Skip to main content
In this article, we explore the final component of effective security governance: clearly defining systems and data roles and responsibilities. Robust data privacy is crucial—not only to protect individuals from breaches but also to ensure compliance with stringent regulations such as the GDPR, which governs the handling of EU citizens’ data. Non-compliance can result in heavy penalties, fines, or irreparable harm to an organization’s reputation. From a security governance perspective, it is essential to understand the various roles involved in data privacy and their specific responsibilities. The primary roles are:
  • Data Owners
  • Data Controllers
  • Data Processors
  • Data Custodians or Stewards
Effective role designation ensures that data privacy and security measures align with legal regulations and organizational policies.

Data Controllers and Data Processors

Legally, a data controller—which may be an individual or organization—is responsible for ensuring compliance with data privacy laws and regulations. As the entity ultimately accountable for the data, the data controller must:
  • Ensure adherence to data laws and regulations
  • Secure consent for data collection and storage
  • Implement comprehensive policies and procedures to protect data
  • Provide clear privacy notices
Any issues arising from data mishandling are primarily the responsibility of the data controller.
The image shows four colored boxes labeled "Data Owners," "Data Controllers," "Data Processors," and "Data Custodians," each with an icon representing its role. The title "Behavior Recognition" is at the top.
Working in close association with data controllers are data processors. These entities handle the operational management of data strictly under the instructions of the data controller. Their responsibilities include:
  • Implementing robust security measures
  • Maintaining data confidentiality and integrity
  • Keeping detailed records of all data processing activities
Whether managed internally or outsourced to external providers such as cloud services or payroll companies, data processors must adhere to the prescribed guidelines.
The image is an infographic titled "Behavior Recognition" that outlines four aspects of data controllers: data laws and regulations, collecting and storing data, policies and procedures, and privacy notices.
The image is an infographic titled "Behavior Recognition" featuring three icons representing security measures, data confidentiality and integrity, and data recording, all under the category of "Data Processors."

Data Custodians and Data Stewards

The roles of data custodians and data stewards are closely related yet distinct. Data custodians are primarily responsible for managing the technical environment in which data is stored and transmitted. In contrast, data stewards focus on data quality, ensuring its accuracy, and overseeing its proper utilization across the business.
The image is a flowchart illustrating "Behavior Recognition," showing the roles of "Data Custodians" and "Data Stewards" in managing stored and transmitted data.
To better understand these roles, consider a payroll system scenario. A company collecting employee data for payroll processing (including addresses, banking details, and other personal information) may assign responsibilities as follows:
  • The data controller (e.g., the HR or payroll department) determines how this data is processed and is accountable for its proper use.
  • The data processor is a third-party service engaged to handle payroll processing, implementing robust security measures under the data controller’s directives.
  • The data custodian is typically the IT department providing the servers and resources needed to securely store the data, ensuring encryption during data rest and transit.
  • The data steward works within the payroll department to verify salary details, manage pay dates, and maintain timesheets accurately.

Data Owners and Data Subjects

Understanding the difference between data ownership and data subjects is imperative for effective data governance:
  • If personal data is being processed, the individual is recognized as the data subject. Regulations like the GDPR empower data subjects with rights such as the right to be forgotten and the ability to request data removal.
  • The data owner is generally the person or department responsible for overseeing the use of that data once provided by the data subject.
This differentiation is key to ensuring that both privacy rights and data integrity are maintained throughout the data lifecycle.
The image displays four colored icons labeled "Policies," "Procedures," "Standards," and "External Considerations" under the heading "Behavior Recognition."

Conclusion

In summary, this article has detailed the critical elements of security governance, including:
  • Policies and procedures for data handling
  • Clear delineation of roles and responsibilities among data controllers, processors, custodians, stewards, owners, and subjects
  • The importance of maintaining robust data privacy practices in compliance with regulatory requirements
The next section will shift its focus towards risk management, further building on the foundations established here. For further insights on data security and governance, consider exploring additional resources such as Kubernetes Documentation and Docker Hub.

Watch Video