Module 10 of 26 · Foundations

Roles and responsibilities

15 min read · 4 outcomes · Interactive RACI explorer + drag challenge · 4 standards cited

By the end of this module you will be able to:

  • Distinguish data owner, steward, custodian, and consumer using DAMA definitions
  • Describe the statutory DPO role and when GDPR requires it
  • Apply a RACI framework to a data governance decision
  • Explain why accountability gaps cause data governance failures

Data roles exist to prevent exactly the kind of accountability gap that the Cabinet Office breach demonstrated. When everyone assumes someone else is checking the data, nobody checks it. Clear role definitions turn that assumption into an assignable, auditable responsibility.

With the learning outcomes established, this module begins by examining core data roles in depth.

10.1 Core data roles

The DAMA (Data Management Association International) DMBOK2 defines four primary data roles that organisations need to fill. These may be dedicated positions or assigned responsibilities within existing roles.

The key distinction is accountability versus execution. Owners are accountable for the data. Stewards manage it day-to-day. Custodians maintain the technical infrastructure. Consumers use it. Explore each role in the interactive panel below.

Data governance is the exercise of authority, control, and shared decision-making over the management of data assets.

DAMA-DMBOK2, 2nd edition (2017) - Chapter 3, Data Governance

DAMA's definition emphasises 'shared decision-making' because data governance is not a single person's job. It requires a structured collaboration between owners (who set policy), stewards (who implement it), custodians (who manage infrastructure), and a governance committee (who resolves cross-domain disputes).

The next section turns to the data protection officer, a statutory role that sits alongside the DAMA roles defined above.

Data governance is a collaborative exercise. The governance committee brings together data owners, stewards, the DPO, legal, and IT to set policy and resolve cross-domain disputes.

10.2 The Data Protection Officer

The DPO (Data Protection Officer) is a statutory role defined in GDPR Articles 37-39. DPOs must have expert knowledge of data protection law, operate with independence, and report directly to the highest management level.

GDPR Article 37 requires a DPO when: (1) the processing is carried out by a public authority, (2) core activities involve regular and systematic monitoring of data subjects on a large scale, or (3) core activities involve processing special categories of data at scale. Examples include NHS trusts, credit reference agencies, and mental health treatment providers.

The DPO is not liable for breaches. Responsibility remains with the data controller. The DPO advises, monitors, trains, and acts as a contact point with the ICO.

The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised for performing his tasks. The data protection officer shall directly report to the highest management level.

GDPR Regulation (EU) 2016/679 - Article 38(3), Position of the data protection officer

This article ensures DPO independence. A DPO who reports to the IT director or is subordinate to the general counsel may face pressure not to raise compliance concerns. Direct reporting to the board removes that structural conflict.

Common misconception

Hiring a CDO means we have data governance covered.

A CDO (Chief Data Officer) without an operating governance structure, defined steward roles, or executive-level support cannot drive change. The CDO role requires organisational authority, not just a title. Similarly, the CDO and DPO roles should be separated: the CDO drives data use while the DPO ensures compliance. Combining both creates a conflict of interest.

The next section turns to governance maturity, which measures how consistently these roles and responsibilities are actually applied.

The Data Protection Officer advises on compliance, monitors processing activities, and acts as the contact point with the ICO. The role requires independence and direct reporting to the board.

10.3 Governance maturity

Data governance capability is not binary. The IBM Data Governance Council Maturity Model defines five levels:

  1. Initial: ad hoc data management, no formal governance
  2. Managed: basic policies exist but are inconsistently applied
  3. Defined: governance processes are documented and consistently followed
  4. Quantitatively managed: data quality is measured and reported against targets
  5. Optimising: continuous improvement using measurement data

Most UK organisations fall at levels 2 to 3. Level 4 and 5 organisations are predominantly in highly regulated sectors: financial services, pharmaceuticals, and large NHS trusts.

Common misconception

Data governance is just creating policies that nobody reads.

Governance without enforcement is indeed useless. But the purpose of governance is not documentation for its own sake. It is to create clear accountability (who decides?), consistent standards (what counts as quality?), and escalation paths (who resolves disputes?). The Cabinet Office breach occurred specifically because governance documentation did not exist for that workflow. The ICO did not ask for more policies; it asked for assigned accountability.


Key takeaways

  • Data owners are accountable for data domains. Stewards manage quality day-to-day. Custodians manage technical infrastructure. Consumers use the data. All four roles have distinct responsibilities defined by DAMA-DMBOK.
  • The GDPR DPO role is mandatory for public bodies, organisations conducting large-scale systematic monitoring, and processors of special category data at scale. DPOs must report to the highest management level and operate independently.
  • A RACI matrix assigns Responsible, Accountable, Consulted, and Informed roles to each governance decision, preventing the accountability gaps that caused the Cabinet Office Honours breach.
  • Governance maturity ranges from Level 1 (ad hoc) to Level 5 (optimising). Most UK organisations sit at levels 2 to 3. Advancing requires measurement infrastructure and executive authority to mandate change.

Standards and sources cited in this module

  1. DAMA-DMBOK2 (2017)

    Chapter 3, Data Governance

    Definitions of data owner, steward, custodian, and consumer roles used throughout this module.

  2. GDPR Regulation (EU) 2016/679

    Articles 37-39 (DPO designation, tasks, and position)

    Statutory DPO requirements: when appointment is mandatory, independence obligations, and reporting line requirements.

  3. ICO, reprimand to Cabinet Office (February 2020)

    Opening case study. The ICO found that the absence of designated roles for the publication workflow was the direct cause of the New Year Honours data breach.

  4. IBM Data Governance Council Maturity Model (2007)

    Five-level governance maturity framework adopted into DAMA guidance. Used to assess organisational governance capability.
