No-one would disagree that data is an asset. As such, it has value. It therefore follows that somebody must own it. I would state the responsibilities of a data owner as being:
1. Ensuring that data is correctly classified
2. Granting access to the data
3. Ensuring that the data is valid
4. Ensuring that individuals who need to process the data are correctly trained in doing so and understand their roles and responsibilities
5. Deciding on permissible uses of the data
6. Understanding risks associated with the data (and the consequences of the data being compromised)
The issue becomes one of who should take on the responsibility of data ownership within the organisation: should it be something stated on a job description? In France, the answer is definitely “yes” to that question. I know this because I’ve created a ruckus by introducing the concept of data ownership into a French office and been told, in strong terms, that if it’s not already part of an employment contract then it won’t get done.
Should the IT department take on the role? Although the IT department can be the custodian of the data, it should not be the owner. Employees in IT generally do not know how important the data is to the business, how the data is to be used, and which people (or roles) should access the data.
It’s important that we get this one right. We easily lose track of where our data is, but its importance should not become diluted the more it gets updated, emailed, printed, or sent outside of our traditional network boundaries to third parties or to off-site storage for back-up purposes. So really, the data owner is an individual who has a vested interest in making sure the data is accurately and appropriately secured. Take a financial application, for example. Depending on the size of the organization, the data owner may be the CFO or one of the directors who reports to the CFO. The person who is appointed needs to understand the importance and value of the information to the business, the ramifications of inaccurate storage or inappropriate access, and the laws and regulations that may govern the use and retention period of their data. Make sense?
The challenge then becomes one of getting the owner to take ownership. I don’t have an answer yet on how to accomplish this one. I’m working on it from defining policy on the one hand and pushing out messages as to the importance of data on the other. I’m also asking questions such as “Here is a system that contains data; whose data is it?”
I wanted to review some of the reasons why it’s important to classify data. Here are my answers:
1. Helps focus the organization’s attention on the data that is most critical to the business
2. Helps the organization comply with pertinent laws and regulations
3. In the USA, classifying data as private helps the organization comply with the various data breach notification laws
4. Helps identify the methods to be used for disposing of data
5. Helps identify data retention requirements
Would anyone like to add to the list?