Whether data is generated by and within your organization or collected by your organization through a third party (customer, vendor, partner), the only way you can effectively protect it is by understanding it. Ask yourself: Does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, or financial data?
While this is a good practice in general, the topic is especially relevant for those who will be subject to the European Union General Data Protection Regulation (GDPR) when it becomes enforceable in May 2018. The GDPR does not only affect companies established in the EU: organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU are also subject to its requirements, including:
- Data Protection Impact Assessments (often called Privacy Impact Assessments) for processing that is likely to be high-risk
- Privacy and Security “By Design” and by default
- Inventories and data mapping of personal information across your business systems
- Mandatory appointment of a Data Protection Officer for organizations that meet the criteria (public authorities and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data)
- Evidence that your privacy program includes these factors
We’ve highlighted the importance of protecting data from the moment data is collected and building privacy and security into the foundations of any project, but the fact is data changes throughout its lifetime and is often stored for years – whether for record or “just in case”. Let’s define a few steps organizations can take to build data privacy policies into how data is managed throughout its lifecycle.
Data Protection through Data Lifecycle Management
Data without controls can create operational, privacy, and security gaps that put company assets at risk. Once you know what the data is, where it is, who can access it, and who has accessed it, you can make decisions about where it should live. Data held in a tightly controlled system may need fewer additional controls than the same data in a cloud environment or on a broadly available corporate intranet. Data sovereignty rules also dictate what controls are needed, including:
- What should be kept on premises
- When you can or should move to the cloud
- Where to store data
Putting Data Lifecycle Management Best Practices in Action
Privacy and security risk management intersect with other data lifecycle management programs within your company. Combining these areas will allow you to better optimize resources and risk management to support responsible, ethical and lawful collection, use, sharing, maintenance, and disposal of information.
Four Steps to Better Data Lifecycle Management
- Be organized when it comes to data collection. Contemplate how data is created or collected by your company. Think about avoiding excessive collection (data minimization), how you will provide notice to individuals about that collection, how you will offer appropriate levels of choice, and how you will keep appropriate records of that collection and creation. Then, tag your data by collection method (or source) and purpose for collection.
- Create a permissions structure to prevent misuse or improper access. Think about how you are going to use and maintain this data:
  - Consider inappropriate access
  - Ensure that data subjects’ choices are being properly honored
  - Address concerns around a potential new use or even misuse
  - Consider how to address concerns around a breach
  - Ensure that you are properly retaining the data for records management purposes
- Set boundaries for secure sharing. Consider data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.
- Build in retention/deletion rules based on your classification scheme. All data must be disposed of properly: keep data only for as long as records management, statutory, regulatory, or compliance requirements demand, and make sure you are not inadvertently disposing of data you are required to keep. Tagging lets you match content types to requirements, which in turn lets you build accurate retention policies. As long as you hold sensitive data, you run the risk of a breach.
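The tagging in step 1, the purpose-bound permissions structure in step 2 and the tag-driven retention rules in step 4 can be encoded directly so that the checks run automatically instead of relying on employees to remember them. The following Python is an added example, not code from the original page or from any product it describes; the classification scheme, retention periods, role-to-purpose mapping, consent rule and sample inventory are all constructed assumptions standing in for your own records management schedule and IAM policy.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per classification tag, in days. Constructed for this
# example; real periods come from your records management schedule and
# statutory requirements.
RETENTION_DAYS = {
    "pii": 365,
    "financial": 7 * 365,
    "health": 10 * 365,
    "internal": 90,
}

# Purposes each role is permitted to act for (constructed example of a
# purpose-based permissions structure; in practice this lives in your
# IAM or policy engine).
ROLE_PURPOSES = {
    "support": {"service-delivery"},
    "finance": {"billing", "service-delivery"},
    "marketing": {"marketing"},
}

# Purposes that require an explicit opt-in from the data subject (assumed).
CONSENT_PURPOSES = {"marketing"}

# Reference date used by the sample run below (constructed).
AS_OF = date(2018, 5, 25)


@dataclass
class Record:
    record_id: str
    data_class: str           # tag from the classification scheme
    source: str               # collection method or origin
    purposes: set             # purposes the subject was notified of at collection
    collected_on: date
    consents: set = field(default_factory=set)  # opt-ins the subject granted
    legal_hold: bool = False  # suspends disposal, e.g. for litigation


def disposition(record, today):
    """Decide what to do with a record today: hold, review, dispose or retain."""
    if record.legal_hold:
        return "hold"
    days = RETENTION_DAYS.get(record.data_class)
    if days is None:
        # Untagged or unknown class: never auto-dispose, route to a human.
        return "review"
    expiry = record.collected_on + timedelta(days=days)
    return "dispose" if today >= expiry else "retain"


def retention_sweep(records, today):
    """Map every record id to its disposition. 'dispose' feeds the deletion
    workflow, 'review' feeds the classification backlog."""
    return {r.record_id: disposition(r, today) for r in records}


def authorize(record, role, purpose):
    """Purpose-bound access check; returns (allowed, reason).
    A role may only use a record for a purpose it is permitted to act for,
    that the subject was told about at collection, and that the subject
    opted into where consent is required."""
    if purpose not in ROLE_PURPOSES.get(role, set()):
        return False, "role not permitted for this purpose"
    if purpose not in record.purposes:
        return False, "purpose was not notified at collection"
    if purpose in CONSENT_PURPOSES and purpose not in record.consents:
        return False, "data subject has not consented to this purpose"
    return True, "ok"


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("r1", "pii", "web-signup", {"service-delivery"}, date(2017, 1, 1)),
    Record("r2", "financial", "invoice", {"billing"}, date(2015, 6, 1)),
    Record("r3", "unknown", "legacy-import", set(), date(2010, 1, 1)),
    Record("r4", "pii", "web-signup", {"service-delivery"}, date(2016, 1, 1),
           legal_hold=True),
    Record("r5", "pii", "web-signup", {"service-delivery", "marketing"},
           date(2018, 3, 1), consents={"marketing"}),
    Record("r6", "pii", "web-signup", {"service-delivery", "marketing"},
           date(2018, 4, 1)),  # notified of marketing but never opted in
]

if __name__ == "__main__":
    for rid, action in retention_sweep(SAMPLE_RECORDS, AS_OF).items():
        print(rid, action)
    print("r1 marketing:", authorize(SAMPLE_RECORDS[0], "marketing", "marketing"))
    print("r6 marketing:", authorize(SAMPLE_RECORDS[5], "marketing", "marketing"))
```

Two design choices matter here. A record with no recognised tag is never auto-deleted and never silently kept; it is surfaced for review, which is the step-1 tagging gap made visible. Access is refused for any one of three independent reasons (role, notified purpose, consent), so a new use such as marketing against data collected only for service delivery fails even when the requesting role is otherwise entitled to market.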
Finally, as an overarching but truly foundational best practice, understanding the difference between what can be shared and what should be shared is key. A good program must continually assess and review who needs access to what types of information, and privacy teams should work with their IT counterparts to automate controls around enterprise systems so that it is easier for employees to do the right thing than to do the wrong thing or simply ignore the consequences of their actions. Once you’ve implemented your plan, maintain regular and ongoing assessments.
Compliance with GDPR requirements will require a major shift for many companies, even those that already have a privacy program. New obligations for the CIO, CISO, and the business mean that waiting for the law to come into effect may leave you already too late. Organizations failing to meet these requirements face significant administrative fines: for the most serious infringements, up to four percent of annual global turnover or €20 million, whichever is higher.
Sign up for our GDPR Response Guide to understand the legislation’s requirements and how to take a risk-based approach to compliance.