Data ownership is a cross-domain topic (Domains 1 and 2) with broad implications, so be sure you can distinguish each role from the others. The Domain 1 and Domain 2 concepts are combined here because they largely overlap:
- Data Subject – the person who the information is about.
- Data Owner – the entity that collects or creates the PII and is legally responsible and accountable for protecting it. The owner also educates others on how to protect the data by disseminating intellectual property rights documentation, policies, regulatory requirements, the specific protective measures expected of custodians, and compliance requirements.
- Data Controller – fills the same role as the data owner when no true data owner exists.
- Data Processor – typically an entity that works under the direction of the owner/controller, such as an IT department.
- Data Custodian – the role within the processing entity (IT department) that handles the data daily.
- Data Steward – the business users of the data, who apply it for its intended business purpose.
- Data Protection Officer (DPO) – a role introduced in the 2019 update to the GDPR. Organizations that handle sensitive personal data, such as genetics, health, ethnicity, religion, or personal preferences, must appoint a DPO. The DPO guides the organization on compliance with GDPR rules and serves as the main point of contact for government oversight agencies.