Data ownership formalizes the role of data owners and establishes accountability, assigning responsibility for managing data from creation to consumption. It puts rules and processes in place to ensure that the right people define usage directives, set quality standards, and consistently resolve data issues.
Data ownership does not mean possession of the data; data owners establish the rules for the data they own related to creation and usage. This means that data owners essentially govern the data under their purview, including managing glossaries, definitions, and quality controls. Data ownership also entails remediating issues and ensuring compliance with corporate, industry, and government regulations and laws.
Five Core Elements of Data Ownership
There are five core elements to consider and codify when creating data ownership plans and related data governance.
Describe how data is handled, can be used, and plan data recovery, as well as outline the systems and processes required to manage it. Data management, with respect to data ownership, also covers how and when data is deleted.
Know where data is physically located and processed, including data stored in the cloud. Data ownership requires a detailed understanding of data location to ensure compliance with regulations, such as those related to government agencies' data.
Define access rules that specify by whom, when, and how data can be accessed. Data ownership covers data accessed by third parties who use it to execute their services, such as data storage providers, SaaS solution providers, and vendors who support internal systems. An audit feature should be in place to provide reports about who accessed what data and when it was accessed.
Ensure that data has protections commiserate with the sensitivity of the information. Data ownership includes taking care that there are guardrails in place to protect data privacy and confidentiality.
5. Rights and Retention
Specify who has rights to data and establish retention parameters. Data ownership extends throughout the data lifecycle and must include provisions for the transfer of rights, dates for data to be destroyed, and any exceptions.
Importance of Data Ownership
Data ownership has historically been an afterthought, taken into consideration after "first-tier" security tools (e.g., firewalls, anti-malware solutions, IDS, SIEM) have been implemented. Legislation (e.g., GDPR, PCI-DSS, HIPAA, CCPA) has driven data ownership to the forefront. Many require organizations to know what data they have and provide appropriate data security to protect it. Unstructured data has also brought attention to data ownership, especially with the rise of big data, much of which is unstructured. Regardless of file format or content, best practices must be implemented to ensure that all data elements are accounted for and protected.
Data Ownership Considerations and Issues
First and foremost, data ownership requires ensuring that data is classified correctly. Responsibilities also include assigning role-based access privileges once data has been classified.
According to commonly used data ownership guidelines, the following should be considered when defining role-based access controls for data:
- How is the data secured?
- How long is the data retained?
- How should data be destroyed?
- What data needs to be encrypted?
Data Ownership and Security
A security-centric approach to data ownership allows organizations to effectively right-size security, especially in environments with on-prem and cloud infrastructure.
Data ownership comes with the responsibility to protect, monitor, and audit sensitive information access and use.
Five Security Challenges
Data ownership has many challenges related to security. In addition to protecting data with a complex web of security systems and processes, it requires addressing issues related to:
- Unclear ownership when accountability is spread across a number of departments or users
- Unknown data meaning when data lacks semantic definitions or data dictionaries are subpar
- Cumbersome, old data structures that technically still work, but make it difficult to apply data ownership best practices using newer systems
- Data explosion driven by the dropping cost of storage, causing excessive data to be stored, resulting in an expanding attack surface.
- Variability in access control setup and enforcement leads to vulnerabilities caused by inappropriate access being granted, especially for privileged user access.
- Lack of tools and processes hampers data ownership as it requires technology along with clear user direction and management to be successful.
Data Ownership and Encryption—Pros and Cons
Encryption protects data that is sent, received, and stored. It scrambles readable text so it can only be read by a person who has the decryption key. Encryption plays a leading role in data ownership, providing security for sensitive information. Despite its benefits, encryption has downsides.
Advantages of Encryption:
- Minimizes data residency risk by limiting data readability
- Reduces data breach notification requirements
- Eliminates the need to clean or "shred" data when it is deleted
Disadvantages of Encryption:
- Key management can be complex and can require training
- Use of weak passwords undermines data security
- False sense of security leads users to let down their guard
Data Ownership and Privacy
Data ownership does not cover a sufficient set of rights to protect individuals' privacy, because it does not provide users with a clear chance to refuse any data transfer prior to collection. Allowing a user to "accept" or "refuse" data collection does not provide control or ownership. Some data protections are in place by law and regulation, but data ownership is mostly out of individuals' hands once information has been shared with an organization. Data privacy is not an intrinsic part of data ownership.
State and Global Requirements Related to Data Ownership
Data ownership requires complying with a dizzying number of regulations and laws. Two of the most stringent are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
GDPR and Data Ownership
GDPR requires organizations to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. According to GDPR, data privacy extends from an individual's IP address and cookie data to their address and Social Security number.
GDPR has an entire section on the Rights of Subjects (Chapter 3). The eight user rights show the far-reaching impact of GDPR on data ownership.
- The right to information
- The right of access
- The right to rectification
- The right to erasure
- The right to restriction of processing
- The right to data portability
- The right to object
- The right to avoid automated decision making
CCPA and Data Ownership
The CCPA increases consumers' control over the personal information that organizations collect from them. These rights include:
- The right to know about the personal information a business collects about them and how it is used and shared
- The right to delete personal information collected from them—with some exceptions
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights
Regulations, such as GDPR, and laws, such as CCPA, strengthen personal data privacy. Individuals' data ownership capabilities are also increasing personal data privacy, and mechanisms are emerging that allow individuals to assert rights of data ownership.
Data Governance and Security Plans
Data ownership is a critical part of an effective data governance plan and improves security, as systems and processes are in place to ensure that data is used and managed according to its inherent value and sensitivity. Organizations should allocate resources to develop, implement, and maintain oversight of a data ownership plan that is integrated and aligned with data governance and security.
Last updated: 06/02/2021
Secure Remote Work