1. The Vice President of Sales at a publicly traded company is identified as the data owner for all customer relationship data. She has never logged into the CRM system and does not manage the database servers. Why is she the data owner, and what are her primary responsibilities in that role?
2. A company's payroll department determines which employees are paid, their salary amounts, pay schedules, and tax withholdings. They send this information to an external payroll company that processes direct deposits and maintains employee records. What is the correct role classification for each party?
3. A healthcare organization stores patient records in a cloud platform. A breach at the cloud provider exposes patient data. The cloud provider claims they are not responsible because they were just storing what the hospital gave them. Under HIPAA data governance, what is the cloud provider's actual security obligation?
4. A data custodian is assigning sensitivity labels to files in the corporate document management system. She finds a document containing trade secrets about an unreleased product, future acquisition targets, and detailed security system architectures. Which sensitivity label is most appropriate, and what access controls should follow?
5. A data controller suffers a breach at its third-party data processor. The controller argues it cannot be held responsible because it outsourced processing to a reputable vendor. What does data governance and GDPR actually say about controller responsibility in this situation?
6. An IT administrator is responsible for managing access permissions to the company file server, implementing encryption for sensitive directories, configuring audit logging of file access, and running backup jobs nightly. Which data governance role best describes this administrator's function?
Matching: Data Governance Roles
Match each role (1–4) to its correct description (A–D).
1Data Owner
2Data Controller
3Data Processor
4Data Custodian
ADetermines the purposes for which and means by which personal data is processed; bears primary legal responsibility under privacy regulations for lawful data use
BSenior organizational leader accountable for a specific data asset; classifies sensitivity, approves access, defines retention, and is ultimately responsible even without direct technical access
CManages day-to-day operational protection of data; assigns sensitivity labels, manages permissions, implements encryption, backups, and audit logging
DProcesses personal data on behalf of and under the instructions of another entity; often a third party such as a payroll company, cloud provider, or managed service provider