A constantly changing regulatory environment has become the “new normal” for data privacy. Consumers are demanding more protection and accountability. And with the flood of all the new and changing privacy regulations, data has become the newest regulated asset class.
Today, risk, security and data protection officers are responsible for planning, deploying and managing enterprise-wide data privacy and security programs. However, without buy-in from executive management — as well as participation from multi-departmental data stakeholders — the security program will probably not be able to effectively preserve and secure private and sensitive data, inevitably leading to an organization in regulatory non-compliance or falling victim to a data breach.
A Good Data Policy Offers Protection And Assurance
An effective security policy is put into practice throughout the organization. The policy defines the standards to which the organization will adhere and strive to follow. Data privacy and security policies must denote clarity, inclusiveness and well-defined procedures, rules and methods for regulating access to corporate systems and applications. A good policy protects customer, employee and third-party data. These policies are also testimony to investors, business stakeholders and the public at large about the organization’s commitment to data protection and privacy.
There are two operational approaches to data privacy and security. The first builds policies for various types of data and then determines access-level permissions. With this method, you would then look for any data that fits that criterion. Conversely, the other approach looks at all data, analyzes and identifies the different types, classifies and makes policy decisions on what to do with the data.
1. The Policy-First Approach
Addressing regulatory and compliance requirements is straightforward and often easily conquered with a robust policy. The policy will genuinely address the key areas and define the controls to put in place. These controls are built to target the areas defined by the requirements.
The limitation of building a policy-first data privacy approach is that it can impede the organization’s ability to discover data that doesn’t match predefined policy. Creating policies before you know what data exists is like a doctor prescribing medicine to a patient they’ve not diagnosed. To compensate, policies may be overly broad and less accurate. Ultimately, it could require more time and money to build additional guidance for data that you didn’t know you had.
2. The Data-First Approach
A data-first privacy and security program will have detailed and documented knowledge of all the elements that comprise the organization’s data ecosystem. It also features an acute understanding of the who, what, why, where and how of data collection and security measures and when it’s appropriate to delete data.
Private consumer data and sensitive corporate secrets are captured and used by various stakeholders throughout an organization — from human resources, product development and engineering to sales and marketing. Unfortunately, because of the many data-flows, changing formats and ways data is applied and stored, most organizations have a far from a complete picture of the data they hold.
Finding all the personal and sensitive corporate data stored in myriad places within a large enterprise can be an overwhelming challenge. Efficiently gathering data within corporate systems spread across multiple divisions, departments, and on-premises and cloud locations requires an approach capable of examining all types of unstructured and structured data and diverse systems, no matter where they’re located.
Bringing It All Together
A much more effective and comprehensive result can be achieved by examining the data first, then building policy criteria based upon all the data. Cataloging and securing all data will make it easier to satisfy compliance requirements. Whereas, if you just fulfill privacy mandates, you still need to secure sensitive data that doesn’t fall under privacy regulations. This includes intellectual property, copyrights, patents, trademarks, trade secrets, sales and marketing plans, product plans, patentable inventions, competitive information, financial data and more.
The key to protecting data is understanding the information about your data. Identity management systems provide IT teams with tools and technologies to control access to customer and employee data, and corporate secrets. Identity is a meta-foundational layer for data. Knowing who created it, who has access to it and what people do with it can all be tied back into identity. Think of it this way: I trust company A with my data because I know the company, and they agreed to use my data in a certain way. However, I may not trust company B to that same degree. It’s the same data, but a different and lesser-known company is using it.
Lastly, finding and deleting sensitive data that is no longer needed is an essential form of business protection. Removing data that has become stale and aged beyond its retention period will help effectively avoid any audit or compliance violations.
(2) Security Intelligence