What is Data Protection?

What is Data Protection?

Data privacy is the responsibility to ensure that collected data is accessible, protected and used responsibly. Data protection requires maintaining data securely. Assuring data privacy and data protection is essential to winning your customers’ trust. Business leaders and their technical teams can start by understanding these concepts and adopting best practices for handling data within their organizations. 

Data is Here to Stay

Digital transformation (DX)  is a term we hear a great deal these days. The idea behind DX is actually quite simple: create an infrastructure and processes for using the digital technologies your organization can access in order to change your business for the better. Change can occur in any aspect of a company – sales, marketing, customer support, etc. No matter the path you take towards digital transformation, one thing is always true – it takes data. We live in a data-driven world.

“The data-driven world will be always on, always tracking, always monitoring, always listening, and always watching – because it will be always learning.”(1) In fact, by 2025, it is predicted that there will be 175 zettabytes (1021) of data in the world.

Data Privacy Principles

As amazing quantities of data are gathered, aggregated and stored, the world is taking notice and imposing restrictions on organizations in an effort to protect the people to whom this data is connected. There are a number of leading organizations and governments worldwide with documented privacy principles that have guided this effort. Although the details differ, they generally agree that:

  1. Data subjects should be given notice that their data is being collected and the purpose of its use.
  2. Data subjects should have control over whether their data is used, and have the ability to withdraw consent of its use.
  3. Data subjects must be allowed to view and verify the accuracy of their data in a timely manner and at reasonable expense.
  4. Organizations that collect data must ensure that it is accurate, securely protected and disclosed/used only for the specified purpose(s).

Privacy vs. Protection

According to a recent IBM/Harris poll, 75% of consumers now refuse to purchase from a company — no matter how great their products are — if they don’t trust the company to protect their data.(2) So getting this right can affect a business’ survival.

Data Privacy is the right to own and control your own data. Data privacy laws uphold the data subject’s ownership of their own data, no matter where it is collected or stored. Organizations that collect the data must respect and follow the laws, by setting policies and procedures to ensure that the subjects have access to and control over their data, determining who may access it and whether it is shared or sold.

Ensuring data privacy includes a responsibility to ensure that the collected data is accessible, protected and used responsibly. Data protection is a system to ensure that data is maintained securely.

Data protection refers to protecting an organization’s assets, and also the organization’s responsibility to protect personal information about others that they collect and store.  Data protection is mainly about preventing unauthorized access to sensitive information.

Components of Data Protection

Each piece of data has inherent risks that come with it. The goal of data protection is to minimize those risks.  Understanding how your organization captures, stores, uses and transports data is the first step toward making good decisions that will minimize the risk.

Sensitive data about a person really can’t be separated from that person.  Having information in a spreadsheet or on a piece of paper is often the first step towards exploiting someone. Identity theft, blackmail, extortion and even domestic violence all begin with information about a person.  If someone has access to your data, then they can exploit you.

Data Protection Best Practices

Before you can effectively protect your data, you must know what you have and where it is stored. Create a Data Asset Log to track the data points you collect. Include information about the reason for collection/need the data meets, whether you obtain consent to store it, where it is stored, and how it moves. 

During this process, it is also a good idea to scrutinize your reasons for collecting each data point. As you set up your protection system, you will see more data means increased risk and more cost. If you find you are collecting data that your organization doesn’t use, or uses immediately and then never again, then stop storing it so you can reduce your costs and risk.

Privacy laws and regulations generally require limiting data collection to data that is necessary for current business. Following this practice will keep your organization in compliance, reduce your data protection costs, and also reduce your likelihood of becoming a target. 

Using a Data Classification System is an organized way to ensure that each type of information you collect is appropriately protected. During this process, consider why someone might want your data and separate it into specific protection categories based on its sensitivity, value and potential usefulness. Each organization must determine the appropriate categories for their data. Some organizations only need two categories – public and confidential; others may need more levels of restriction, such as internal only, restricted and secret. This process allows you to separate valuable data that may be targeted from less important information. Classification categories are also useful for people using the data, by informing them of its sensitivity and need for protection.

Documenting and disseminating official policies is the best way to ensure that all employees follow the same procedures when working with organizational data. Drafting and maintaining procedures for data collection, storage, transfer and deletion also means you will have the information required to be in compliance with many privacy laws and regulations. Including security policies about topics like access, encryption, and sharing also set a standard to help employees know what data handling procedures are required.

Knowing what you have and where you have it is a basic requirement of data protection; but if all the information or plans are stored in someone’s head, it is impossible for anyone else to use. Documentation is critical for policy dissemination, and tracking adherence to policies and procedures. The documents should also be used as the basis of your incident response plan and actions if your organization faces a security breach. For small and medium-sized businesses, where responsibilities are often designated to only one person, documenting information is especially important as a safeguard against employee unavailability or loss during an incident.

Even some of the world’s top security systems have been the target of breaches, so no matter how strong your system is, everyone is at risk. Crafting and practice using a reliable response strategy is the best way to mitigate your risk. Begin by practicing redundancy – regularly create multiple backup copies of your data, preferably with one stored off-site. Follow this with documenting processes and procedures for regular system inspections and an escalation procedure to follow if anything unusual is found. Include a reporting procedure for non-IT employees to follow if they notice anything suspicious. And finally, be sure to include a regular process for testing – particularly allow your IT staff time to practice installing back up data, so that if the need ever arises, the process will go smoothly.

Human error is the greatest risk to data security. To protect your organization, all employees should be trained in your organization’s specific data protection techniques, as well as general cybersecurity awareness. Data privacy training and data protection training topics should include:

  • Data handling processes and procedures
  • Background and requirements of internal security policies
  • Recognizing and resisting social engineering/phishing
  • Using secure passwords and multi-factor authentication (MFA)
  • Keeping devices safe, particularly when out of the office
  • Incident response

Implement strong anti-virus, anti-malware and firewall systems and install them on all devices that access your network, including smartphones, tablets and even IoT (Internet of Things) devices. Look for tools that are designed to detect problems at endpoints and block them from network access if anything suspicious is found.

Finalizing this process does not mean data protection is “done.” The data an organization holds is constantly changing as business transpires. The only way to maintain security is to review your system regularly, at least annually, and repeat the process any time you add or remove data points.

Next Steps to Ensure Data Privacy and Protection

If your organization hasn’t already started, now is the time to address data privacy and protection. Changing laws and increasing awareness means that secure data handling is critical to gaining and maintaining customer trust. When you are ready to educate your staff, let us help. GLS’ library of materials includes a full curriculum for secure data handling.  It focuses on maintaining confidentiality of the data by increasing risk awareness and instituting secure cybersecurity practices for data usage. Using short videos, e-learning modules and awareness posters, we can help you quickly build a robust data privacy training program to secure your human firewall.

CMYK_GLSIcon-Color1200px

Don't Pass Up This Free Data Privacy Kit

What Can YOU Do to Increase Data Privacy?

As part of our Human Firewall 2.0 security awareness program, Global Learning Systems offers targeted courses for data privacy and protection. Contact us to get started! 

References

1 IDC White Paper. (2018, November). Data Age 2025: The Digitization of the World From Edge to Core. https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf

2 Harris Insight and Analytics. (2018, April 13). IBM Cybersecurity and Privacy Research. Retrieved from https://newsroom.ibm.com/Cybersecurity-and-Privacy-Research

GLS Logo
Front-End Exercises
React Angular Vue.js
Cross Site Request Forgery Cross Site Request Forgery Untrusted HTML Rendering XSS
Direct Dom Manipulation XSS Direct Dom Manipulation XSS Direct Dom Manipulation XSS
Components with Known Vulnerabilities Template Concatenation Cross Site Request Forgery
Untrusted HTML Rendering XSS Sanitization Misuse XSS Untrusted Template Usage XSS
GLS Logo
OWASP Top 10 – API – 2019
ID Topic Covered in SecureDev Modules Programming Languages Available
API1:2019 Broken Object Level Authorization Broken Object Level Authorization JAVA, C#, Python (Django), Python (Flask), Node.js, GO, PHP, Ruby on Rails, Scala, Kotlin
API2:2019 Broken User Authentication Broken User Authentication
API3:2019 Excessive Data Exposure Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting Lack of Resources & Rate Limiting
API5:2019 Broken Function Level Authorization Broken Function Level Authorization
API6:2019 Mass Assignment Mass Assignment
API7:2019 Security Misconfiguration Security Misconfiguration
API8:2019 Injection Injection
API9:2019 Improper Assets Management Improper Assets Management
API10:2019 Insufficient Logging & Monitoring Insufficient Logging & Monitoring
GLS Logo
OWASP Top 10 – 2021
ID Topic Covered in SecureDev Modules Programming Languages Available
A01:2021 Broken Access Control Vertical Privilege Escalation Horizontal Privilege Escalation JAVA, C#, Python (Django), Python (Flask), Node.js, GO, PHP, Ruby on Rails, Scala, Kotlin
A02:2021 Cryptographic Failures Weak Randomness
A03:2021 Injection SQL Injection Command Injection Header Injection XML Injection
A04:2021 Insecure Design User Enumeration
A05:2021 Security Misconfiguration Leftover Debug Code
A06:2021 Broken Access Control Vertical Privilege Escalation Horizontal Privilege Escalation
A07:2021 Vulnerable and Outdated Components Session Fixation Forced Browsing
A08:2021 Software and Data Integrity Failures Reflected XSS
Forced Browsing
Stored Cross-Site Scripting
Insecure URL Redirect
Clickjacking
Directory Traversal
DOM XSS
Cross-site Request Forgery
A09:2021 Security Logging and Monitoring Failures PII Data in URL
Token Exposure in URL
A10:2021 Server-Side Request Forgery (SSRF) Server-Side Request Forgery
GLS Logo

Your download is complete!

Need more training?