Data classification in 2016 is messy. There’s a massive amount of data being generated daily, but you already know this. In fact, you’re struggling to keep all of that data in order – making sure it’s available, organized, and protected as best you can.
Not only does data need to be protected from external threats, but it is also subject to a vast array of government and industry regulations. These can include data privacy regulation such as the General Data Protection Regulation (GDPR) set forth by the European Union, the United States International Traffic in Arms Regulations (ITAR), or the US Health Insurance Portability and Accountability Act (HIPAA), which deals with Protected Health Information (PHI). Data protection aside, different industries and geographical locations also place varying requirements on how specific types of data are retained as records and for how long.
It’s Not Just a Compliance Problem
Sure, compliance and data privacy responsibilities traditionally fell on your legal teams, but with the majority of your data being digital, IT can no longer turn a blind eye. The fact of the matter is that, at the sheer speed at which data is being produced, no legal team can keep up with manually reviewing and resolving violations effectively. That’s not even considering the potential impact that manual processes can have on the speed of business when they cause bottlenecks. So in addition to system security, firewall, and antivirus software, IT is being asked to find ways to discover and report on risks and vulnerabilities within the data itself, as well as to prevent accidental internal breaches – the greatest threat to privacy and security today.
In order to provide the right level of support to meet both business and data protection needs, standardized classification of data is needed from the moment data is created, throughout its lifespan of sharing and editing, and finally through its record state until it is ultimately deleted. Depending on the size of your organization and the structure of your IT team, this could be a responsibility of a specific IT security unit or generally wrapped into the IT administrator’s role.
Data Classification is Overwhelming Until You Break It Down
The problem with standardizing data classification lies within the different key roles within your organization and the relationship each has with your data. In order to meet needs across the entire organization, you’ll need to first align the three key roles within your business that influence your classification structure. To do so, it’s important to understand what each role is and what those individuals’ greatest concerns are:
The Creator – Your Run-of-the-Mill Business User
Primary Concern: Getting the job done.
The creator uses data as a means to achieve a result – a business goal of some sort. He or she will use whatever means necessary to get the job done, and generally favors speed and simplicity over security. Creators are not out to violate regulations or work outside of policies – they just can’t be bothered to remember it all, and will look for other (easier) ways of doing things if what’s provided is complicated and time-consuming.
The Protector – Your Privacy and Compliance Officer
Primary Concern: Avoiding fines.
The protector minimizes your data’s risk exposure. He or she keeps up with changing government and industry regulations and standards, and will choose compliance and accountability over all else. Protectors are not looking to get in the way of business or burden IT, but will put in place complex policies and processes where viable options are limited.
The Manager – Your Master of Technology! (IT Pro)
Primary Concern: Keeping the wheels spinning.
The manager keeps the data available to keep your business going. To keep the systems running, troubleshoot issues, and provide reliable access to critical data, he or she looks for scalability and ease of implementation to maintain the stringent Service Level Agreement (SLA) demanded by a fast-paced business landscape.
The Most Important Thing About Data Classification
Don’t let the conversation stall here. Get Mapping! With the understanding of how everyone is involved and what their main concerns are, it’s time to map out your data against the regulations so you can leverage solutions to automate the classification process.
Identify some crucial information about your data:
- Purpose – What’s the business use? How important is it?
- Ownership – Who’s responsible for it? Where should it live? Who should have access to it?
- Requirements – What privacy regulations, classification standards, and records regulations apply to it?
Across all of your data, you’ll need to establish classification to meet requirements. Identifying sensitivity level and data type for classification and records management will determine the level of protection the content needs. However, the purpose and ownership of the data will determine the best ways to protect it, as well as the right person/people to address any violations (whether in the content itself, where the content lives, or who has access).
The Secret’s Out!
There’s no shortage of information on how important data classification is to the health of your data governance, privacy, and security strategy – yet why do companies continue to struggle to implement a system that scales and adapts to changes in the business? While you know that aligning IT, information governance, and business needs is important, identifying the roles and knowing their involvement in the process for protecting your data is the first step towards creating your plan.
Once you have a standardized structure for how data is classified, what are the next steps you can take?
- Automate data classification to enforce that structure reliably
- Build in recertification processes to keep data classification up to date
- Use technology to enforce access control based on data classification at all times
- Automatically execute records retention policies based on data classification