Chapter 109 · Security Program Management

Data Roles and Responsibilities

Data owner, data controller, data processor, and data custodian — the four distinct roles that govern who is accountable for organizational data, who decides how it is used, who handles it, and who manages its day-to-day protection.

Confidential
Report ID: DR-2024-001Domain: Security Program ManagementTopic: Data Owner & Data Controller

Data Owner and Data Controller

Effective data governance requires clearly defined accountability for every data asset the organization holds. Without explicit role assignments, responsibilities blur, security controls go unenforced, and compliance obligations fall through the gaps. The data owner and data controller roles address the highest-level accountability questions: who is ultimately responsible for the data, and who decides how it is used.

Data Owner

The data owner is the individual or department with ultimate accountability for a specific data asset. This is typically a senior leader or manager, not a technical role. Data owners are responsible for the data under their organizational authority, even if they do not personally manage the technical systems that store it.

Data Controller

The data controller is the entity that determines the purposes for which, and the means by which, personal data is processed. This concept is especially significant under privacy regulations like GDPR, which places primary legal responsibility on the data controller.

RoleKey Question AnsweredExample
Data OwnerWho is accountable for this data asset?VP of Sales owns customer relationship data
Data ControllerWho decides why and how personal data is processed?Payroll department controls how employee pay data is processed
Data owner = senior organizational leader accountable for a specific data asset (VP Sales, Treasurer, HR Director). Data controller = entity that determines the purposes and means of personal data processing; bears primary legal responsibility under GDPR.
Confidential
Report ID: DR-2024-002Domain: Security Program ManagementTopic: Data Processor & Third-Party Processing

Data Processor and Third-Party Processing

Data Processor

A data processor is an entity that processes personal data on behalf of the data controller. The fundamental distinction between a controller and a processor is authority: the controller decides why and how data is processed; the processor carries out those decisions following the controller's instructions.

The Payroll Example

The payroll relationship is the classic illustration of the controller-processor distinction used in Security+ training:

Other Common Processor Relationships

Payroll department = controller (decides what and how). Payroll company = processor (does the work under instructions). Cloud provider = processor. The controller is always the one who decides the purpose; the processor executes. The controller cannot escape accountability by outsourcing to a processor.
Confidential
Report ID: DR-2024-003Domain: Security Program ManagementTopic: Data Custodian, Data Steward & Operational Data Management

Data Custodian, Data Steward, and Operational Data Management

Data Custodian / Data Steward

While data owners hold high-level accountability and data controllers make processing decisions, someone must handle the operational day-to-day work of protecting and managing data. This is the role of the data custodian or data steward — the terms are often used interchangeably, though some organizations distinguish them.

Sensitivity Labels

One of the most important custodian responsibilities is assigning sensitivity labels to data and enforcing the access controls associated with those labels:

The data custodian assigns these labels to data assets and then configures access controls (permissions, DLP policies, encryption requirements) to match the sensitivity level. This creates a chain from classification to protection.

Access Management

Data custodians commonly manage the practical aspects of access control:

Security Control Implementation

Data custodians implement the technical safeguards that protect data confidentiality, integrity, and availability:

RoleLevelPrimary ResponsibilityWho Typically Fills This Role
Data OwnerStrategicUltimate accountability for data asset; classification; access approvalVP, Director, C-suite
Data ControllerStrategic/LegalDetermines purpose and means of processing; legal complianceDepartment head, legal team
Data ProcessorOperationalProcesses data per controller instructions; often third-partyPayroll company, cloud provider, MSSP
Data Custodian/StewardOperationalDay-to-day protection, sensitivity labels, access management, technical controlsDatabase admin, IT staff, information manager
Data custodian = the person who does the actual security work on the data every day. Assigns sensitivity labels (public/internal/confidential/restricted), manages access permissions, implements encryption/backups/logging. The custodian bridges high-level policy (set by owner/controller) and technical implementation.