Incidents will happen. Our role is to prevent them as best we can, but sooner or later a security incident does happen; it is a question of when, not if. When it happens, our role is to keep the business running smoothly: the information needed for business continuity has to stay intact, available and secure. The CIA triad describes exactly these properties, the Confidentiality, Integrity and Availability of information. In the case of an incident, specific roles exist to keep the business running and to prevent or mitigate damage to the organization. Here are some roles the Google Cybersecurity Certificate Program talks about:

  1. Data Owner
  2. Data Controller
  3. Data Processor
  4. Data Custodian
  5. Data Protection Officer

Data Owners

Data Owners are key decision-makers responsible for overseeing the entire lifecycle of specific datasets within an organization. They have the authority to determine how data is used, shared, and managed, including CRUD (Create, Read, Update, Delete) operations. While they may delegate day-to-day tasks, Data Owners retain ultimate accountability for data-related decisions. Data Owners have administrative rights and responsibilities over specific information assets, but not necessarily over the hardware or software that hosts them. They are responsible for ensuring security measures are in place, approving access, and ensuring data compliance within their domain. In the event of an internal or external breach affecting their data, Data Owners must be informed, as part of their risk management responsibilities.

Regarding personal information provided through web forms, note that the individual providing the information is not the “Data Owner” in the organizational sense; in GDPR terms they are the data subject. Under data protection regulations like the European Union’s General Data Protection Regulation (GDPR), data subjects have rights over their personal data, including the right to access, rectify, and request erasure of their information.

For applications, software, or digital goods and services, the Data Owner is typically not the shareholders or executive committee, but rather a designated individual or department within the organization that has deep understanding of the data and its business context. This person or group is accountable for ensuring the data is treated as a valuable asset and used responsibly to support business objectives.

Key Characteristics of Effective Data Owners

A good data owner typically:

  • Has deep understanding of the specific data domain
  • Possesses both business and technical knowledge
  • Can make strategic decisions about data usage
  • Ensures compliance with regulatory requirements
  • Protects data security and integrity

The role is crucial in ensuring that data is treated as a valuable asset, managed effectively, and used responsibly to support organizational objectives.

Data Controllers

Data Controllers are the collectors: they control the data entry points and decide how the collected data is processed. Data Controllers are responsible for compliance with laws and regulations such as the European GDPR. Every piece of data collected must have a clear purpose, and that purpose has to be clearly communicated to the people whose data it is.

Definition and Responsibilities

A Data Controller is an individual, company, or organization that determines the purposes and means of processing personal data. They have the highest level of responsibility when it comes to data protection and must comply with and demonstrate adherence to data protection principles.

Key responsibilities of Data Controllers include:

  1. Determining how and why personal data is processed
  2. Ensuring compliance with data protection regulations
  3. Implementing appropriate security measures
  4. Maintaining records of processing activities
  5. Conducting data protection impact assessments for high-risk processing
  6. Appointing a Data Protection Officer when required

Relationship with Data Processors

Data Controllers often work with Data Processors, who process personal data on behalf of the controller. The controller must:

  • Choose processors that comply with GDPR guidelines
  • Establish a written contract specifying the processor’s obligations
  • Provide documented instructions for data processing

Legal Obligations

Data Controllers have several legal obligations under the GDPR:

  1. Establishing a lawful basis for each processing activity (consent is one such basis, alongside contract, legal obligation, vital interests, public task and legitimate interests)
  2. Managing consent withdrawal and enabling data subject rights (access, rectification, erasure, portability, objection)
  3. Notifying the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
  4. Ensuring data processing adheres to principles such as lawfulness, fairness, transparency, purpose limitation and data minimization

Penalties for Non-Compliance

Failure to meet these obligations can result in significant penalties. For the most serious infringements, Data Controllers may face administrative fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of up to €10 million or 2% applies to other infringements.

Joint Controllers

In some cases, two or more entities may jointly determine the purposes and means of processing, making them joint controllers. They must clearly define their respective responsibilities, particularly concerning the exercise of data subject rights. Understanding the role and responsibilities of Data Controllers is crucial for organizations handling personal data to ensure compliance with data protection regulations and safeguard individuals’ privacy rights.

Data Processor

A Data Processor plays a crucial role in the data processing ecosystem under the General Data Protection Regulation (GDPR). This role is defined as any entity that processes personal data on behalf of the Data Controller. This includes natural or legal persons, public authorities, agencies, or other bodies that handle data according to the controller’s instructions.

Key Responsibilities

Data Processors have several important responsibilities under GDPR:

  1. Process data only on documented instructions from the controller
  2. Implement appropriate technical and organizational security measures
  3. Assist controllers in fulfilling GDPR obligations
  4. Maintain records of processing activities
  5. Notify controllers of data breaches without undue delay
  6. Support controllers in conducting Data Protection Impact Assessments (DPIAs)

Legal Obligations

The GDPR imposes direct legal obligations on Data Processors, including:

  1. Ensuring that persons authorised to process the data have committed themselves to confidentiality or are under a statutory obligation of confidentiality
  2. Obtaining prior written authorization from the controller to engage sub-processors
  3. Cooperating with supervisory authorities upon request
  4. Returning or deleting personal data after the end of services, unless required by law to retain it

Relationship with Data Controllers

Data Processors must:

  1. Act only on the controller’s documented instructions
  2. Enter into a legally binding contract with the controller
  3. Provide sufficient guarantees to implement appropriate measures for GDPR compliance
  4. Assist controllers in responding to data subject rights requests

Liability

Under GDPR, Data Processors can be held directly liable for:

  1. Failing to comply with their specific obligations
  2. Acting outside or contrary to the controller’s lawful instructions
  3. Damages caused by processing, if they’ve breached their obligations

Record Keeping

Data Processors must maintain records of all processing activities carried out on behalf of controllers, including:

  1. Categories of processing performed
  2. Transfers of personal data to third countries
  3. General description of technical and organizational security measures

Understanding the role and responsibilities of Data Processors is essential for organizations to ensure GDPR compliance and protect individuals’ privacy rights effectively.

Data Custodian

A Data Custodian is the role, often filled by a database administrator (DBA), data modeler, or ETL developer, responsible for the technical maintenance and security of an organization’s databases and data stores. Custodians focus on the “how” of data storage, processing, and transmission, rather than the “why” or the content quality.

Key Responsibilities

Data Custodians have several important duties:

  1. Database Management: They define and maintain the infrastructure of databases to ensure security against internal and external threats.
  2. Access Control: Custodians implement and verify access controls, ensuring only authorized individuals can access the databases.
  3. Data Security: They implement appropriate technical and organizational security measures to safeguard data.
  4. Documentation: Custodians document rules and codes for data storage, processing, and transmission, and disseminate this information to employees.
  5. Data Integrity: They ensure that technical processes maintain data integrity and consistency with the common data model.
  6. Change Management: Custodians apply change management practices in database maintenance and ensure changes can be audited.
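What the Access Control, Data Security and Change Management duties above look like in practice, as an added PostgreSQL example (not part of the original post or of any course material). It assumes a hypothetical `customer` table holding personal data; the role, table and column names are all invented. One role is granted only what the application needs, a second role is limited to non-identifying columns, and a trigger records every change with the database user who made it so that changes can be audited afterwards.

```sql
-- Added example (not from the original post): least-privilege layout a
-- Data Custodian might apply to a table holding personal data.
-- All role, table and column names are hypothetical.

CREATE TABLE customer (
    id          bigserial PRIMARY KEY,
    email       text NOT NULL,
    full_name   text NOT NULL,
    country     text NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- One role per job; neither of them owns the table, so neither can
-- ALTER or DROP it.
CREATE ROLE app_processor NOLOGIN;   -- the application, acts on controller instructions
CREATE ROLE analyst       NOLOGIN;   -- reporting, must never see direct identifiers

-- The application may read and write rows, nothing more.
GRANT SELECT, INSERT, UPDATE ON customer TO app_processor;
GRANT USAGE ON SEQUENCE customer_id_seq TO app_processor;

-- Analysts get column-level access only: no email, no name.
GRANT SELECT (id, country, created_at) ON customer TO analyst;

-- Audit trail: every change is recorded with the database user and time.
CREATE TABLE customer_audit (
    audit_id    bigserial PRIMARY KEY,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    db_user     text NOT NULL DEFAULT current_user,
    operation   text NOT NULL,
    customer_id bigint,
    old_row     jsonb,
    new_row     jsonb
);

-- SECURITY DEFINER: the trigger writes the audit row with the owner's
-- rights, so app_processor never needs direct INSERT on customer_audit.
CREATE OR REPLACE FUNCTION customer_audit_trigger() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO customer_audit (operation, customer_id, old_row)
        VALUES (TG_OP, OLD.id, to_jsonb(OLD));
        RETURN OLD;
    ELSE
        INSERT INTO customer_audit (operation, customer_id, old_row, new_row)
        VALUES (TG_OP, NEW.id,
                CASE WHEN TG_OP = 'UPDATE' THEN to_jsonb(OLD) END,
                to_jsonb(NEW));
        RETURN NEW;
    END IF;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

CREATE TRIGGER customer_audit
AFTER INSERT OR UPDATE OR DELETE ON customer
FOR EACH ROW EXECUTE FUNCTION customer_audit_trigger();

-- Nobody but the owner may read or change the audit table directly.
REVOKE ALL ON customer_audit FROM PUBLIC;

-- Verification step the custodian runs after granting: which columns
-- can each role actually see? Any identifier listed for 'analyst' is a bug.
SELECT grantee, column_name, privilege_type
FROM information_schema.column_privileges
WHERE table_name = 'customer' AND grantee IN ('app_processor', 'analyst')
ORDER BY grantee, column_name;
```

The audit trigger protects against ordinary roles, not against a superuser or the table owner, who can disable the trigger or edit `customer_audit`. For a trail that survives a compromised administrator account, the audit rows also need to be shipped to a store the database roles cannot reach (for example, a separate logging system with append-only access).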

Skills and Expertise

Data Custodians typically possess:

  • Strong technical skills in tools like SQL, Hadoop, Access, and Azure DevOps
  • Solid organizational abilities for managing large-scale projects
  • In-depth understanding of data security risks and mitigation strategies

Importance in Data Governance

Data Custodians are crucial for:

  1. Implementing data governance rules
  2. Ensuring compliance with relevant legislation, including privacy laws
  3. Maximizing the value of data holdings while minimizing privacy risks

By focusing on the technical aspects of data management, Data Custodians complement the roles of Data Stewards and Data Owners, who are more concerned with data quality and business perspectives, respectively.

Data protection officer – DPO

A DPO is an expert within an organization who monitors personal data processing and provides advice on compliance with data protection regulations. They serve as a bridge between the organization, data subjects, and supervisory authorities.

Key Responsibilities

DPOs have several important tasks:

  1. Informing and Advising: They educate the organization and its employees about their obligations under data protection laws.
  2. Monitoring Compliance: DPOs oversee adherence to GDPR and other data protection provisions, including internal policies.
  3. Training and Awareness: They conduct staff training and raise awareness about data protection issues.
  4. Data Protection Impact Assessments (DPIAs): DPOs provide advice on DPIAs and monitor their performance.
  5. Cooperation with Authorities: They act as the primary point of contact for supervisory authorities and cooperate with them.
  6. Risk Assessment: DPOs consider the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.

Organizational Position

DPOs must:

  1. Be involved, properly and in a timely manner, in all issues relating to the protection of personal data.
  2. Report directly to the highest management level.
  3. Operate independently and not be dismissed or penalised for performing their tasks.
  4. Be provided with adequate resources to fulfill their obligations.

Skills and Qualifications

An effective DPO typically possesses:

  • Expert knowledge of data protection law and practices
  • Strong communication and leadership skills
  • Ability to work under pressure and manage sensitive information
  • Experience in legal, audit, or risk management roles

Importance in Data Governance

DPOs are essential for:

  1. Ensuring compliance with data protection regulations
  2. Fostering a culture of data privacy within the organization
  3. Mitigating risks associated with data processing
  4. Building trust among individuals whose data is processed

By focusing on these aspects, DPOs help organizations navigate the complex landscape of data protection and maintain ethical data practices.


Recital 4 of “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL” of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is important to keep in mind when carrying out the data management duties described above (Article 4 of the same regulation holds the definitions of controller, processor and personal data used in this post):

“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”

The most important phrase here is “The processing of personal data should be designed to serve mankind.” It is a very humanist approach: after all, everything is good when it serves the benefit and progress of humankind, and as communities progress, no harm should come to personal, private and family life.
