Data Management and Compliance (Domain 5)

Strong cybersecurity begins with knowing your data. What you have, where it lives, who owns it, and how long it should be kept—these are all fundamental questions for achieving compliance and securing your organization. Without clear answers, organizations struggle to meet legal obligations, enforce policy, or respond to incidents. In this episode, we focus on two essential aspects of data management and compliance: defining data ownership and maintaining accurate inventories, and securely managing data retention and the right to be forgotten.
Let’s begin with data ownership and inventory. In any organization, data is one of the most valuable assets—but also one of the most difficult to manage. Business units generate and consume massive amounts of information across email systems, databases, file shares, cloud services, and mobile devices. Without clear data ownership, no one is accountable for maintaining security controls, monitoring access, or ensuring compliance with data handling policies.
Data ownership means assigning responsibility for specific sets of data to defined roles. These roles may be assigned to business leaders, system administrators, department heads, or other data stewards. The owner is responsible for classifying the data, determining who has access to it, and ensuring it is protected in line with organizational policies and applicable regulations.
Ownership is not about technical control—it’s about decision-making. The owner may not configure the servers or manage user accounts, but they decide what security level is appropriate, how long the data should be retained, and how access is granted or revoked. This distinction helps separate strategic responsibility from operational execution.
Let’s consider a practical example. In a university, the registrar’s office maintains student academic records. The registrar is the data owner. They determine the sensitivity of that data, approve who in the faculty and administrative staff can access it, and ensure that privacy laws like the Family Educational Rights and Privacy Act are followed. The IT team might handle backup and encryption—but the registrar owns the decisions about access and policy.
Alongside ownership, organizations must also maintain an accurate data inventory. A data inventory is a detailed record of what data exists, where it is stored, what format it takes, and how it flows across systems. This includes structured data in databases, unstructured data in file shares, and metadata that describes or relates to other data.
A complete inventory should include classification labels—such as public, internal, confidential, or regulated—as well as indicators of who owns the data, how it is protected, and how often it is reviewed. For compliance purposes, it should also include whether the data is subject to specific laws such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, or the Payment Card Industry Data Security Standard.
Why is inventory so important? Because you cannot secure what you do not know you have. When an auditor asks for evidence of access controls for regulated data, or when a regulator requests information about how data subject rights are handled, your inventory is your first and best source of truth.
Let’s explore a real-world scenario. A mid-sized healthcare provider is undergoing a privacy assessment. When asked to provide a list of all locations where patient data is stored, they initially struggle—because departments have developed ad hoc systems and saved files locally without central oversight. The compliance team initiates a data discovery process, uses automated tools to scan systems, and builds a data inventory. Once complete, they assign owners to each data set, document storage locations, and establish review cycles. This effort not only improves compliance readiness—it also helps the organization respond more quickly to access requests and potential breaches.
Now let’s turn to data retention and the right to be forgotten. These are two closely related compliance issues that deal with how long data is kept and how individuals can exercise control over their personal information.
Data retention refers to how long data must be kept to meet legal, operational, or business requirements. Different types of data are subject to different retention rules. For example, tax records may need to be kept for seven years under financial laws. Employee payroll data might be retained for five years after termination. Email records, depending on jurisdiction and content, may have no mandated retention period—or may require extended archiving.
Organizations must define retention schedules for each data type, automate enforcement when possible, and monitor compliance. Retention schedules should be based on input from legal, compliance, records management, and business units. Failure to follow proper retention policies can lead to penalties, especially if data is deleted too soon—or kept too long in violation of privacy laws.
On the other side of the retention issue is the right to be forgotten. Under laws like the General Data Protection Regulation, individuals have the right to request deletion of their personal data in certain circumstances. This might include when the data is no longer needed, when consent is withdrawn, or when data is being processed unlawfully.
Complying with right to be forgotten requests means having the tools, policies, and processes in place to locate personal data and delete it securely across all systems. This is much easier when ownership and inventory are already in place. Without those elements, organizations may be unable to identify where data resides—or may delete the wrong data, leading to further violations.
Let’s consider a real-world example. A user contacts a European e-commerce site to request deletion of their personal profile and order history. Under the General Data Protection Regulation, the company is obligated to fulfill the request unless there is a legal reason to retain the data. Because the company has an accurate inventory, it quickly locates the data across its database, CRM platform, and backup systems. A deletion process is triggered, the data is removed, and the user receives confirmation. This streamlined response demonstrates compliance, reduces legal risk, and improves customer trust.
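To make the retention-schedule and deletion-request handling concrete, here is an added example (not code from the episode or from any product it mentions) that models a small data inventory with owners and retention clocks, flags records whose mandated period has elapsed, and answers an erasure request copy by copy, retaining only where a legal hold or an unexpired mandated period applies. The retention years for "profile", the TODAY date, the locations and the subject ids are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
# Mandated minimum retention in years per data type; None means no mandated period (keep only while needed).
# The 7-year tax and 5-year payroll figures follow the episode; "profile" is a constructed entry.
RETENTION_YEARS = {"tax_record": 7, "payroll": 5, "profile": None}
TODAY = date(2025, 6, 1)  # constructed reference date for the sample run

@dataclass
class DataRecord:  # one inventory entry: one copy of a data set in one location
    location: str     # system or path where this copy lives
    data_type: str
    owner: str        # accountable data owner, not the admin who runs the system
    subject_id: str   # person the record is about ("" for non-personal data)
    clock_start: date # event that starts the retention clock (filing, termination)
    legal_hold: bool = False

def retention_expired(rec: DataRecord, today: date = TODAY) -> bool:
    years = RETENTION_YEARS[rec.data_type]
    if years is None:
        return True  # nothing mandates keeping it
    try:
        end = rec.clock_start.replace(year=rec.clock_start.year + years)
    except ValueError:  # clock started on 29 Feb: period ends 1 Mar
        end = rec.clock_start.replace(year=rec.clock_start.year + years, month=3, day=1)
    return today >= end

def due_for_disposal(inventory, today=TODAY):
    """Records past a mandated period and not on legal hold: candidates for scheduled deletion."""
    return [r for r in inventory if RETENTION_YEARS[r.data_type] is not None
            and retention_expired(r, today) and not r.legal_hold]

def erasure_request(inventory, subject_id, today=TODAY):
    """Right-to-be-forgotten handling: erase every copy unless a legal reason blocks it."""
    erased, retained = [], {}
    for r in (x for x in inventory if x.subject_id == subject_id):
        if r.legal_hold:
            retained[r.location] = "legal hold"
        elif not retention_expired(r, today):
            retained[r.location] = f"mandated retention for {r.data_type} not elapsed"
        else:
            erased.append(r.location)
    return erased, retained

# Constructed sample inventory: subject u-123 has copies in three systems.
INVENTORY = [
    DataRecord("erp/tax/2017", "tax_record", "Finance", "", date(2017, 4, 15)),
    DataRecord("hr/payroll", "payroll", "HR", "emp-42", date(2022, 3, 31)),
    DataRecord("db/profiles", "profile", "Marketing", "u-123", date(2024, 1, 9)),
    DataRecord("erp/tax/2023", "tax_record", "Finance", "u-123", date(2023, 4, 15)),
    DataRecord("backup/profiles", "profile", "Marketing", "u-123", date(2024, 1, 9), legal_hold=True),
]
```

Running `erasure_request(INVENTORY, "u-123")` erases the profile in the live database but reports the 2023 tax record and the held backup copy as retained with their reasons, which is the evidence trail an auditor or regulator would ask for.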
Contrast that with a different scenario. A financial services firm receives a similar request but cannot locate all copies of the user’s data. Some of it lives in archived email, some in shadow IT spreadsheets, and some in legacy systems with no deletion process. The delay leads to regulatory inquiries and fines. The problem wasn’t intent—it was poor data management.
These cases show how retention and deletion are not just legal issues—they’re technical and operational challenges that require planning and coordination.
From a Security Plus exam perspective, be ready to identify the importance of data ownership, the role of inventories, and how compliance relates to data lifecycle management. Expect questions that describe a scenario where a data deletion request is submitted or where a retention policy is violated. Be prepared to distinguish between technical controls and governance responsibilities.
Here’s a quick tip. If the scenario focuses on who decides how data is used, it’s about ownership. If it talks about where data is stored, that’s about inventory. If it involves how long data is kept, think retention. And if it involves a request to remove personal data, it’s about the right to be forgotten.
For templates on creating data inventories, sample retention schedules, and step-by-step right to be forgotten response checklists, visit us at Bare Metal Cyber dot com. And for the most comprehensive, exam-ready Security Plus guide—complete with compliance case studies and hundreds of practice questions—go to Cyber Author dot me and pick up your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success.