Data Ownership: Considerations for Risk Management (2024)

There is no easy answer to the question of who owns data. Indeed, debates about the subject tend to be theoretical. Depending on the situation, the possessor, the user, the creator and the subject of the data could all claim ownership, and sorting it out can pose logistical, technological and even ethical challenges. But that should not discourage auditors and risk managers from making pragmatic efforts to determine who owns the data in an enterprise’s possession, because with ownership comes risk.

Far from a mere technicality, data ownership is strategically important as enterprises become increasingly reliant on data. As such, internal audits should examine data ownership from a more strategic perspective. Beyond ensuring that certain controls and processes are working to prevent compliance or operational problems, internal auditors should ascertain whether data ownership has the attention of top management and whether there are guidelines addressing the enterprise’s use of data and decision-making related to data ownership. Internal auditors must also understand what factors are relevant to determining data ownership, the risk associated with data ownership and how to manage that risk so that they will be able to add value to the organization’s efforts to deal with the question of who owns the data.

Determining Who Owns Data

Due to the sheer volume of data and the complexity of their movements, it may not be feasible for an enterprise to identify the owner of every piece of data it possesses at any given time. However, there are some key considerations that should be taken into account when determining who owns data.

The type of data is one consideration. For example, personal data, particularly personally identifiable information (PII), are most likely owned by the subject of the data. For enterprises that must comply (or choose to comply) with the EU General Data Protection Regulation (GDPR), any personal information they collect remains the property of the subject. Under GDPR, personal data include name, address, photographs, Internet Protocol (IP) address, and genetic and biometric data that could be processed to identify an individual.

Another consideration is how the data were created, generated or collected. For example, data created by an enterprise or by people working for the enterprise in the course of doing their jobs are generally considered the property of the enterprise.

The availability and location of data also factor into the determination of ownership. For example, if two enterprises separately track stock prices, neither one owns the digits (i.e., the raw data) or the stock price itself, which is publicly available information. However, a file containing the enterprise’s recording or documenting of the stock price is generally considered the property of that enterprise. Cloud computing has raised questions about the relationship between data location and data ownership, but in general, anything created before it is put on the cloud is owned by the creator.

There are, of course, exceptions to every rule. From an internal audit perspective, it is critical to look at whether an enterprise’s processes for determining data ownership are consistent and in line with applicable regulations.

Also, it should not be taken for granted that everyone in an enterprise considers documenting data ownership to be a worthwhile pursuit. Researching who owns data can be labor intensive, and some may believe those resources would be better spent on other projects. One thing internal auditors can do is recommend that documenting the ownership of collected or generated data be addressed in the planning stages to avoid having to do so retroactively. In this way, enterprises will be better equipped to handle any problems that arise.

The Risk of Data Ownership

Enterprises should be concerned about data ownership because there are potential legal, financial and reputational risk factors associated with owning data and possessing data owned by other parties. Risk related to data ownership can take several forms. For example, business disruption is possible when one or more parties claim ownership of critical data. As documented, the parties that could potentially claim ownership of data include:1

  • Creator—The party that creates or generates the data
  • Consumer—The party that uses the data
  • Compiler—The entity that selects and compiles information from different sources
  • Enterprise—The entity that creates or possesses the data
  • Funder—The user that commissions data creation
  • Decoder—The party that “unlocks” encoded information
  • Packager—The party that collects information for a particular use and adds value by formatting the information for a specific market or set of consumers
  • Reader—An entity that gains value by adding the data to its information repository
  • Subject—The individual who is the subject of the data
  • Purchaser or licenser—The individual or entity that buys or licenses the data

Another risk associated with data ownership is liability resulting from the loss or misuse of data belonging to other parties. Data breaches involving private customer information obviously fall into this category, and the results can be devastating to an enterprise, as numerous high-profile data breaches have shown. When a data breach happens, consumers are generally not upset about the event itself; they are upset because their personal information (e.g., Social Security numbers, credit card numbers)—which they expected to be kept private—may have been stolen or disclosed. If an enterprise’s data are breached or mishandled by a third party with which it does business, the enterprise may have a legal obligation to report it, and failure to do so could result in penalties. GDPR, for example, requires all enterprises to report certain types of data breaches involving unauthorized access to or loss of personal data to the relevant authority and, in some cases, enterprises must also inform individuals affected by the breach.

The quantity of data owned may also pose risk. In addition to concerns about technology infrastructure, there may be disagreement about whether certain data are more of an asset or a liability. Those who want to leverage data to extract value may disagree with those responsible for safeguarding the data when it comes to determining the right volume. This is why internal auditors should understand the strategic purpose of data ownership and why there should be top-down guidance about the use of data.

Managing Risk Related to Data Ownership

In addition to knowing the nature of the data created, collected, processed and stored, there are other ways that enterprises can mitigate the risk associated with data ownership. Generally, these strategies line up with the fundamentals of good data governance.

Accountability
Ambiguity about who is responsible for the enterprise’s data greatly increases the potential for legal, reputational or financial harm. Clearly defined roles of responsibility and accountability—from the chief information officer (CIO) and data protection officer (DPO) to the individuals responsible for managing smaller subsets of data—are critical to managing the risk associated with data ownership. These people need to understand not only the nature of the data and the data’s value to the business, but also compliance requirements. Thus, having the right people in these roles is critical. As such, internal auditors should assess how the enterprise determines accountability for data and whether that process is reasonable and consistent.

Information Security
Loss, theft and unauthorized access are imminent risk concerns associated with the possession of data, whether they are owned by the enterprise or by an external party. Internal auditors and risk managers should work closely with information security teams to ensure that data are protected while in the enterprise’s hands.

Data Retention Policy
The data retention policy is key because, as noted previously, risk is inherent to the ownership and possession of data, and a retention policy ensures that the enterprise possesses only data that provide value to it. The policy should be regularly updated and assessed for compliance.

Data Inventory
Hand in hand with the retention policy, a dynamic data inventory is vital to identifying ownership of and protecting data. In short, the enterprise must know what data it possesses. A data inventory should include not only what data the enterprise has and where those data reside, but also how the data move into, through and out of the enterprise.

Consent and Disclosure
As it relates to the risk of possessing data owned by other parties, consent and disclosure are vital, particularly in the post-GDPR world. The enterprise should secure consent to collect data and disclose how those data are going to be used to mitigate the risk of future legal or reputational peril.

Third-Party Contracts
GDPR raised the stakes in terms of the extent to which an enterprise or data controller is responsible for the use and misuse of data by external parties such as vendors that process data on behalf of the controller. Internal auditors should review contracts with external data processors to ensure that they align with GDPR and that the enterprise has visibility into the processor’s ability to maintain records of personal data and how those data are processed. Additionally, when data are shared with a third party, that third party may put the data to further use. In that case, there should be agreements in place that establish the ground rules for ownership, usage and sharing.

Conclusion

As enterprises become more data-driven, and as volumes of data grow exponentially, the debate over who owns data will continue to play out in the courts, in academia and in the marketplace. Often, there is no straightforward answer to the question of who owns certain data, but it is inarguable that data ownership and possession can put an enterprise at risk. Although ownership of data cannot be understood in the same way as ownership of tangible assets such as natural resources or machinery, it is equally important and, if enterprises hope to capitalize on the potential value of data, they should be taking proactive steps to ensure that they can manage the risk of owning data.

Endnotes

1 Responsible Conduct of Research, “Data Ownership,” Northern Illinois University, USA, 2005, https://ori.hhs.gov/education/products/n_illinois_u/datamanagement/dotopic.html

Kevin M. Alvero, CISA, CFE, is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning the company’s Global Media products and services.

FAQs

What are the considerations of data ownership?

Some considerations include the following: Who will access the data? For how long can they access the data? What is the process for granting access to the data?

What are the risks of data ownership?

Despite its advantages, data ownership comes with challenges. Establishing clear ownership can be complex, data fragmentation can occur, and the risk of potential misuse or security breaches exists. Moreover, it can lead to siloes if not managed properly.

How do you determine data ownership?

Suppose seniority can't be used as a determining factor. In that case, data ownership can be assigned based on how frequently someone uses the data and how it's used to forward your organization's goals. For example, marketing and sales personnel could use customer data.

What are the principles of data ownership?

The GDPR emphasizes several key principles that organizations need to follow when processing personal data. These principles include: Lawfulness, fairness, and transparency: Organizations must have a lawful basis for processing personal data and must process it in a fair and transparent manner.

What are the three types of data ownership?

Data ownership in big data environments involves defining roles and responsibilities to ensure data integrity, security, and compliance. Types of ownership include stewardship (managing data lifecycle), custodianship (ensuring technical aspects), and governance (policy enforcement).

What is an example of data ownership?

In certain situations, data can be owned by research participants. For example, data collected as a part of Canada's First Nations Regional Health Survey (FNRHS) is owned by the First Nations communities, as outlined in the First Nations Principles of Ownership, Control, Access, and Possession (OCAP).

What is data ownership typically determined by?

In any collaboration, data ownership is typically determined by: The type and source of funds used to support the project.

What best describes data ownership?

Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control.

Who is responsible for data ownership?

At its core, a data owner is an individual or a specific department entrusted with authoritative rights over particular datasets within an organization. This doesn't mean they exclusively “own” the data, but they're custodians, responsible for its well-being.

Why is it important to establish data ownership?

Data ownership provides accountability and responsibility for the data. It helps to ensure that the data is used appropriately and that access to the data is controlled. Data ownership also helps organizations comply with regulatory requirements and mitigate risks associated with data breaches.

Why would users give up ownership of their data?

Users may give up ownership of their data for convenience or benefits like personalized services or targeted ads. Companies want user data to improve their products and tailor marketing.

What type of role when it comes to data ownership?

Explanation: The valid type of role when it comes to data ownership is data owners. Data owners have the ultimate responsibility for the data and make decisions about how it is collected, used, and shared. They have legal and ethical obligations to protect the data and ensure its accuracy.

Which is not a type of data ownership?

In most cases, the Data Custodian is not the Data Owner. A system administrator or Data Custodian is a person who has technical control over an information asset dataset. Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access.

What are the 7 data principles?

Lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What is the data ownership and stewardship policy?

The Data Owner is responsible for defining the strategic direction and priorities for the data, and the Data Steward focuses on implementing policies, procedures, and practices to ensure the data's integrity, quality, and security.

What are the key considerations in data collection?

Ensure that you are clear about what is required before beginning data collection. It is also important to ensure that issues of confidentiality and culturally appropriate methods and tools are addressed. This may include factors such as the population's language needs, literacy levels, and credible collectors.

What are the key considerations for data quality?

The Data Quality Assessment Framework (DQAF) is a set of data quality dimensions, organized into six major categories: completeness, timeliness, validity, integrity, uniqueness, and consistency. These dimensions are useful when evaluating the quality of a particular dataset at any point in time.

What are the considerations issues in data analysis?

These problems arising from things such as: (a) an insufficient sample size; (b) unequal data being collected for groups when differences are being compared; (c) an inability to find an easy solutions when the assumptions for a given statistical test have been violated; (d) uncertainty over how to treat outliers and ...
