The controller-processor distinction is the most tested concept in this chapter. Every exam question can be answered with one question: who makes the decisions about the data?
- Controller = decides WHY and HOW. Makes the decisions about purpose, collection, and processing. Bears primary legal responsibility.
- Processor = does the work. Follows controller instructions. Does not independently decide anything about the data.
Apply this to any scenario. "The payroll department decides who gets paid; the payroll company executes the payments." Who decides? Payroll department = controller. Who executes? Payroll company = processor.
Exam trap 1: "The cloud provider stores customer data." Is the cloud provider a controller or processor? The cloud provider does NOT decide why the data is stored — the customer does. Cloud provider = processor. The customer organization = controller.
Exam trap 2: "Outsourcing to a processor transfers all legal responsibility." FALSE. The controller remains responsible. The controller must ensure the processor implements adequate security (documented in a data processing agreement) and cannot escape accountability by pointing at the vendor.
A common exam trap: the question describes the most technically capable person (the DBA, the system admin, the security engineer) and asks who the data owner is. The answer is almost never the most technical person.
Data ownership follows organizational responsibility, not system access:
- Customer data = VP of Sales or Chief Revenue Officer
- Financial data = CFO or Treasurer
- Employee records = HR Director or CHRO
- Research data = Chief Research Officer or lab director
The DBA who manages the database every day is the data custodian, not the data owner. The DBA implements controls; the VP approves who gets access.
Memory: "The boss owns the data. The admin protects it."
Why it matters: when a breach occurs involving customer data, the VP of Sales faces executive accountability, not the DBA. The DBA may have operational failure responsibility, but ultimate accountability sits with the data owner.
Four levels, ordered from most open to most restrictive:
- Public: anyone can see it. No controls needed.
- Internal: employees only. Basic access control (login required).
- Confidential: specific roles/groups only. Formal authorization, logging.
- Restricted: strict need-to-know, formal approval, full logging, encryption required.
Exam scenario strategy: always read what type of information is described. Trade secrets, unreleased products, acquisition targets, security architectures = Restricted. Business strategy, client contracts = Confidential. Internal communications = Internal. Press releases, published data = Public.
The data custodian assigns the label AND configures the technical controls (permissions, DLP, encryption) that enforce it. The label is useless without the corresponding controls.
Exam trap: "The document system requires a login, so all data stored there is adequately protected." WRONG. A login only addresses Public vs. not-Public. Confidential and Restricted data requires role-based access control beyond just authentication.
The data custodian is the operational implementer of data governance. Every control that the data owner and controller decide must be enforced — the custodian actually configures it.
A shortcut to identify data custodian scenarios on the exam: the question will describe someone doing technical work with data:
- Assigning permissions to a folder = custodian
- Configuring encryption for a database = custodian
- Setting up backup jobs = custodian
- Reviewing access logs = custodian
- Applying sensitivity labels = custodian
- Configuring DLP rules = custodian
Contrast with data owner (strategic decisions) and data controller (legal/processing decisions). Custodians work in the systems; owners and controllers work in conference rooms and legal offices.
The custodian works under the direction of the data owner (who determines what classification applies and who should have access) and implements the technical reality of those decisions.
Practice Scenarios
A healthcare company has the following people and activities: (A) The Chief Medical Officer who determines that patient records must be retained for 10 years and approves which clinical staff can access patient data. (B) The IT database administrator who configures file permissions, runs nightly backups, and generates monthly access reports. (C) A cloud storage vendor that stores encrypted patient records per the healthcare company's contract specifications. (D) The Legal and Compliance team that decides how patient data can be used for research purposes and what third parties may receive it.
Classify each person or entity into the correct data governance role and explain why.
Answer: (A) Chief Medical Officer = Data Owner. The CMO is the senior organizational leader with ultimate accountability for patient records. Setting retention requirements and approving access decisions are classic data owner responsibilities. (B) IT Database Administrator = Data Custodian. The DBA performs the operational day-to-day activities: configuring permissions (access management), running backups (security controls), and generating access reports (logging and monitoring). This is the custodian role. (C) Cloud storage vendor = Data Processor. The vendor stores patient data under the healthcare company's contractual instructions. The vendor does not determine why the data is stored or what it is used for. A Business Associate Agreement (BAA) under HIPAA must be in place. (D) Legal and Compliance team = Data Controller. They determine the purposes for which patient data is processed (research), how it can be used, and which third parties may receive it. These are the fundamental decisions that define the controller role under GDPR and privacy frameworks.
A retail company uses a third-party marketing analytics vendor to analyze customer purchase data. The vendor suffers a ransomware attack that exposes 500,000 customer records including names, email addresses, and purchase history. The vendor argues they bear all the responsibility because the breach was at their systems. The retail company argues they are not responsible because they outsourced processing. Both claims cannot be fully correct.
Assess each party's actual responsibility and what both should have done before the breach.
Answer: The marketing analytics vendor (processor) is responsible for: (1) Implementing appropriate security controls to protect the customer data they process, regardless of whether the controller specifically required them (general GDPR processor obligation). (2) Notifying the retail company (controller) of the breach promptly so the controller can meet its notification obligations. (3) Implementing the specific security measures agreed to in the data processing agreement. The retail company (controller) is responsible for: (1) Ensuring a data processing agreement was in place before sharing customer data (required by GDPR). (2) Vetting the vendor's security posture before engaging them. (3) Meeting breach notification obligations to affected customers and regulators once notified by the processor. (4) Ensuring the DPA required adequate security controls. Both parties may face regulatory action. Before the breach: the retail company should have audited the vendor's security (SOC 2 report, questionnaire), required contractual security obligations in the DPA, and included breach notification timelines. The vendor should have implemented encryption, MFA for admin access, and incident response procedures.
A data custodian is auditing the document management system and finds the following unlabeled files: (1) A company newsletter about the holiday party. (2) A spreadsheet of employee salaries and performance ratings. (3) A technical architecture document for the company's customer-facing web application. (4) The employee handbook with general HR policies. (5) An M&A due diligence report about a company the organization is considering acquiring (not yet public).
Assign the correct sensitivity label to each file and explain the access controls that should follow from each label.
Answer: (1) Company newsletter = Public. This can be shared without restriction. No access controls beyond the document system login needed. (2) Employee salaries and performance ratings = Restricted (or Confidential/Highly Confidential). This is personal and commercially sensitive data. Access should require formal authorization; only HR leadership, direct managers, and authorized payroll staff should have access; audit logging of every access event; encryption at rest. (3) Web application technical architecture = Confidential (possibly Restricted). Security architectures are sensitive because they reveal attack surfaces. Access should be limited to the IT/development team with a need-to-know; logging of access events. (4) Employee handbook = Internal. For employees only; standard authentication required; not for external distribution but not highly sensitive. (5) M&A due diligence report = Restricted. This is among the most sensitive data categories. Disclosure could violate insider trading regulations, damage negotiations, or harm the target company. Strictly need-to-know (M&A team, executives, legal); full audit logging; encryption; possibly additional controls like watermarking and print restrictions.