In anticipation of new data privacy and cyber-attack regulations, and to better safeguard their sensitive data, companies are increasing their data management efforts. The first step—identifying what they have—may be the hardest.

In this era of data proliferation, companies are struggling to get a handle on the information they are creating and collecting, in an attempt to make sense of it all. Most companies begin by mapping the data they have. Mapping consists of categorizing the information in terms of sensitivity and usefulness, and in most cases, purging what isn't needed.

Even though companies today are putting more time and effort into understanding what data they have and the systems in which they reside, “it's still a struggle, especially for the larger companies that have a lot of legacy data that's been around for a long time,” says Eric Dieterich, who leads the data privacy practice for Sunera, a provider of business consulting and technology risk-management services.

While the process can be daunting, breaking it into pieces can make it more manageable. Chris Babel, chief executive officer of online privacy solutions provider TRUSTe, says some companies approach the data-mapping process as having to locate all of their databases at once to find where the data sits. “What I think helps people much better,” he says, “is to try to tackle it by business process.” More and more companies are adopting a concept called “privacy-by-design,” in which privacy is planned and implemented in the earliest stages of a business process, he says.

Understanding where data is located is important to understanding what controls need to be put in place from a data loss prevention standpoint. Companies can better understand the data lifecycle process by asking each business unit the following questions:

What sort of information are you collecting?

How is that data being collected?

Where is that data being stored?

Is the data being encrypted as it moves between systems?

How are you using that data?

Who has access to it (e.g., is it being shared)?

What are the destruction or retention policies related to that data?

“Asking good questions really helps to fully understand the information lifecycle,” says Dieterich.

Take the collection of customer data as an example. The kinds of questions to ask the sales and marketing team may include: What kind of details is the customer providing (e.g., name, address, credit card number)? How do customers submit orders (e.g., website transactions, call centers, electronic data feeds)? What happens to the information from there? Is it being shared with a third party?

The job applicant recruiting process is another example. What kind of personally identifiable information are you gathering from the applicant? How is that data being collected—are you writing on a form or collecting it electronically? Are you working with a third-party vendor for payroll, annual reviews, and compensation purposes? How are they handling that data? 

For multinational companies with offices across multiple geographic locations, where it's not realistic to meet with hundreds of people, surveys are the most effective method for getting answers to these data lifecycle questions, says Dieterich.

“A survey method allows you to hit a broader audience and get more coverage,” says Dieterich. The more multiple choice questions you have, the better for when it's time to do analytics on the back end, he says.

In addition to the business processes associated with data mapping, the technology infrastructure component is also important “to make sure you understand the systems and the databases behind the scenes that you may not be aware of,” says Emily Mossburg, principal in Deloitte's Security & Privacy practice.

Danny Miller, partner and national cyber-security and privacy practice leader at Grant Thornton, says clients are always “shocked” to find privacy data in places they weren't aware of, such as laptops and thumb drives.

Employees aren't always aware of what data is sensitive and what needs to be secured, Miller adds, so the onus is on the company to put the proper controls in place. “In almost every case, whether it's a big company or a small company, we will implement a data leakage prevention tool,” he says.

Security and privacy experts agree that where data should—and should not—be stored is not as important as how it is stored. “As opposed to there being hard and fast rules where the data should be, the focus is really about figuring out from a business perspective where it absolutely needs to be,” says Mossburg.

BEST PRACTICES

Below is a list of “Dos and Don'ts” and best practices from TRUSTe for implementing Privacy by Design.

You may already be aware of these core tenets of Privacy By Design. It is not rocket science.

However, the rules and regulations imposed by external authorities are constantly in flux. You may already know that if your organization is exchanging personally identifiable information (PII) data related to European branches or customers, your burdens of understanding and certification are more complex than if you focus solely on the United States. You may not be aware yet, however, that the EU is modernizing its Data Protection Directive and moving toward instituting a regulation requiring the same policy for all the member states—instead of 27 different data laws. Under the proposed regulation, companies will be required to appoint a Data Protection Officer (DPO) who has a specifically mandated responsibility to ensure that companies comply with the regulation. Change is the norm so:

DON'T

Assume that as long as nobody steals PII off of your servers in the night that you're safe.

Wait until the last minute to run through a privacy checklist that you find somewhere on the internet before you launch a new product or marketing campaign.

Expect marketing pros, product managers, and engineers to instinctively make the right choices about PII based on their standard education and experience.

Rely on a snapshot of what it all means at a specific point in time and then assume that you know it all.

DO

Hire a Chief Privacy Officer or empower another executive in your organization to serve in this capacity. Have her or him consult with TRUSTe or other privacy experts about Privacy By Design so that it can be properly evangelized throughout your ranks.

Mandate from the top down that you believe Privacy by Design is a philosophy your entire organization must wholeheartedly embrace to build trust in order to survive and thrive in the modern business environment.

Identify privacy champions in every functional group of your organization and educate them on the power of privacy and the power of choice under that umbrella.

Nurture and reward those who embrace privacy as a business enabler every time they can demonstrate to you that your business is more successful because privacy is at the center of your vision and decision making.

Source: TRUSTe.

“What's important is balancing that decision with the appropriate controls so that the organization is protected,” says Leizerov. For example, if employees travel a lot and need to keep sensitive information on portable devices, make sure to have a security mechanism on the device in the event that it gets lost or stolen, he says.

Dieterich says a good starting point is to appoint a “privacy champion” within the organization, who is responsible for meeting and working with each business unit leader to map data flow in each department. Typically, this individual resides in the privacy, compliance, legal, or IT department.

Having one person, rather than multiple groups, lead the data mapping process helps ensure “consistency in the questions that you're asking and the responses you are getting,” says Sagi Leizerov, practice leader, Americas, for Ernst & Young Privacy Advisory Services.

Don't Be a Data Hoarder

A growing trend among organizations is to minimize the flow of information to what is absolutely necessary, says Mossburg. Traditionally, companies have long believed that they could gain value from holding onto data; that's not so much the case anymore. “Organizations are really focused on trying to figure out how they can minimize their data footprint in order to minimize the risk to the organization,” she says.

“If you don't need it, destroy it,” agrees Miller. If you need to save the data for whatever reason, encrypt it and store it behind “well-defined and well-controlled firewalls,” he says.

Data mapping is “definitely a larger effort the first time you do it,” Dieterich says, but one way to ensure consistency is to do annual reviews or internal audits to make sure business units are keeping up to date on their processes.

If you are the privacy leader for the organization, pushing responsibility back onto the business unit leaders and using those individuals as your “eyes on the ground” may also help alert you to any changes to the business operations, Dieterich says.