There is no formal requirement for a Service Owner, but it is worth giving responsibility and ownership to someone, bearing in mind the following:
- Will the system require specific configuration or special training of users as part of the mitigation of security or data privacy risks?
- TPSAs need to be revisited every few years
- DPAs/DPIAs should be revisited if the system changes or your use of the system changes
- You should review access and logins every year to ensure that accounts haven’t been abandoned and to check whether people who have left still need access
- Are your back-up, retention and deletion schedules working appropriately?
This role might overlap with that of Information Asset Administrator.