All sounds good, however... For a large organization such rules become impractical. To get full security there will be so much administrative overhead of approving access to a given area for so much time and back, that if you played by the rules you wouldn't get your job done in a timely manner. So you end up with "black market" IT where people will store backups of the data in, say, Access or Excel files, and keep them hidden from the official system. Not because they have nefarious use of them, but because they will need to get their job done, and the official secure way is too impractical.
So let's say you were tasked to figure out if it was worth it to accept American Express, as AE charges a lot for its transactions. So you may need to figure out some numbers.
% of customers with AE
Average spending with AE
Average spending in total
Standard dev of spending with AE
Standard dev of spending total
Now because someone dropped the ball you will need this data quickly.
Putting a request to get this data may take days.