Data ownership vs. data processing: A moral dilemma?

Work around data seems to never end. Between collection, sharing and use – the burden of this falls onto the shoulders of the CISO, the broadness of which, seems to be increasing year-on-year. The question that must be asked is, can we expect the CISO to prosper when the essence of data itself seems to be out of control?

Complex issues can be broken down into simpler parts to help resolve them. This may be true in the case of data security. In terms of the state of data, it can be reduced to who owns data, aka, data ownership equates to data control.

This approach then leads to more nuanced layers of consideration:

  • When does data ownership change hands?
  • How does data ownership impact security choices?
  • What aspects of data governance and regularity compliance are affected?

In turn, further layers of the data onion will peel away to reveal more questions, such as, who owns the responsibility in complying with data regulations? And where does the responsibility for data security actually lie? If a customer uploads an image to your site – who owns that image? And, who is responsible for keeping it safe?

These questions open a moral dilemma around data security responsibility – and nuanced questions can lead to fuzzy answers. Any fuzziness in ownership can be used to off-set responsibility. If a CISO is swamped with work, it is a natural next step to ‘pass the buck’. Understanding the finer aspects and nature of data can give us a more detailed analysis to work from.

Where the data buck stops?

The data ownership vs. data processing dichotomy is a great place to understand where the data buck stops. It can help to use the GDPR principles around data. Article 4 of the GDPR provides the definitions of data processing and control to allocate responsibility; whilst the two are intrinsically linked and there may be some overlap, you can say:

Data controller: Referring to Article 5 of the GDPR sets out the data controller must act in a manner of “lawfulness, fairness and transparency”. The data subject rights such as data consent and access rights are under controller remit. Controllers should also protect the accuracy and confidentiality of personal data. In doing so, the controller will need to ensure the data processor is up to the job.

Data processor: This is an entity that processes the data on behalf of the controller. For example, if a user removes consent, then the controller will handle this request, but the processor would be responsible for removing the data from their servers. What is important to note is that a data processor has a strong security perspective; however, if cloud providers aren’t exposed to data, they won’t be labeled processors under GDPR.

The CISO may similarly have to set up their own “internal GDPR” equivalent to delegate ownership and help share data responsibility. The data onion, as you can see has many layers.

How data ownership contracts can help

The CISO is not an island and vendors are part of the data lifecycle. The data onion has touchpoints across technology, legal, and social. The legal argument can be headed off using Data Ownership Contracts with your vendors. Cloud vendors, for example, may offer these types of contracts. The contracts typically have clauses that cover data privacy and security. Various aspects of data protection are handled by these contracts, this should include:

1. Technological measures used to protect data.
2. Data breach notification procedures.
3. Compliance with any data protection regulations, such as GDPR and industry specific ones.
4. Third-party liabilities (this is the extended vendor ecosystem which adds yet another layer to the data lifecycle).
5. Data breach indemnity support.

The bottom line here is that there are many cogs in the ‘data lifecycle wheel’ and contracts can go so far. However, we must be able to address the underlying issue of data ownership and movement to ensure all parts of this data lifecycle wheel are well lubricated.

The work of the CISO is never done but data governance can help

Cloud computing, the regulatory landscape, and changing customer expectations have changed data security choices and needs. The CISO has to fit all of these moving parts together and keep everyone happy.

Gartner has predicted that through 2025, 99% of cloud security failures will be the customer’s fault. They recommend that CIOs can combat this by implementing and enforcing policies on cloud ownership, responsibility, and risk acceptance. In addition, 60% of enterprises with proper Cloud Governance will see one-third fewer security incidents.

Layers of cloud complexity for the CISO

Whilst cloud computing is important, the way it is being handled creates further complexity. By using a SaaS offering, IT infrastructure giants, like VMWARE and IBM, organizations basically initiate vendor lock-ins as they migrate to their cloud infrastructure and embrace the multi-cloud ethos.

The result is that the CISO must encompass ‘cloud-thinking’ into a model of security that embraces the cloud, SaaS, vendor ecosystems, compliance requirements, and customer needs. The data onion has many layers but having a comprehensive security approach that utilizes encryption across a broad spectrum of at rest, in transit, and in use, can take care of the vagaries of data ownership, preventing a ‘pass the buck’ culture.

We’re all actors in the data protection play

Protecting data that is at rest, in transit, and in use covers the spectrum of our ‘theatre of data’. A broad-brush approach to security covers the bases of the entire cast in the data protection play. This approach can give us the technological tools to protect data no matter who owns it, where it resides, or where it ends up. The ownership of data in a world where cloud and SaaS are ubiquitous is complicated with many stakeholders.

The CISO can turn this on its head by using encryption across the data lifecycle, no matter where the data goes, where it is stored, how it is used, if the encryption is part of the whole journey of the data, ownership becomes mute.

Don't miss