Manage Your Data From Cradle to Grave
Data is a living, breathing thing. Don’t let it get out of control.
Commercial data has a life of its own. Left unchecked, it will spread organically throughout your company via emails and shared network files. That represents a serious problem for directors, who could find themselves on the hook for mismanaged company information. This article explains how to rethink your data management processes and secure your company against a growing regulatory threat.
Company directors are already personally liable for data breaches under the UK Data Protection Act that stem from negligence. The UK Information Commissioner’s Office can currently impose fines of up to £500,000 for such breaches, and new laws will raise the stakes.
The forthcoming General Data Protection Regulation (GDPR), which comes into force in May 2018, will significantly expand company responsibilities for data privacy. It will also increase the penalties. Expect to pay up to €20,000 or 4% of company revenue for certain classes of privacy violation.
This mixture of growing regulatory pressure and personal liability makes auditing and compliance a key driver for data governance. In a survey of 304 IT professionals from across the UK, data security and governance consulting company HANDD found that regulations, legislation and compliance were among the top data security challenges, concerning 21% of respondents.
Company directors can mitigate these threats by exercising due care in managing customer and company data. Begin by considering data’s journey through your organization. All business data has a lifecycle, progressing through several common stages. Managing these phases of your data’s journey will give you better visibility into, and control over, one of your most valuable – and potentially dangerous – assets.
Data enters an organization in various ways. Sales or support staff may create it manually during a phone call. It may arrive via a paper-based letter or form, or employees may collect it at the point of sale. It can arrive via forms filled out on a website, or you may even acquire it from a data broker or business partner.
As soon as information touches your company for the first time, the first step is to classify it so that you understand what it is and how to handle it. Do this by tagging it with metadata, which you can think of as a set of digital labels. Each tag, or label, tells you things such as the information’s level of sensitivity, what kind of information it is, who created it, and when.
Metadata tagging will be particularly important in the GDPR era. The Regulation introduces new rules around consent, for example. These rules require companies to document customer consent separately when using pieces of data for separate activities such as sales, support, or business intelligence.
GDPR will also allow customers to make other data requests. They can ask for a copy of all data stored about them in a machine-readable format so that they can take it elsewhere, or simply ask for all their data to be deleted. Proper data classification and tagging will help companies to manage this process, which will be highly labour-intensive otherwise.
Proper data classification is a critical factor in the next stage of your data’s journey. Records can be stored in the public cloud, or locally at your offices. They can be stored in the same country as your headquarters, or elsewhere. You may choose to make them quickly available on expensive, fast storage, or to store them cheaply in an archival system with a retrieval time spanning several hours.
A robust data governance framework will include policies to dictate which kinds of data are stored where. You will only be able to follow it automatically if you classify your information with metadata so that data management software can take the appropriate action.
Deciding where to store data, and then actioning that decision, is the most challenging stage of the data journey for UK companies. HANDD found that data storage kept over a third (35%) of respondents awake at night.
The next stage, data access, is proving to be the second thorniest problem for UK companies, causing consternation for one in four respondents to the HANDD survey. That’s because defining who should access data and then policing that access can be a complex problem.
An identity and access management (IAM) system is critical here. It should understand user permissions based on their roles and responsibilities, and combine this information with your classification metadata to grant users the proper access using secure login mechanisms.
Competent data access mechanisms not only stop Joe the mailroom worker from downloading your entire customer database onto a USB drive, but can also set different access requirements based on sensitivity. It may be okay to let an approved user on the local network view (but not edit) low-sensitivity data with a simple password. Conversely, to edit highly sensitive data from a remote location, they may need two-factor authentication.
Inappropriate data sharing – whether malicious or accidental – is one of the biggest threats facing many companies. 21% of respondents to HANDD’s survey said that employee behavior was the biggest challenge to their company’s data security. Attackers have become adept at fooling employees into sharing sensitive data via email, and while security awareness training plays a part, smart companies will use technology measures to help secure their information.
Data classification will help tools such as data leak prevention (DLP) software to stop sensitive data from leaving the organization through unapproved channels. Properly implemented in conjunction with IAM tools, it can also control which people or departments in the organization are allowed to share information, and can even dictate the circumstances under which that data can be shared.
Archiving and removal
Like any asset in a company, data reaches the end of its lifecycle at some point. When this happens, it may need to be archived or securely erased altogether, and regulators will often have strict rules about this.
Your data governance solution should manage this end-of-life process, using metadata to understand how long a particular piece of digital information should be kept, and how to dispose of it afterwards.
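The rules sketched above for access (sensitivity, network location and authentication strength), per-activity consent and metadata-driven archiving and erasure, as an added Python example that is not part of the original article. The role table, factor thresholds and retention periods are assumed placeholders, not values the article gives.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum

class Sensitivity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Record:
    """A record plus its classification metadata (the article's 'digital labels')."""
    record_id: str
    kind: str                      # what kind of information it is
    sensitivity: Sensitivity       # level of sensitivity
    created_by: str                # who created it
    created_on: date               # when it was created
    consent: set = field(default_factory=set)  # activities the subject consented to

# Hypothetical role permissions: role -> {record kind -> allowed actions}
ROLE_PERMISSIONS = {
    "sales":    {"customer-contact": {"view", "edit"}},
    "support":  {"customer-contact": {"view"}},
    "mailroom": {},
}
# Hypothetical retention policy: record kind -> (archive after N days, erase after M days)
RETENTION_POLICY = {"customer-contact": (365, 365 * 6)}

def required_factors(rec, action, on_local_network):
    """Authentication strength derived from sensitivity, action and location
    (hypothetical rule table modelled on the article's two examples)."""
    if rec.sensitivity == Sensitivity.HIGH and (action == "edit" or not on_local_network):
        return 2  # e.g. editing highly sensitive data remotely needs two-factor auth
    if rec.sensitivity == Sensitivity.MEDIUM and action == "edit" and not on_local_network:
        return 2
    return 1      # a simple password is enough

def check_access(rec, role, action, on_local_network, factors_presented):
    """Combine role permissions with classification metadata; returns (allowed, reason)."""
    if action not in ROLE_PERMISSIONS.get(role, {}).get(rec.kind, set()):
        return False, f"role {role!r} may not {action} {rec.kind!r}"
    needed = required_factors(rec, action, on_local_network)
    if factors_presented < needed:
        return False, f"{needed} authentication factor(s) required"
    return True, "allowed"

def consent_allows(rec, activity):
    """Consent is recorded per activity (sales, support, ...), not once for everything."""
    return activity in rec.consent

def lifecycle_state(rec, today):
    """End-of-life handling driven by metadata: 'active', 'archive' or 'erase'."""
    archive_after, erase_after = RETENTION_POLICY[rec.kind]
    age = (today - rec.created_on).days
    if age >= erase_after:
        return "erase"
    if age >= archive_after:
        return "archive"
    return "active"
```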
This data governance challenge is nuanced and intricate. Parameters and challenges will vary depending on factors such as the sector that your company operates in, the systems it currently uses, and the type of information that you have to deal with.
Work with expert practitioners to define and document your data’s unique characteristics. Take external advice on how you can use that information as a tool to control your data throughout its entire lifecycle, and you’ll be better positioned to deal with questions when regulators come calling.