How they map to Epical’s five pillars and the four hard questions
A practical role model that ties directly to the four hard questions and Epical’s five pillars: Find → Classify → Protect → Govern → Facilitate.
In the earlier four hard questions article, the leadership test was simple:
- Do we know what data we have and where it lives?
- Do we know who owns it and manages its lifecycle?
- Do we know what to protect — and how?
- Is this done persistently and efficiently across the organization?
When the answer to any of those questions is “not sure,” the issue is often not the tooling. It is usually unclear decision rights. In practice, that confusion often appears in three role names that sound similar but serve different purposes in a Data Trust operating model: Data Owner, Data Steward, and Data Custodian.
A practical way to understand them is this:
- Data Owner — who decides
- Data Steward — who makes governance work day to day
- Data Custodian — who implements and proves controls
This matters because effective data governance roles and responsibilities are a prerequisite for a practical Data Trust operating model, stronger data governance and lifecycle management, and support for AI readiness, compliance, and repeatable decision-making. Microsoft’s governance overview explicitly states that data governance ensures data is discoverable, accurate, trusted, and protected, and it describes a federated model in which central rules and distributed domain responsibility work together.
Why these three roles matter
The five pillars — Find, Classify, Protect, Govern, Facilitate — describe an operating model. But every operating model also needs three practical elements:
- Decision rights — someone can approve, reject, or accept risk.
- Daily stewardship work — someone keeps definitions, routines, and quality practices in motion.
- Proof of implementation — someone can show what is configured, enforced, reviewed, and retained.
That is why the distinction between Data Owner, Data Steward, and Data Custodian is not just a terminology question. It is a practical model for assigning authority, daily governance, and technical evidence in a way that makes Data Trust operational rather than aspirational.
1) Data Owner — who decides
In this model, the Data Owner is the business decision-maker for a data domain — such as customer, asset, metering, or finance — or for a data product. The role is responsible for the business-side decisions that determine how the data should be used and governed.
The role typically decides three core things:
- Purpose — why the data is collected or used, and what “allowed use” means.
- Access — who should access the data and under what conditions.
- Lifecycle — how long the data should be retained and when it should be archived or deleted.
The Data Owner does not need to configure platforms or administer technical controls. In this role model, the owner defines the rules and accepts the risk associated with those business decisions. That is directionally consistent with NIST’s information owner concept, which describes an authority responsible for establishing controls for the generation, collection, processing, dissemination, and disposal of information.
2) Data Steward — who makes governance real in daily work
The Data Steward turns governance into daily routines. This role is usually close to both the data and the business process, and it is central to practical data governance and lifecycle management.
Typical stewardship responsibilities include:
- maintaining definitions and metadata,
- monitoring and improving data quality,
- coordinating access requests and exceptions,
- keeping documentation current and usable.
Microsoft’s governance-domain documentation also assigns Data Steward permissions to users who curate business concepts such as glossary terms and governance metadata, which aligns well with the stewardship function described here.
The practical value of the Data Steward role is simple: it prevents governance from becoming a policy-only exercise. Stewardship is what keeps rules understandable, definitions current, quality issues visible, and exceptions manageable in day-to-day work.
3) Data Custodian — who implements and proves
The Data Custodian is the technical owner of the platform layer — typically in IT, security, platform engineering, or operations. This role implements and evidences the controls that make governance enforceable.
Typical custodial responsibilities include:
- configuring access controls, logging, and monitoring,
- managing secure storage, encryption, and backups,
- implementing retention, archiving, and deletion rules decided by the owner,
- producing evidence such as audit logs, access-review reports, and retention reports.
This is what makes practical risk-based data protection possible. The custodian is the role that turns policies and classifications into configured controls and verifiable enforcement.
How these roles answer the four hard questions
Q1) Do we know what data we have and where it lives?
- Data Owner sponsors prioritization, for example by deciding which datasets or domains matter first.
- Data Steward defines what belongs to the domain or data product and what should be cataloged.
- Data Custodian provides system inventory, repository locations, lineage, and technical metadata.
This role split supports the Find pillar because it combines business prioritization, domain clarity, and technical inventory. Microsoft’s governance-domain model similarly connects ownership, discovery, data products, and governance context.
Q2) Do we know who owns it and manages its lifecycle?
- Data Owner is the named accountable role.
- Data Steward runs lifecycle routines and exception handling in practice.
- Data Custodian enforces lifecycle rules on the platform and provides evidence that they are applied.
That is how data ownership and stewardship become visible and durable rather than inform
Q3) Do we know what to protect — and how?
- Data Owner sets the access intent and the business-side risk thresholds.
- Data Steward ensures that labels, classifications, and usage guidance match real business use.
- Data Custodian implements access controls, encryption or masking, and monitoring — and can show the evidence.
This is the heart of a practical GDPR/NIS2-ready data governance model: the owner decides, the steward makes it workable, and the custodian makes it enforceable.
Q4) Is this persistent and efficient across the organization?
- Data Owner approves rules and delegations so decisions do not bottleneck.
- Data Steward keeps governance running day to day.
- Data Custodian automates enforcement and reporting where appropriate.
That is how a Data Trust operating model becomes repeatable across domains, teams, and platforms.
The same roles mapped to Epical’s five pillars
Pillar 1 — Find (visibility and inventory)
- Owner: decides what is in scope and what matters most from a business-criticality perspective.
- Steward: validates domain boundaries and ownership signals and helps resolve unknown datasets.
- Custodian: runs discovery tooling and provides repository lists, metadata, and technical lineage where available.
Pillar 2 — Classify (meaning and handling rules)
- Owner: approves the classification policy for the domain and defines allowed use.
- Steward: applies or validates labels, definitions, and exceptions.
- Custodian: implements classification technology or control alignment where relevant.
Pillar 3 — Protect (controls aligned to risk)
- Owner: defines access principles, risk thresholds, and escalation rules.
- Steward: ensures the controls fit real work and reduces the need for workarounds.
- Custodian: configures access, encryption or masking, monitoring, and evidence collection.
Pillar 4 — Govern (decision rights and lifecycle that stick)
- Owner: owns decision rights, lifecycle intent, and key exceptions.
- Steward: runs access reviews, lifecycle reviews, policy upkeep, and decision logs.
- Custodian: enforces retention policies, performs technical reviews, and produces compliance-oriented reports.
Pillar 5 — Facilitate (adoption and behavior)
- Owner: sponsors the why, aligns incentives, and removes blockers.
- Steward: creates role-based guidance, runs clinics, and collects feedback.
- Custodian: improves usability through safe self-service, standards, templates, and friction reduction where appropriate.
Final takeaway
Clear data governance roles and responsibilities turn the five pillars into a working system. The Data Owner defines intent and accepts risk. The Data Steward translates intent into daily governance routines. The Data Custodian implements and evidences the controls that make those decisions real.
When those roles are clear, the four hard questions become easier to answer — and Data Trust becomes more than an aspiration. It becomes an operating model that supports discoverability, ownership, protection, lifecycle discipline, and practical readiness for analytics, AI, and compliance.
Contact us
Mika Käck
Principal Advisor, Epical