Data Privacy Principles
As amazing quantities of data are gathered, aggregated and stored, the world is taking notice and imposing restrictions on organizations in an effort to protect the people to whom this data is connected. There are a number of leading organizations and governments worldwide with documented privacy principles that have guided this effort. Although the details differ, they generally agree that:
- Data subjects should be given notice that their data is being collected and the purpose of its use.
- Data subjects should have control over whether their data is used, and have the ability to withdraw consent of its use.
- Data subjects must be allowed to view and verify the accuracy of their data in a timely manner and at reasonable expense.
- Organizations that collect data must ensure that it is accurate, securely protected and disclosed/used only for the specified purpose(s).
Privacy vs. Protection
According to a recent IBM/Harris poll, 75% of consumers now refuse to purchase from a company — no matter how great their products are — if they don’t trust the company to protect their data.(2) So getting this right can affect a business’s survival.
Data privacy is the right to own and control your own data. Data privacy laws uphold the data subject’s ownership of their own data, no matter where it is collected or stored. Organizations that collect the data must respect and follow the laws, by setting policies and procedures to ensure that the subjects have access to and control over their data, determining who may access it and whether it is shared or sold.
Data protection refers to protecting an organization’s assets, and also the organization’s responsibility to protect personal information about others that they collect and store. Data protection is mainly about preventing unauthorized access to sensitive information.
Ensuring data privacy includes a responsibility to ensure that the collected data is accessible, protected and used responsibly. Data protection is a system to ensure that data is maintained securely.
Components of Data Protection
One of the key means of helping to ensure data privacy is data protection. Several components make up data protection.
1. Capture, Storage, Use and Transporting of Data
Each piece of data has inherent risks that come with it. The goal of data protection is to minimize those risks. Understanding how your organization captures, stores, uses and transports data is the first step toward making good decisions that will minimize the risk.
2. Data Subject Security and Safety
Sensitive data about a person really can’t be separated from that person. Having information in a spreadsheet or on a piece of paper is often the first step towards exploiting someone. Identity theft, blackmail, extortion and even domestic violence all begin with information about a person. If someone has access to your data, then they can exploit you.
Data Protection Best Practices
Designing and building a data protection system is critical for safeguarding not only proprietary organizational information, but also any personal or sensitive information you gather about your employees and customers.
Following industry best practices for data protection and data privacy will help ensure that your organization meets compliance guidelines and can prove secure handling when asked or audited. If you don’t already have a data protection system, here are the steps to create one that will help keep your data secure:
1. Know What Data You Have
Before you can effectively protect your data, you must know what you have and where it is stored. Create a Data Asset Log to track the data points you collect. Include information about the reason for collection/need the data meets, whether you obtain consent to store it, where it is stored, and how it moves.
During this process, it is also a good idea to scrutinize your reasons for collecting each data point. As you set up your protection system, you will see more data means increased risk and more cost. If you find you are collecting data that your organization doesn’t use, or uses immediately and then never again, then stop storing it so you can reduce your costs and risk.
2. Reduce Scope
Privacy laws and regulations generally require limiting data collection to data that is necessary for current business. Following this practice will keep your organization in compliance, reduce your data protection costs, and also reduce your likelihood of becoming a target.
3. Classify Your Data
Using a Data Classification System is an organized way to ensure that each type of information you collect is appropriately protected. During this process, consider why someone might want your data and separate it into specific protection categories based on its sensitivity, value and potential usefulness. Each organization must determine the appropriate categories for their data. Some organizations only need two categories – public and confidential; others may need more levels of restriction, such as internal only, restricted and secret. This process allows you to separate valuable data that may be targeted from less important information. Classification categories are also useful for people using the data, by informing them of its sensitivity and need for protection.
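The Data Asset Log from step 1, the scope-reduction review from step 2 and the classification categories above can be kept in one machine-readable inventory and checked automatically. The script below is an added example, not code from the article or from GLS; the asset fields, the four classification levels, the minimum controls required per level and the sample log entries are all assumptions constructed for illustration. It flags personal data held without consent, data that is never or no longer used (candidates to stop storing), and assets whose protection falls short of what their classification requires.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Classification(IntEnum):
    """Ordered sensitivity levels; each organization chooses its own set."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Minimum controls per level. This mapping is an assumed policy for the
# example, not a requirement stated by the article.
REQUIRED_CONTROLS: Dict[Classification, Set[str]] = {
    Classification.PUBLIC: set(),
    Classification.INTERNAL: {"access_control"},
    Classification.CONFIDENTIAL: {"access_control", "encrypted_at_rest"},
    Classification.RESTRICTED: {"access_control", "encrypted_at_rest",
                                "encrypted_in_transit", "mfa"},
}


@dataclass
class DataAsset:
    """One row of the Data Asset Log."""
    name: str
    purpose: str                      # reason for collection / need it meets
    personal: bool                    # relates to an identifiable person
    consent_obtained: bool            # data subject consented to storage
    storage: str                      # where the data is stored
    flows: List[str]                  # systems the data moves to
    classification: Classification
    controls: Set[str] = field(default_factory=set)
    last_used: Optional[date] = None  # None means never used since collection


def consent_gaps(log: List[DataAsset]) -> List[str]:
    """Personal data stored without recorded consent."""
    return [a.name for a in log if a.personal and not a.consent_obtained]


def scope_review(log: List[DataAsset], today: date,
                 max_idle_days: int = 365) -> List[Tuple[str, str]]:
    """Assets never used, or idle past the retention window: stop storing them."""
    findings = []
    for a in log:
        if a.last_used is None:
            findings.append((a.name, "never used"))
        else:
            idle = (today - a.last_used).days
            if idle > max_idle_days:
                findings.append((a.name, f"idle {idle} days"))
    return findings


def control_gaps(log: List[DataAsset]) -> List[Tuple[str, List[str]]]:
    """Assets missing the controls their classification level demands."""
    findings = []
    for a in log:
        missing = REQUIRED_CONTROLS[a.classification] - a.controls
        if missing:
            findings.append((a.name, sorted(missing)))
    return findings


def review(log: List[DataAsset], today: date) -> Dict[str, list]:
    """Run all checks; the result is the input to a periodic review (step 9)."""
    return {
        "consent_gaps": consent_gaps(log),
        "scope_review": scope_review(log, today),
        "control_gaps": control_gaps(log),
    }


# Constructed sample log; names and values are invented for the example.
SAMPLE_LOG = [
    DataAsset("customer_email", "order notifications", True, True, "crm-db",
              ["mailer"], Classification.CONFIDENTIAL,
              {"access_control", "encrypted_at_rest"}, date(2024, 5, 1)),
    DataAsset("marketing_survey_dob", "survey demographics", True, False,
              "shared-drive/survey.xlsx", [], Classification.CONFIDENTIAL,
              {"access_control"}, date(2022, 3, 10)),
    DataAsset("product_catalog", "public website", False, False, "cms",
              ["web"], Classification.PUBLIC, set(), date(2024, 6, 1)),
    DataAsset("legacy_ssn_export", "unknown", True, False, "old-fileserver",
              [], Classification.RESTRICTED, {"access_control"}, None),
]

if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG, date(2024, 6, 15)).items():
        print(f"{check}: {hits}")
```

Each finding maps back to a step in the article: consent gaps to the privacy principles on notice and consent, idle or never-used assets to scope reduction, and control gaps to the classification system. Re-running the script after every change to the log is the "review and repeat" step in executable form.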
4. Write Official Standards and Processes
Documenting and disseminating official policies is the best way to ensure that all employees follow the same procedures when working with organizational data. Drafting and maintaining procedures for data collection, storage, transfer and deletion also means you will have the information required to be in compliance with many privacy laws and regulations. Including security policies on topics like access, encryption and sharing also sets a standard that helps employees know which data handling procedures are required.
5. Document Everything
Knowing what you have and where you have it is a basic requirement of data protection; but if all the information or plans are stored in someone’s head, it is impossible for anyone else to use. Documentation is critical for policy dissemination, and tracking adherence to policies and procedures. The documents should also be used as the basis of your incident response plan and actions if your organization faces a security breach. For small and medium-sized businesses, where responsibilities are often designated to only one person, documenting information is especially important as a safeguard against employee unavailability or loss during an incident.
6. Develop an Incident Response Plan
Even some of the world’s top security systems have been the target of breaches, so no matter how strong your system is, everyone is at risk. Crafting and practicing a reliable response strategy is the best way to mitigate your risk. Begin by practicing redundancy – regularly create multiple backup copies of your data, preferably with one stored off-site. Follow this by documenting processes and procedures for regular system inspections and an escalation procedure to follow if anything unusual is found. Include a reporting procedure for non-IT employees to follow if they notice anything suspicious. And finally, be sure to include a regular process for testing – in particular, allow your IT staff time to practice restoring data from backups, so that if the need ever arises, the process will go smoothly.
7. Educate Your Employees
Human error is the greatest risk to data security. To protect your organization, all employees should be trained in your organization’s specific data protection techniques, as well as general cybersecurity awareness. Data privacy training and data protection training topics should include:
- Data handling processes and procedures
- Background and requirements of internal security policies
- Recognizing and resisting social engineering/phishing
- Using secure passwords and multi-factor authentication (MFA)
- Keeping devices safe, particularly when out of the office
- Incident response
8. Harden Your Borders
Implement strong anti-virus, anti-malware and firewall systems and install them on all devices that access your network, including smartphones, tablets and even IoT (Internet of Things) devices. Look for tools that are designed to detect problems at endpoints and block them from network access if anything suspicious is found.
9. Review and Repeat
Finalizing this process does not mean data protection is “done.” The data an organization holds is constantly changing as business transpires. The only way to maintain security is to review your system regularly, at least annually, and repeat the process any time you add or remove data points.
If your organization hasn’t already started, now is the time to address data privacy and protection. Changing laws and increasing awareness mean that secure data handling is critical to gaining and maintaining customer trust. When you are ready to educate your staff, let us help. GLS’ library of materials includes a full curriculum for secure data handling. It focuses on maintaining confidentiality of the data by increasing risk awareness and instituting secure cybersecurity practices for data usage. Using short videos, e-learning modules and awareness posters, we can help you quickly build a robust data privacy training program to secure your human firewall.