Module 10 of 26 · Foundations

Roles and responsibilities

15 min read · 4 outcomes · 4 standards cited

By the end of this module you will be able to:

  • Distinguish data owner, steward, custodian, and consumer using DAMA definitions
  • Describe the statutory DPO role and when GDPR requires it
  • Apply a RACI framework to a data governance decision
  • Explain why accountability gaps cause data governance failures

Data roles around one accountable owner

Data roles split accountability from operation: one named owner decides; four responsible roles do.

Figure: Data roles, one accountable owner and four responsible roles (hub-and-spoke). Centre: the Accountable Owner, one person, who names the purpose, approves changes and carries the decision risk (UK GDQF Pr.1, DMBOK 2 §3, ISO 27701). Satellites, each Responsible: Data steward (tends meaning and quality), Custodian (runs storage and access), Producer (captures and emits the data), Consumer (draws from it for a stated purpose). Callout: confusing accountability with operation is the most common governance defect; it creates four-people-no-one-deciding paralysis when something goes wrong.

Data roles separate accountability from operation. One Accountable Owner makes decisions; Stewards, Custodians, Producers, and Consumers do the work. DAMA-DMBOK 2 Chapter 3 and ISO/IEC 27701:2025 both require this split to be named explicitly per dataset.

RACI applied to a single data action

Apply RACI per data action: one Accountable owner, one or more Responsible doers, those Consulted before, those Informed after.

Figure: RACI applied to a data action, one Accountable per row. Four cards left to right: R Responsible (does the work, DMBOK 2), A Accountable (owns the decision, UK GDQF Pr.1), C Consulted (input before action, DMBOK 2), I Informed (told after action, DMBOK 2), linked by the verbs reports to, advises, notifies. Callout: two Accountables is the most common defect; when two roles both think they own the decision, neither does. One Accountable per row, every row.

RACI applied to a data action: one Accountable owner, one or more Responsible doers, those Consulted before the change, those Informed after. Two Accountables on the same action is the most common defect. DAMA-DMBOK 2 Chapter 3 names this clearly.
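The rule above (exactly one Accountable per row, and someone Responsible to do the work) is mechanical enough to check. The following is an added example, not code from the module or from DAMA; the matrix layout, role names and the sample actions are constructed for illustration.

```python
from collections import Counter

# RACI codes; an empty string means the role has no part in this action.
VALID_CODES = {"R", "A", "C", "I", ""}


def check_raci(matrix):
    """matrix: {action: {role: code}}. Returns a list of (action, defect).

    Defects reported, in the terms the module uses:
      - no Accountable      -> accountability gap (nobody decides)
      - two+ Accountables   -> the "two Accountables" defect (neither decides)
      - no Responsible      -> nobody is assigned to do the work
    """
    defects = []
    for action, assignments in matrix.items():
        unknown = sorted({c for c in assignments.values() if c not in VALID_CODES})
        if unknown:
            defects.append((action, f"unknown RACI code(s): {unknown}"))
            continue
        counts = Counter(assignments.values())
        if counts["A"] == 0:
            defects.append((action, "no Accountable: accountability gap"))
        elif counts["A"] > 1:
            defects.append((action, "two or more Accountables: nobody owns the decision"))
        if counts["R"] == 0:
            defects.append((action, "no Responsible: nobody is assigned to do the work"))
    return defects


# Constructed sample for a dataset publication workflow (illustrative only).
SAMPLE_MATRIX = {
    "approve publication": {"Owner": "A", "Steward": "R", "Custodian": "C", "DPO": "C", "Consumer": "I"},
    "run export":          {"Owner": "I", "Steward": "A", "Custodian": "A", "DPO": "I", "Consumer": ""},
    "upload to website":   {"Owner": "I", "Steward": "R", "Custodian": "R", "DPO": "",  "Consumer": ""},
}

if __name__ == "__main__":
    for action, defect in check_raci(SAMPLE_MATRIX):
        print(f"{action}: {defect}")
```

Run as a pre-merge check on the governance register, it flags the second row (two Accountables, no Responsible) and the third row (no Accountable) while passing the first.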

Data roles exist to prevent exactly the kind of accountability gap that the Cabinet Office breach demonstrated. When everyone assumes someone else is checking the data, nobody checks it. Clear role definitions turn that assumption into an assignable, auditable responsibility.

With the learning outcomes established, this module begins by examining core data roles in depth.

10.1 Core data roles

The DAMA (Data Management Association International) DMBOK2 defines four primary data roles that organisations need to fill. These may be dedicated positions or assigned responsibilities within existing roles.

The key distinction is accountability versus execution. Owners are accountable for the data. Stewards manage it day-to-day. Custodians maintain the technical infrastructure. Consumers use it.

Data governance is the exercise of authority, control, and shared decision-making over the management of data assets.

DAMA-DMBOK2, 2nd edition (2017) - Chapter 3, Data Governance

DAMA's definition emphasises 'shared decision-making' because data governance is not a single person's job. It requires a structured collaboration between owners (who set policy), stewards (who implement it), custodians (who manage infrastructure), and a governance committee (who resolves cross-domain disputes).

With an understanding of core data roles in place, the discussion can now turn to the data protection officer, which builds directly on these foundations.


10.2 The Data Protection Officer

The DPO (Data Protection Officer) is a statutory role defined in GDPR Articles 37-39. DPOs must have expert knowledge of data protection law, operate with independence, and report directly to the highest management level.

GDPR Article 37 requires a DPO when: (1) the processing is carried out by a public authority, (2) core activities involve regular and systematic monitoring of data subjects on a large scale, or (3) core activities involve processing special categories of data at scale. Examples include NHS trusts, credit reference agencies, and mental health treatment providers.

The DPO is not liable for breaches. Responsibility remains with the data controller. The DPO advises, monitors, trains, and acts as a contact point with the ICO.

The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised for performing his tasks. The data protection officer shall directly report to the highest management level.

GDPR Regulation (EU) 2016/679 - Article 38(3), Position of the data protection officer

This article ensures DPO independence. A DPO who reports to the IT director or is subordinate to the general counsel may face pressure not to raise compliance concerns. Direct reporting to the board removes that structural conflict.

Common misconception

Hiring a CDO means we have data governance covered.

A CDO (Chief Data Officer) without an operating governance structure, defined steward roles, or executive-level support cannot drive change. The CDO role requires organisational authority, not just a title. Similarly, the CDO and DPO roles should be separated: the CDO drives data use while the DPO ensures compliance. Combining both creates a conflict of interest.

With an understanding of the data protection officer in place, the discussion can now turn to governance maturity, which builds directly on these foundations.

10.3 Governance maturity

Data governance capability is not binary. The IBM Data Governance Council Maturity Model defines five levels:

  1. Initial: ad hoc data management, no formal governance
  2. Managed: basic policies exist but are inconsistently applied
  3. Defined: governance processes are documented and consistently followed
  4. Quantitatively managed: data quality is measured and reported against targets
  5. Optimising: continuous improvement using measurement data

Most UK organisations fall at levels 2 to 3. Level 4 and 5 organisations are predominantly in highly regulated sectors: financial services, pharmaceuticals, and large NHS trusts.

Common misconception

Data governance is just creating policies that nobody reads.

Governance without enforcement is indeed useless. But the purpose of governance is not documentation for its own sake. It is to create clear accountability (who decides?), consistent standards (what counts as quality?), and escalation paths (who resolves disputes?). The Cabinet Office breach occurred specifically because governance documentation did not exist for that workflow. The ICO did not ask for more policies; it asked for assigned accountability.


Key takeaways

  • Data owners are accountable for data domains. Stewards manage quality day-to-day. Custodians manage technical infrastructure. Consumers use the data. All four roles have distinct responsibilities defined by DAMA-DMBOK.
  • The GDPR DPO role is mandatory for public bodies, organisations conducting large-scale systematic monitoring, and processors of special category data at scale. DPOs must report to the highest management level and operate independently.
  • A RACI matrix assigns Responsible, Accountable, Consulted, and Informed roles to each governance decision, preventing the accountability gaps that caused the Cabinet Office Honours breach.
  • Governance maturity ranges from Level 1 (ad hoc) to Level 5 (optimising). Most UK organisations sit at levels 2 to 3. Advancing requires measurement infrastructure and executive authority to mandate change.

Standards and sources cited in this module

  1. DAMA-DMBOK2 (2017), Chapter 3, Data Governance. Definitions of the data owner, steward, custodian, and consumer roles used throughout this module.
  2. GDPR, Regulation (EU) 2016/679, Articles 37-39 (DPO designation, tasks, and position). Statutory DPO requirements: when appointment is mandatory, independence obligations, and reporting-line requirements.
  3. ICO, reprimand to the Cabinet Office (February 2020). Opening case study: the ICO found that the absence of designated roles for the publication workflow was the direct cause of the New Year Honours data breach.
  4. IBM Data Governance Council Maturity Model (2007). Five-level governance maturity framework adopted into DAMA guidance; used to assess organisational governance capability.
