All organizations have data, such as personnel files, customer data, product information, financial transactions, etc. Most, if not all, decisions made by management are based on this data, including the work processes followed by employees to deliver quality products and services.
In effect, data is one of the most valuable assets an organization possesses. Thus, data protection should be a top priority for any company. This includes safeguarding the availability of the data to employees who need it, the integrity of the data (keeping it correct and up to date) and the confidentiality of the data (the assurance that it is available only to people who are authorized to access it).
The General Data Protection Regulation (GDPR), implemented in May 2018 by the European Union to ensure data protection and privacy for all individual citizens of the European Union and the European Economic Area, and quickly being adopted by North American companies, added another layer of importance to data security, making it not only a business requirement but also a legal requirement. The GDPR requires a controller to ‘implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.’ An important part of those measures is security awareness training: employees need to be aware of the importance of following the data security procedures and processes.
Preparing for a Data Breach
In today’s threat landscape, organizations need to handle security incidents and events with a well-documented strategy and process. It also helps to practice handling data breaches in a team environment during regular security exercises. These exercises help teams measure and improve the ability to handle security incidents and data breaches in the future.
‘Privacy by Design’
Taking a ‘privacy by design’ approach to security requires that organizations approach security projects by including privacy and data protection from the outset. Leveraging this approach helps organizations when complying with global data privacy regulations. Organizations may incorporate ‘privacy by design’ when:
- Adopting any new IT infrastructure that stores or processes personal data;
- Implementing new security policies or strategies;
- Sharing any data with third parties or customers; and
- Utilizing data for analytical purposes.
By incorporating ‘privacy by design,’ organizations reduce the risk of data loss. Designing projects, processes, and systems with privacy in mind helps organizations identify problems early on and raises the level of awareness of privacy concerns in the organization.
Conducting a Privacy Impact Assessment (PIA)
A PIA is a beneficial tool used to identify and reduce the risk of poor privacy practices in an organization. These assessments reduce the risk of mishandling personal data.
Key stakeholders take part in PIA interviews, which identify potential privacy problems and produce recommendations on how to address them. Ultimately, a PIA helps an organization and its security team develop better policies and systems for handling sensitive personal data.
Ability to Measure and Demonstrate Compliance with Global Data Privacy Regulations
Demonstrating compliance with global data privacy regulations is a long-term outcome of implementing the right privacy and security controls with people, processes, governance and technology. It requires a steadfast approach to each of these areas.
Unfortunately, managing data privacy can’t be treated as a simple exercise. Global data privacy regulations are often loosely structured and can be interpreted in many ways. There’s no defined standard of security controls on how an organization should handle personal data and privacy. Managing data privacy is about creating a comprehensive governance framework that is suited to each individual organization.
Identifying and Inventorying Data Assets and Processes
If an organization is not aware of the data assets it holds, it is difficult to assess the impact a breach of that data would have. Decision makers in an organization should identify and confirm with key stakeholders what data the organization stores or processes. This can be done via interviews that determine where the organization’s data repositories reside.
Scanning the company’s entire network for data in these areas will help to assess and categorize what data could be impacted by a breach. This data mapping exercise can also help categorize data according to sensitivity.
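The data mapping exercise described above, as an added example that is not part of the original article or of Litcom’s services: a small discovery scanner that walks a set of repositories, counts the personal-data types it finds (e-mail addresses, phone numbers, payment card numbers) and labels each location with the highest sensitivity tier found. The file contents, the retention categories and the tier names are constructed for the example; the repositories are modelled as an in-memory dict rather than a mounted share, and the detection patterns are deliberately simple (a production scanner would add locale-specific formats and more validation). The Luhn checksum is applied to card-number candidates so that arbitrary 16-digit strings such as order references do not inflate the inventory.

```python
import re
from dataclasses import dataclass, field

# Detectors for common personal-data types (constructed, intentionally simple patterns).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),      # North American style only
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),          # candidate runs of 13-16 digits
}

# Sensitivity tier per data type; the highest tier present decides the location's label.
SENSITIVITY = {"card_number": "restricted", "email": "confidential", "phone": "confidential"}
TIER_RANK = {"public": 0, "confidential": 1, "restricted": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to drop card-number candidates that cannot be real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    sensitivity: str
    counts: dict = field(default_factory=dict)   # data type -> number of hits


def classify_text(text: str) -> dict:
    """Return a count of each personal-data type found in one document."""
    counts = {}
    for name, pattern in DETECTORS.items():
        hits = pattern.findall(text)
        if name == "card_number":
            hits = [h for h in hits if luhn_valid(re.sub(r"\D", "", h))]
        if hits:
            counts[name] = len(hits)
    return counts


def scan_repository(files: dict) -> list:
    """Map every location to a Finding; files is {path: text} (stands in for a network share)."""
    findings = []
    for path, text in files.items():
        counts = classify_text(text)
        tier = "public"
        for name in counts:
            if TIER_RANK[SENSITIVITY[name]] > TIER_RANK[tier]:
                tier = SENSITIVITY[name]
        findings.append(Finding(path, tier, counts))
    return findings


def inventory_summary(findings: list) -> dict:
    """Number of locations per sensitivity tier, the headline figure for a data inventory."""
    summary = {tier: 0 for tier in TIER_RANK}
    for f in findings:
        summary[f.sensitivity] += 1
    return summary


# Constructed sample repository: four locations, one of which only looks like it holds card data.
SAMPLE_FILES = {
    "hr/staff.csv": "name,email,phone\nAda Lovelace,ada@example.com,555-010-1234\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved\n",
    "docs/readme.txt": "Internal project overview, no personal data here.\n",
    "logs/order-ids.txt": "order ref 1234 5678 9012 3456 (not a card)\n",
}

if __name__ == "__main__":
    results = scan_repository(SAMPLE_FILES)
    for f in results:
        print(f"{f.sensitivity:12} {f.path:24} {f.counts}")
    print(inventory_summary(results))
```

The per-location counts feed the inventory interviews (who owns `hr/staff.csv`, why does `finance/refunds.txt` hold full card numbers), and the tier label is what later drives retention, access control and breach-impact assessment.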
Setting Up Processes and Resources in Place to Support Data Access Requests
Under the GDPR legislation, individuals can now request access to their data, find out whether their data is being processed, and request a transfer of their data to another system. A mechanism should be put in place to retrieve all of an individual’s data and securely transfer it to that individual.
This information must be provided free of charge and without “undue delay.” Some firms may need an appointed Data Protection Officer while others will need someone that can simply handle these requests.
Appointing a Data Protection Officer
Organizations need to determine who will handle data access and deletion requests. Under the GDPR specifically, an organization may need to appoint a Data Protection Officer (DPO) who handles these requests and communicates with EU supervisory authorities directly. A DPO helps the organization monitor GDPR compliance, advises on data protection obligations and on Data Protection Impact Assessments (DPIAs), and acts as a point of contact for the supervisory authorities and data subjects.
Under the GDPR, there are three situations that mandate the appointment of a DPO:
- A public authority is processing personal data;
- A controller or processor conducts regular and systematic data processing on a large scale; and
- A controller or processor conducts large-scale processing of sensitive data.
Whether processing of personal data counts as large-scale depends on the number of data subjects, the volume of data, the duration of processing, and the geographical extent of processing. It is also worth noting that a DPO can be appointed internally or sourced externally.
Capturing Data - The Right Level of Consent
With new global data privacy laws, organizations need to take an in-depth look at how they acquire personal data of all types. This even includes basic personal data such as first and last name. Any personally identifiable information could be used by threat actors to compromise a company’s network. And, under global data privacy laws, organizations can be fined heavily for a data breach with significant impact to individual data subjects.
Data Retention Policies
A data retention schedule (or records retention schedule) is another document or mechanism an organization needs in order to safeguard personal data. The retention schedule defines how the organization aligns with legal and compliance recordkeeping requirements: it states how long each kind of data record is kept on file and when it is disposed of in a controlled manner. The data retention schedule also informs employees of the appropriate methods for destroying or deleting data that has passed its retention period.
Destroying or Deleting Data
Once a company has defined its data retention schedule and knows when data records can be deleted, it then needs to understand how data should be properly deleted or destroyed. Employees need to know how and when to destroy or delete data. An organization’s security team should also follow an industry standard for sanitizing and clearing storage devices.
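The retention-schedule and disposal steps from the two sections above, as an added example that is not part of the original article: a constructed schedule maps record categories to retention periods, `records_due` selects what has passed its period on a given date, and `dispose_expired` overwrites and deletes each due file while appending an audit entry (the evidence an annual audit asks for). The categories, periods and sample files are constructed for the example. The overwrite step corresponds to a single-pass "clear" in NIST SP 800-88 terms and is only meaningful for magnetic media; for flash, SSD and cloud storage the controller or provider's sanitize facility (or cryptographic erase of the volume key) is the appropriate standard method, which this code does not attempt.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: record category -> days kept after creation.
RETENTION_DAYS = {
    "recruitment_application": 180,
    "customer_invoice": 365 * 7,
    "marketing_consent": 365 * 2,
}


@dataclass
class Record:
    path: str
    category: str
    created: date


def disposal_date(record: Record) -> date:
    """Earliest date on which the record may be destroyed under the schedule."""
    return record.created + timedelta(days=RETENTION_DAYS[record.category])


def records_due(records: list, today: date) -> list:
    """Records whose retention period has elapsed as of `today`."""
    return [r for r in records if disposal_date(r) <= today]


def overwrite_and_delete(path: str, passes: int = 1) -> None:
    """Overwrite the file's bytes in place, sync to disk, then unlink it.
    Single-pass overwrite only (NIST SP 800-88 'clear' on magnetic media); see lead-in for SSD/cloud."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(b"\x00" * size)
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)


def dispose_expired(records: list, today: date, audit_log: list) -> list:
    """Destroy every due record and append (path, category, disposal_date) to the audit log."""
    disposed = []
    for r in records_due(records, today):
        overwrite_and_delete(r.path)
        entry = (r.path, r.category, disposal_date(r).isoformat())
        audit_log.append(entry)
        disposed.append(entry)
    return disposed


def run_demo(today: date = date(2024, 1, 15)) -> dict:
    """Create three constructed records in a temp directory and run the disposal pass."""
    workdir = tempfile.mkdtemp(prefix="retention_demo_")
    records = []
    for name, category, created in [
        ("cv-0001.txt", "recruitment_application", date(2023, 3, 1)),   # due 2023-08-28
        ("inv-2020.txt", "customer_invoice", date(2020, 6, 1)),        # due in 2027, kept
        ("consent-7.txt", "marketing_consent", date(2021, 12, 1)),     # due 2023-12-01
    ]:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
        records.append(Record(path, category, created))

    audit = []
    disposed = dispose_expired(records, today, audit)
    remaining = [os.path.basename(r.path) for r in records if os.path.exists(r.path)]
    shutil.rmtree(workdir)
    return {
        "disposed": [os.path.basename(p) for p, _, _ in disposed],
        "remaining": remaining,
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Keeping the schedule as data rather than hard-coded conditions means the annual review of retention periods changes one table, and the audit log records which schedule entry justified each deletion.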
Regular Audit Processes
At least once per year, an organization’s security team (or an outside third party if the organization does not have its own team) should evaluate the organization’s data retention schedule and determine if it aligns with legal and regulatory requirements for its industry.
Regularly Reviewing and Monitoring Applicable Security Controls for Securing Data
An organization’s security team should be in lockstep with the organization in setting up security controls to protect and secure personal data. Much like the review of its data audits, the security team should be responsible for regularly reviewing the security controls in place to secure data. These controls include anti-malware, Security Information and Event Management (SIEM) and log management, endpoint protection solutions, encryption, data masking, and any other applicable security tool or technology responsible for securing data and detecting data breaches.
It would also be beneficial for the security team to regularly review how the organization’s security practices stack up against an industry best practice standard, e.g., NIST, SANS, ISO, COBIT, etc.
Setting Up Appropriate Incident Management Procedures to Handle a Security Incident
Once a security incident has been detected, it is all the more important that thorough triage, breach reporting, containment, and threat eradication take place. An incident response plan clarifies the course of action when handling security incidents.
Global data privacy law now mandates that organizations implement a mechanism to ensure ongoing confidentiality, availability, and resilience of data processing. Therefore, incident response is a means of protecting personal data across all these areas. Hackers will try all avenues to reach sensitive personal data. A data breach involving any personal data that results in destruction, alteration or unauthorized disclosure could put organizations at risk.
With the growing adoption of cloud services and mobile devices, organizations are challenged to keep track of business-critical data, while providing adequate protection and privacy safeguards. No matter where you are, or how big your organization, Litcom’s Data Protection and Privacy services can help you protect critical information and processes while keeping your operations flexible, efficient and responsive.
Contact us today for more information.