Four roles, no jargon. Understanding yours takes about five minutes and makes a real difference.
Data protection at KAUST is not just an IT responsibility. Everyone who creates, manages, or works with data has a part to play. Most people are already doing it, just without a name for what they are doing.
There are four roles. Here is what each one looks like in practice.
Data Owner
Data Steward
Data Custodian
Data User
Think of the data owner as the person who is ultimately responsible for a piece of information. Not responsible for storing it or protecting the systems it lives in, but responsible for the decisions around it. Who should have access? How sensitive is it? How should it be handled?
Ownership often belongs to senior people, researchers with datasets, or department leads. But it can apply to anyone. If you created a document with sensitive information, compiled a dataset, or built a process that collects personal data, you are the owner of that information. It does not matter what your job title is.
In practice this mostly means one thing: be thoughtful about what you have, and be deliberate about who you give access to.
A data steward is the person with day-to-day responsibility for a specific area of data. Where the owner sets the direction, the steward makes sure things actually work that way on the ground.
At KAUST this often means the manager or team lead who handles access for their group. When someone joins the team, you get them set up. When their role changes, you make sure their access reflects that. When they move to a different department, you let the right people know so nothing gets left open by accident. For contractors or temporary staff, you put an end date on their access from day one.
None of this requires technical knowledge. It is mostly about not letting things fall through the cracks. The file that a former team member still has access to six months after moving on almost always comes down to one missed conversation.
A custodian is responsible for the systems and environments where data lives. This is typically an IT or technical role, covering the infrastructure, access controls, and security settings that keep data safe at the platform level.
If you manage a SharePoint site, a shared drive, or any space where your team stores and accesses files, you are taking on a version of this role for that environment. That means checking from time to time that the right people still have access and the wrong people do not, and making sure the space is not open to more people than it needs to be.
A simple way to think about it: you would not leave your office unlocked with sensitive documents on the desk. A shared site with outdated permissions is the digital version of exactly that.
Most people at KAUST fall into this category for most of the data they interact with every day. Being a data user means you have access to information that someone else owns or manages. The expectation is straightforward: use it for the reason it was shared, handle it with the care its classification requires, and do not pass it along to people who were not meant to have it.
If you are not sure how sensitive something is, treat it as more sensitive rather than less until you find out. That one habit closes a lot of gaps.
Most people play more than one role at the same time
A researcher might own their lab's datasets, act as steward for their team's access, and be a regular user of the university's finance tools, all on the same day. That is completely normal.
What matters is knowing which hat you are wearing in a given situation. The owner hat means making decisions. The steward hat means keeping things running correctly. The custodian hat means keeping the environment secure and tidy. The user hat means handling things with care.
