Information Governance & Risk Management Best Practices
Whether data is generated by your organization or collected from a third party (such as a customer, vendor, or partner), the only way you can effectively protect it is by understanding it. For instance, does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, or financial data?
Data that is not covered by information governance practices can create operational, privacy, and security gaps that put company assets at risk. Once you know what your data is, where it is, who can access it, and who has accessed it, you can make informed decisions about where it should live. Data held in a tightly controlled system may need fewer additional controls than the same data placed in a cloud environment, on a broadly available corporate intranet, or on a public website, where the set of people and systems that can reach it is far larger.
Depending on your information governance rules, data can be a valuable asset like gold or it can become toxic like asbestos. A true best practice approach requires a sustainable ecosystem in which you derive value from the data you hold while protecting company assets. Here is what I suggest.
1. Contemplate how data is created or collected by your company.
You should think about excessive collection (collecting more than you need for the stated purpose), how you will provide notice to individuals about that collection, and what level of choice is appropriate to offer them. You should also understand whether you need to keep records of that collection and creation, for example to demonstrate lawful basis or consent later.
2. Think about how you are going to use and maintain this data.
Here you should consider inappropriate access; ensure that the data subjects' choices are properly honored; address concerns around a potential new use, or even misuse, of the data; plan how you will respond to a breach; and ensure that you are properly retaining the data for records management purposes.
3. Consider who is going to share this data and who it’ll be shared with.
You should consider data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.
4. All data must have an appropriate disposition.
You should keep data only for as long as you are required to do so by records management, statutory, regulatory, or compliance requirements. Make sure you are not inadvertently disposing of data you are obliged to retain, while recognizing that for as long as you store sensitive information you carry the risk of its breach; data you no longer hold cannot be exposed.
5. Understand the difference between what can and should be shared.
A good program must continually assess and review who needs access to what types of information. Privacy and security teams should work with their IT counterparts to automate controls around enterprise systems so that it is easier for employees to do the right thing than the wrong thing, or to simply ignore the consequences of their actions. Once you have implemented your plan, be sure to maintain regular and ongoing assessments.