • Ensuring compliance with organizational policies and legal/regulatory requirements
  • Assigning appropriate classifications to information assets

The data owner is ultimately responsible for how data is protected and accessed.

Data Custodian

The data custodian is responsible for the day-to-day management and protection of data, ensuring that the controls defined by the data owner are properly implemented.

Key responsibilities include:

  • Enforcing access controls and security policies
  • Implementing encryption, backup, and recovery mechanisms
  • Assigning and revoking access rights based on the data owner’s direction
  • Documenting and sharing security controls with the data owner
  • Producing reports or derivative data for operational use
  • Implementing physical and technical safeguards to protect data

There may be multiple custodians assigned to manage different aspects of data.

Data Steward

The data steward focuses on maintaining data quality and ensuring that data is accurate, consistent, and usable.

Key responsibilities include:

  • Defining and enforcing rules for data collection, storage, and use
  • Establishing internal policies and standards
  • Monitoring data quality using feedback, reporting metrics, and analysis
  • Identifying and resolving data-related issues
  • Promoting best practices in data usage
  • Supporting data-driven decision-making across the organization

The data steward plays a critical role in ensuring that data remains reliable and valuable.

Data User

A data user is any individual—employee, contractor, or third-party—authorized by the data owner to access information assets.

Key responsibilities include:

  • Following all organizational policies, guidelines, and procedures
  • Protecting confidential information and avoiding unauthorized sharing
  • Reporting actual or suspected security incidents or policy violations
  • Ensuring responsible and ethical use of data

For example, if a user discovers sensitive data exposed on a system or website, they must report it to the appropriate authority.

Data Controller

The data controller determines the purposes and means of processing personal data. This role is central in defining how and why data is collected and used.

Key responsibilities include:

  • Determining the purpose and method of data processing
  • Ensuring that data processing activities comply with applicable regulations
  • Maintaining accountability for all data processing activities, including those delegated to third parties
  • Retaining ultimate responsibility for privacy breaches

The data controller may process data directly or delegate processing to external entities, but accountability cannot be transferred.

Data Processor

A data processor processes data on behalf of the data controller. Unlike the controller, the processor does not determine the purpose or use of the data.

Key responsibilities include:

  • Performing data processing activities as instructed by the data controller
  • Adhering to contractual or legal agreements governing data processing
  • Protecting data as required, although accountability remains with the controller

The relationship between controller and processor is governed by a contract that specifies:

  • Scope and duration of processing
  • Nature and purpose of processing
  • Types of personal data
  • Categories of data subjects
  • Rights and obligations of both parties

Typically, the data processor is a third-party organization selected by the data controller.

Controller vs. Processor: Practical Example

For example, a bank that collects and manages customer data acts as the data controller. If the bank shares this data with a third-party customer service provider, that provider acts as the data processor, handling the data on behalf of the bank.

Conclusion

Data governance is a critical component of asset security, ensuring that data is properly managed and protected throughout its lifecycle. Clearly defined roles—ranging from data owners and custodians to controllers and processors—enable organizations to enforce accountability, maintain data quality, and ensure compliance with regulatory requirements. By aligning responsibilities across these roles, organizations can establish a robust framework for managing and safeguarding their information assets.