Domain 2 · Lesson 2 of 5

Data Ownership Roles

Theory

The 5 Data Roles

Role | Vietnamese term | Responsibility | TS Example
---- | --------------- | -------------- | ----------
Data Owner | Chủ sở hữu dữ liệu | Business leader; sets classification and access policy; ultimately accountable for the data | CTO / Head of Product
Data Steward | Quản lý dữ liệu | Day-to-day data quality management; enforces classification decisions made by the owner | Data / Analytics team lead
Data Custodian | Người giám hộ dữ liệu | IT / Engineering; implements technical controls; stores, backs up, and protects data per owner policy | Hoa (EM Engineering)
Data Processor | Bên xử lý dữ liệu | Third party that processes personal data on behalf of the data controller (GDPR term); must have a signed DPA | eKYC Vendor, Card Processor, AML Vendor
Data User | Người dùng dữ liệu | Accesses data in the course of their job; must follow handling rules set by the owner | Customer service operations team

Critical Distinction: Data Owner vs Data Custodian

This is the #1 most-tested distinction in Domain 2. The two roles are fundamentally different:

Data Owner — DECIDES
  • What data exists and why
  • Classification level
  • Who can access and for what purpose
  • Retention policy
  • Always a business person (not IT)
Data Custodian — IMPLEMENTS
  • Encryption and key management
  • Backups and recovery
  • Access control enforcement
  • Audit logging
  • Always an IT/Engineering person

Data Processor (GDPR / DPA Framework)

Under GDPR and Philippines DPA 2012, a Data Processor is a third party that processes personal data on behalf of the Data Controller (the organization that collects the data and determines the purpose).

  • Must have a Data Processing Agreement (DPA) signed before any processing begins
  • Cannot use the data for their own purposes — only the controller's stated purpose
  • Must delete or return data when instructed by the controller
  • Must implement appropriate security controls
  • Must notify the controller of any data breach promptly

FinTech Company X as Data Controller: FinTech Company X is the Data Controller for all customer data collected via Platform C/Platform B/Partner C. eKYC Vendor (biometrics), AML Vendor (AML), Card Processor (card processing), and AWS/GCP (cloud infrastructure) are Data Processors who must each have a signed DPA covering obligations under Decree 13/2023 (VN) and DPA 2012 (PH).

Key Terms

Data Owner — business leader accountable for data; sets classification and access policy
Data Custodian — IT/Engineering; implements technical controls mandated by the owner
Data Steward — manages data quality and enforces classification day-to-day
Data Processor — third party that processes personal data on behalf of the controller
Data User — employee or system that accesses data to perform authorized job functions
Data Controller — GDPR term for the organization that collects data and determines its purpose
Data Processing Agreement (DPA) — legal contract governing how a processor may handle personal data on behalf of a controller
Accountability — the Data Owner carries ultimate accountability; cannot delegate accountability, only responsibility

Exam Tips

Tip 1 — Data Owner is NEVER IT: Data Owner is always a business executive (CTO, VP Product, CFO). If an exam question says "the IT department is the data owner," that is wrong. IT implements; business owns. This is the most common trick in Domain 2 exam questions.
Tip 2 — Custodian Implements, Owner Decides: "Who classifies the data?" → Data Owner. "Who implements encryption?" → Data Custodian. Memorize this split. Questions will try to swap them.
Tip 3 — Third-Party Vendors = Data Processors: Any third party that handles your customer data (eKYC Vendor, Card Processor, AML Vendor, cloud providers) is a Data Processor. They MUST have a signed DPA. Without a DPA, you're in violation of GDPR / DPA 2012.
Tip 4 — Accountability Cannot Be Delegated: The Data Owner is ultimately accountable. They can delegate responsibility to the custodian, but if a breach occurs, the owner (and their organization) is accountable — not the IT team. This has legal and regulatory consequences.
Tip 5 — Data Controller vs Data Processor: Controller = determines the purpose and means of processing (your organization). Processor = processes on behalf of the controller (your vendor). GDPR and DPA 2012 hold both accountable, but with different obligations.

Work Application — FinTech Company X

Action Item: For the Platform C multi-tenant platform: Data Owner = CTO (accountable for all classification decisions); Data Custodian = Hoa (implements AES-256-CTR, RBAC, Vault, audit trail); Data Processors = eKYC Vendor (biometrics), AML Vendor (AML), Card Processor (card data), AWS/GCP (cloud storage). Verify a DPA is signed with each processor covering Decree 13/2023 (VN) and DPA 2012 (PH) obligations.

Entity | Role | Data Handled | Obligation
------ | ---- | ------------ | ----------
CTO | Data Owner | All customer data in Platform C/Platform B/Partner C | Sets classification, approves access policy
Hoa (Engineering EM) | Data Custodian | All data in the Platform C platform | Implements AES-256-CTR, RBAC, Vault, audit logs
Data / Analytics Lead | Data Steward | Reporting & analytics data | Enforces data quality, classification labels
eKYC Vendor | Data Processor | Biometric templates (facial recognition) | Signed DPA; cannot use biometrics for own purposes; must delete on instruction
AML Vendor | Data Processor | AML & sanctions screening data | Signed DPA; data residency compliance
Card Processor | Data Processor | PAN (card data) — stores PAN, TS holds token only | Signed DPA; PCI-DSS certified
Customer Service Ops | Data User | Customer loan & account info | Must follow access policy; need-to-know only
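The owner-decides / custodian-implements split and the action item above can be expressed as a check over a data-role register: the owner's classification decides which controls the custodian must have in place, and every processor must hold a DPA covering both laws. This is an added example, not part of the lesson or FinTech Company X's tooling; the classification-to-controls mapping, the IT_FUNCTIONS set and the sample register values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Assumed mapping from the lesson's Restricted example; owner DECIDES, custodian IMPLEMENTS.
REQUIRED_CONTROLS = {
    "Restricted": {"encryption:AES-256-CTR", "rbac", "secrets:Vault", "audit-logging"},
    "Internal": {"rbac", "audit-logging"},
    "Public": set(),
}
REQUIRED_DPA_COVERAGE = {"Decree 13/2023 (VN)", "DPA 2012 (PH)"}
IT_FUNCTIONS = {"engineering", "it", "dba"}  # a Data Owner may never come from these
@dataclass
class Processor:
    name: str
    dpa_signed: bool
    dpa_covers: set = field(default_factory=set)  # laws the signed DPA addresses
@dataclass
class Asset:
    name: str
    classification: str
    owner: str
    owner_function: str  # "business" or one of IT_FUNCTIONS
    custodian: str
    implemented_controls: set = field(default_factory=set)
    processors: list = field(default_factory=list)

def check_asset(a: Asset) -> list:
    """Return findings; an empty list means the asset satisfies all three rules."""
    out = []
    if a.owner_function.lower() in IT_FUNCTIONS:
        out.append(f"{a.name}: owner {a.owner} is IT; the owner must be a business role")
    required = REQUIRED_CONTROLS.get(a.classification)
    if required is None:
        out.append(f"{a.name}: unknown classification {a.classification!r}")
    else:
        for ctrl in sorted(required - a.implemented_controls):
            out.append(f"{a.name}: custodian {a.custodian} has not implemented {ctrl}")
    for p in a.processors:
        if not p.dpa_signed:
            out.append(f"{a.name}: processor {p.name} has no signed DPA")
        elif not REQUIRED_DPA_COVERAGE <= p.dpa_covers:
            gap = ", ".join(sorted(REQUIRED_DPA_COVERAGE - p.dpa_covers))
            out.append(f"{a.name}: processor {p.name} DPA does not cover {gap}")
    return out

# Constructed sample register (illustrative values, not the company's real data).
PII = Asset("Platform C customer PII", "Restricted", "CTO", "business", "Hoa",
            {"encryption:AES-256-CTR", "rbac", "secrets:Vault"},
            [Processor("eKYC Vendor", True, {"Decree 13/2023 (VN)", "DPA 2012 (PH)"}),
             Processor("AML Vendor", True, {"Decree 13/2023 (VN)"}),
             Processor("Card Processor", False)])
```

Running check_asset(PII) reports the missing audit logging (a custodian gap), the AML Vendor DPA that does not cover DPA 2012 (PH), and the unsigned Card Processor DPA; each finding maps back to a specific role's obligation.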

Practice Questions

Q1. An auditor asks: "Who is responsible for classifying customer PII in Platform C?" The correct answer is:

A) The Data Custodian (Engineering EM)   B) The Data Owner (CTO)   C) The Data Steward   D) The DBA who manages the database

✓ B) The Data Owner (CTO)
Classification is a business decision, not a technical one. The Data Owner — a business executive who understands the business value and risk of the data — is responsible for setting the classification level. The custodian then implements the technical controls that classification requires.

Q2. Hoa's engineering team implements AES-256-CTR encryption for all PII stored in PostgreSQL. Which data role does this activity represent?

A) Data Owner   B) Data Steward   C) Data Custodian   D) Data Processor

✓ C) Data Custodian
Implementing technical controls (encryption, access control, backups, audit logging) is the responsibility of the Data Custodian. The custodian implements the controls that the Data Owner has mandated through policy. Hoa's engineering team is the custodian — they protect and store data per the CTO's policy direction.

Q3. eKYC Vendor processes biometric facial recognition data on behalf of FinTech Company X. Which data role does eKYC Vendor hold?

A) Data Owner   B) Data Controller   C) Data Processor   D) Data Custodian

✓ C) Data Processor
eKYC Vendor processes personal data (biometrics) on behalf of FinTech Company X (the Data Controller). Under GDPR and Philippines DPA 2012 frameworks, this makes eKYC Vendor a Data Processor. This relationship must be governed by a signed Data Processing Agreement that restricts eKYC Vendor from using the biometric data for any purpose other than providing facial recognition services to FinTech Company X.

Q4. What legal document must be in place between FinTech Company X and eKYC Vendor before eKYC Vendor can begin processing biometric data?

A) NDA (Non-Disclosure Agreement)   B) SLA (Service Level Agreement)   C) DPA (Data Processing Agreement)   D) MSA (Master Service Agreement)

✓ C) DPA (Data Processing Agreement)
A Data Processing Agreement (DPA) is the legally required instrument under GDPR and DPA 2012 that governs how a processor may handle personal data on behalf of a controller. It must specify: the purpose of processing, data types, security requirements, deletion obligations, breach notification timelines, and data residency requirements. An NDA alone is insufficient; the DPA addresses data protection obligations specifically.

Q5. The CTO declares: "All customer PII collected via Platform C must be classified as Restricted." Which data role is the CTO performing?

A) Data Custodian   B) Data Steward   C) Data Owner   D) Data Processor

✓ C) Data Owner
Setting the classification level is the defining responsibility of the Data Owner. The CTO, as the business leader accountable for the data, decides that PII warrants Restricted classification. The Data Custodian (engineering) then implements the technical controls (AES-256-CTR, RBAC, audit logging) that Restricted classification requires. The Data Steward enforces these decisions day-to-day.