Data Governance Roles
role-based access control redux
| Role | Description | Role in governance |
|---|---|---|
| Owner | A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset. | A high-ranking employee, like a director or a vice president, typically holds the owner role and is ultimately responsible for ensuring data is appropriately protected. The owner identifies what level of classification and sensitivity the data has, decides who should have access to it, and what level of security should be applied. In relation to governance, the owner provides strategic guidance to ensure that security policies align with business objectives. |
| Controller | In privacy regulations, the entity that determines why and how personal data is collected, stored, and used. | The controller role closely relates to the General Data Protection Regulation (GDPR) and identifies the purposes, conditions, and means of processing personal data. An individual, public authority, agency, or other body can fill the controller role. The controller ensures that data processing activities adhere to all legal requirements. In relation to governance, the controller helps maintain legal and regulatory compliance. |
| Processor | In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector. | The processor is responsible for processing personal data on behalf of the controller and often represents cloud service providers (CSP) but could also be represented by vendors and business partners. Processors must maintain records of their processing activities, cooperate with supervisory authorities, and implement appropriate security measures to protect the data they handle. In relation to governance, the processor role ensures that data is handled securely and in accordance with the rules established by the owner and controller roles. |
| Custodian | An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures. | The custodian, also known as the data steward, is responsible for the safe custody, transport, and storage of the data, and for the implementation of business rules. The IT department typically represents the custodian role. In relation to governance, the custodian role implements and enforces the security controls established by the data owner and controller and reports any issues indicative of a security incident. |