
When personal data is involved, one question matters more than anything else:
Who is responsible?
Not who stores the data.
Not who processes it.
But who decides what happens to it.
Why This Matters
In cybersecurity, protecting data is important.
But in privacy, accountability is everything.
Many organisations struggle not because they lack controls, but because they lack clarity on:
- Who owns the decision to collect and use the data
- Who executes the processing
- Whose personal data it is
The CISSP exam tests this distinction directly.
A Simple Analogy: A Food Delivery Platform
Think of a food delivery app:
- You place an order
- The app decides how orders are handled
- The restaurant prepares the food
- The delivery partner delivers it
Now map this to data:
- You → Data Subject
- App → Data Controller (it decides why and how order data is used)
- Restaurant / delivery partner → Data Processor (they handle your details only to fulfil the order the app passes to them)
Each role is different.
Each has a distinct responsibility.
One caveat: the analogy is deliberately simplified. In a real platform the restaurant may also act as a controller for its own customer records; the test is always who decides purpose and means, not what kind of business the party is.
Data Controller – The Decision Maker
The Data Controller determines:
- Why data is collected
- What data is collected
- How the data will be used
Responsibilities include:
- Defining the purpose of processing
- Establishing a lawful basis for that processing
- Protecting data subject rights
- Selecting processors and instructing them in writing (a data processing agreement)
- Ensuring compliance with applicable regulations
Key CISSP principle:
The Controller is accountable, even when the processing is outsourced.
They define the “why” and “what”.
Data Processor – The Executor
The Data Processor acts on behalf of the controller.
Responsibilities include:
- Processing data only on the controller’s documented instructions
- Maintaining appropriate security controls
- Protecting data during processing and returning or deleting it when the service ends
- Notifying the controller of breaches and engaging sub-processors only with the controller’s authorisation
Examples:
- Cloud providers
- SaaS platforms
- Third-party vendors
Important:
Processors do not decide purpose.
They execute it.
A processor that starts using the data for its own purposes (for example, mining customer records to build its own product) has stepped into the controller role for that use, and takes on the controller’s accountability with it. Note also that the same organisation can hold both roles at once: a cloud provider is a processor for its customers’ hosted data but a controller for its own account and billing data.
Data Subject – The Individual
The Data Subject is the identifiable person whose data is being processed.
They do not operate the system.
They are the reason the system exists.
Rights typically include:
- Access to their data
- Correction of inaccurate data
- Erasure (where no overriding legal basis requires retention)
- Withdrawal of consent, where consent is the lawful basis
CISSP focus:
Privacy is about protecting the individual.
The Core Difference
Let’s simplify:
- Controller → Decides purpose
- Processor → Executes processing
- Subject → The person the personal data is about
Or even simpler:
- Controller defines “why”
- Processor handles “how”
- Subject is “who”
One exam trap: CISSP also uses the term “data owner” for the internal role (usually a senior manager) accountable for classifying and protecting a data set. That is an organisational role, not the data subject. Read the question for which of the two is meant.
Why This Structure Matters
Without clear roles:
- Compliance fails
- Accountability is unclear
- Data misuse increases
With clear roles:
- Governance improves
- Legal risk reduces
- Privacy becomes enforceable
How This Appears in the CISSP Exam
CISSP will test this in scenarios like:
- Who determines purpose? → Controller
- Who processes data on another’s behalf? → Processor
- Whose personal data is it? → Subject
Your approach:
- Identify decision-making authority
- Identify execution responsibility
- Identify the individual the data describes
Key Takeaway
If you remember one concept, remember this:
The controller decides.
The processor executes.
The subject is protected.
🎧 Listen to the Podcast
This article is part of the CISSP Blogpost and Podcast Series.
The podcast explains this concept using real-world analogies and exam-focused scenarios in a structured format.
Search on Spotify:
PK’s Chronicles
Final Thought
Privacy is not just about securing data.
It’s about understanding:
- Who controls it
- Who processes it
- Who must be protected
Because without clarity in roles, there is no accountability.
Think roles.
Think responsibility.
Think like a CISSP.