OliLue
Newcomer III

Who pays for the data owner request

Dear all,

 

What happens if the data owner requires measures which are not implemented in the current infrastructure? Is the system owner responsible for providing systems which cover the requirements? So there has to be an investment in new systems and/or technology? Or does the data owner only have the possibility of requirements which are within the current possibilities of the existing architecture?

Maybe there is an agreement between both? But who has the lead, the data owner or the system owner?

 

Do you have an answer to this?

 

Best regards

OliLue

6 Replies
Caute_cautim
Community Champion

@OliLue   From which context are you coming?  Privacy legislation, i.e. GDPR, or something else?

 

Or from a standards perspective: ISO 27001, 27017, 27018.

 

NIST?

 

Or are you coming from a general perspective?

 

Is there a mandate driving the data owner's request, i.e. legislative, compliance, standards etc.?

 

If the data owner is responsible for the asset, they have overall responsibility for ensuring that correct protective controls are applied in accordance with an agreed risk management approach, i.e. risk, threat and impact etc.

 

The data owner will have to highlight to the Financial Officer, that they are at risk of incurring a penalty or potentially a data breach, if certain protective measures are not put in place.  The data owner may leverage the Chief Information Security Officer (CISO) influence for their support in the case, if they existed too.

 

One perspective is if the data asset resides on a system which is owned and managed by a Cloud Provider; another is where it is a shared responsibility, with a system owner responsible for the infrastructure for that organisation or even a partner.

 

The data owner would have to formally indicate to the system owner and the financial officer their responsibilities for protecting the stated data asset, and clearly articulate the ramifications or impact if the correct protective measures were not put in place - which may result in a public incident having to be notified to the appropriate authorities, should it occur, or penalties being incurred by the organisation.

 

Of course, the system owner and the financial officer could decide to ignore, mitigate, or transfer the risk as the agreed approach to resolve the situation.  However, they would have to make an agreed decision, after ensuring all avenues have been explored and the implications understood before making a firm decision.

 

The data asset's value would have to be ascertained as part of the organisation's ongoing risk management assessments etc.

 

Regards

 

Caute_Cautim

Early_Adopter
Community Champion

Bottom Line Up Front - The CFO pays for it.

As C_C points out, context is important, but let’s go worst case from a regulatory standpoint.

Infighting/push-me, pull-me/whose-budget brinksmanship on an organisational mandate for data protection (let’s assume GDPR, PDPA, PIPL etc.) where the fine can be up to 2%, 4%, 5% or even 10% of global/local turnover for one instance of a problem seems like a real false economy. If a complaint/issue is upheld and you get caught again - ouch, same fine but higher, and this generally doesn’t prevent your subjects from suing you as well.

If you’re in the US and you dance with the FTC on this they’ll negotiate a consent decree with you, you breach that and well:

https://www.wsj.com/articles/ftc-approves-roughly-5-billion-facebook-settlement-11562960538

This is still ongoing and it’s very likely not going to end well for Meta:

https://www.reuters.com/legal/transactional/ftc-can-reopen-meta-privacy-case-despite-5-bln-fine-cour...

The FTC can ask the courts to sue for billions or even trillions on a per record basis. (While it’s theoretically possible it’s more likely that it will end up with a consent decree in which Meta agrees not to monetise the data of minors.)

So the Data Owner and System Owner should come to an agreement and make sure the right controls are put in place, asking for fresh budget if “Money No Enough.”

Having System and Data Owners realise it’s us/we rather than they/them is critical.

OliLue
Newcomer III

Thanks for your feedback.

As always, Caute_cautim, your view and your arguments are clear and I got the idea of how it should be. Clearly, if you have legal, regulatory or government requirements, or also market requirements, you have to go that way and implement the safeguards and countermeasures.

 

Thanks for your point and feedback

OliLue
Newcomer III

Thanks for your point, Early_Adopter.

 

I think the discussion and decision has to go as described in your post.

 

Thank 

Caute_cautim
Community Champion

@OliLue    But make sure you have done your own risk assessment to support your case when presenting it to the CFO or board.

 

Regards

 

Caute_Cautim

denbesten
Community Champion

To be fair, the CFO ('s delegate) probably writes the check and debits it from some department's budget, but in the end, it is the customer that supplies the money to pay the bill.