Chapter 109 · Flashcards

Data Roles and Responsibilities — Flashcards

Eleven cards covering the four core data roles, the controller-processor distinction, the payroll example, sensitivity label classifications, custodian security controls, data processing agreements, business associate agreements, and the relationship between all roles. Click any card to flip it.

What is a data owner, who typically fills this role, and what are their four main responsibilities?

Data owner: the individual with ultimate accountability for a specific data asset. Not a technical role — follows organizational authority, not system access. Who fills it: senior leaders (VP, Director, C-suite). VP of Sales = customer data. Treasurer = financial data. HR Director = employee records. Four main responsibilities: (1) Classify sensitivity: assign the appropriate sensitivity label (public/internal/confidential/restricted). (2) Approve access: authorize who may access the data. (3) Define retention: specify how long data must be kept and when it should be deleted. (4) Establish usage policy: define acceptable uses of the data. Ultimately accountable even without direct system access — if their data is breached, the data owner bears organizational accountability.

What is a data controller, and what legal significance does this role carry under privacy regulations?

Data controller: the entity that determines the purposes for which, and the means by which, personal data is processed. Makes the fundamental decisions about data collection and use. Key decisions: why data is collected, what data is needed, how it is used, and how long it is retained. Legal significance under GDPR: the controller is the primary legal responsible party. Must ensure: (1) processing activities are lawful. (2) Data protection requirements are followed. (3) Data subject rights are respected (access, deletion, portability). (4) Records of processing activities are maintained. (5) Data processing agreements exist with all processors. Controllers can be fined directly by regulators for GDPR violations. Cannot escape responsibility by outsourcing processing to a third party.

What is a data processor, and how does a processor differ from a controller?

Data processor: an entity that processes personal data on behalf of and under the instructions of a data controller. Key distinction: the controller decides why and how data is processed; the processor executes those decisions without independent discretion. Processor characteristics: follows controller instructions; often a third party (payroll company, cloud provider, MSSP, marketing platform); signs data processing agreement with controller; still independently responsible for implementing appropriate security controls. When a processor becomes a controller: if a processor begins making independent decisions about data use (processing beyond what the controller instructed), they may become a co-controller with additional legal obligations. Processor obligations: implement security controls, report breaches to controller, not use data for unauthorized purposes, return/destroy data when relationship ends.

Explain the payroll controller-processor example in detail.

Payroll department (data controller): determines who gets paid and how much; sets pay schedules; decides what employee data is collected; provides instructions to the payroll company. Makes all the decisions about purpose and means. Payroll company (data processor): receives the payroll department's instructions; executes payroll processing (calculates deductions, generates transactions); processes employee bank transfers; stores employee records. Does not decide who gets paid or what data is collected — just executes. Key point: if the payroll company began independently using employee data for another purpose (e.g., selling salary data to third parties), they would be violating the data processing agreement and acting as an unauthorized controller. The payroll department cannot escape GDPR responsibility if the payroll company mishandles data — the controller must ensure the processor implements adequate security.

What is a data custodian (data steward), and what operational responsibilities do they hold?

Data custodian / data steward: the role responsible for the operational day-to-day management, protection, and maintenance of data. Works directly with data systems (unlike the data owner). Operational responsibilities: (1) Accuracy and privacy: ensure data is accurate, complete, and handled per privacy requirements. (2) Compliance: ensure applicable laws and standards are followed for the data under their care. (3) Sensitivity labeling: assign and maintain sensitivity classifications on data assets. (4) Access management: grant, modify, and revoke user permissions; manage authentication and authorization systems; conduct periodic access reviews. (5) Security control implementation: encryption, backups, logging, monitoring, IDS/DLP deployment. Custodians bridge the gap between high-level governance decisions (owner/controller) and technical implementation.

What are the four standard sensitivity label classifications and what does each mean?

Sensitivity labels are assigned by data custodians to determine protection requirements and access restrictions: Public: freely shareable with anyone, including the general public. No access restrictions needed. Examples: marketing materials, press releases, published pricing. Internal: for internal use only; not for external distribution. No specific access restrictions beyond authentication required. Examples: internal policies, meeting notes, general procedures. Confidential: sensitive information requiring restricted access. Formal authorization needed for access. Examples: business strategy, client contracts, performance reviews, financial projections. Restricted (highest): most sensitive; tightly controlled access with formal authorization, detailed logging, and often encryption required. Examples: trade secrets, acquisition targets, security system architectures, classified government data. The label determines what encryption, access controls, DLP policies, and handling procedures apply.

What technical security controls does a data custodian implement?

Data custodians implement the technical safeguards that protect CIA triad for data assets: Encryption: at-rest encryption for sensitive data directories and databases; in-transit encryption for data transmitted over networks. Backup and recovery: scheduled backup jobs; tested recovery procedures; offsite or cloud backup storage; retention per policy. Audit logging: configuring systems to log who accessed which data, when, and what changes were made. Log monitoring: reviewing audit logs for anomalous access patterns (user accessing data outside their normal pattern). Intrusion detection: IDS/IPS deployment and alert management for unauthorized access attempts. Data Loss Prevention (DLP): policies preventing unauthorized exfiltration of sensitive data (blocking email with credit card numbers, USB copying of confidential files). Access reviews: periodic audits of user permissions to remove stale access from role-changers and former employees.

What is a data processing agreement and when is it required?

Data processing agreement (DPA): a legally required contract between a data controller and a data processor that governs the processing of personal data. Required under GDPR when a controller engages a processor to handle personal data on their behalf. DPA must specify: (1) What data is being processed and for what purpose. (2) Duration of processing. (3) Nature and purpose of processing. (4) Security measures the processor must implement. (5) How the processor must notify the controller of breaches. (6) How data is returned or securely destroyed when the relationship ends. (7) Prohibition on sub-processing without controller consent. Why it matters: without a DPA, a controller sharing personal data with a vendor violates GDPR even if the vendor implements adequate security. The DPA documents the legal basis for processing and the security obligations of both parties. Under HIPAA, the equivalent document is a Business Associate Agreement (BAA).

What is the four-role hierarchy summary and how do the roles interact?

Four roles, two levels: Strategic level: Data Owner (accountability, classification, access approval) and Data Controller (processing decisions, legal compliance). Operational level: Data Processor (executes processing per controller instructions, often third-party) and Data Custodian (day-to-day technical protection and access management). How they interact: The data owner sets the overall policy for the data asset and approves who can access it. The data controller determines how personal data is processed and engages processors. Data processors carry out processing under the controller's data processing agreement. The data custodian implements the technical controls (encryption, access permissions, logging) that enforce the owner's and controller's decisions. Example flow: VP Sales (owner) approves CRM access policy → Legal/Marketing (controller) decides how customer data is used → Salesforce (processor) processes it → Database admin (custodian) configures encryption and access logs.

How does sensitivity labeling connect to access controls and DLP?

Sensitivity labeling creates the foundation for data-centric security: Label-to-control mapping: each sensitivity label defines what controls apply. Public = no controls; Internal = authentication required; Confidential = role-based access + logging; Restricted = formal authorization + encryption + strict logging + DLP. Access control integration: the custodian configures file permissions and RBAC groups so only authorized roles can access data at each sensitivity level. A user in the "Sales" group can access "Confidential-Sales" documents; cannot access "Restricted-Finance" documents. DLP integration: DLP policies enforce what can be done with labeled data. A DLP rule may: block emailing documents labeled "Restricted" to external addresses, prevent copying "Confidential" files to USB, or watermark "Internal" documents when printed. Why it matters: without labels, DLP has no basis to distinguish sensitive from non-sensitive data. Labels translate data classification policy into automated technical enforcement.

What are examples of common data processors and what do they have in common?

Common data processor examples and why each qualifies: Payroll company: processes employee pay data per the employer's (controller's) instructions. Cloud storage provider (AWS, Azure, Google Cloud): stores and processes organizational data; operates per service agreement (controller instructions). Managed Security Service Provider (MSSP): monitors organizational logs and security events; processes that data on behalf of the customer (controller). Marketing analytics platform: analyzes customer data the organization provides; the organization controls what data is sent and why. Email service provider: processes email data generated by the organization. What they have in common: (1) They process data on behalf of someone else (the controller). (2) They follow the controller's instructions rather than making independent decisions about data use. (3) They must sign a data processing agreement (or BAA under HIPAA). (4) They are still independently responsible for implementing appropriate security controls. (5) They cannot use the data for unauthorized purposes.