Data Protection: What It Is and How to Create an Effective Strategy

One of your primary goals should be protecting your company’s data. It is not just about avoiding data breach penalties and fines — it’s about protecting your company’s proprietary information, enabling effective data sharing and providing the privacy and security your customers deserve.

The General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the U.S. are some of the world's primary consumer privacy regulations, and more than a dozen U.S. states have pending or passed data privacy or protection legislation. If you're in a regulated industry like manufacturing or government contracting — and even education — you know the hefty regulations and data protection requirements that come with your day-to-day data management. 

Your data protection strategy needs to not only protect data, but also ensure you're making the most of the insights your data can provide: Think of it like playing defense and offense. Let’s get a bit deeper into the subject to learn more about what data protection is and how to build a strategy for your company.  

What is data protection?

Data protection is safeguarding information from breaches, leakage, loss, or corruption. A data protection strategy encompasses two key components: accessibility of data and managing the data itself.

• Data accessibility. Data accessibility ensures team members can access, use, and derive value from data in order to get their jobs done.
• Data management. Protecting the data includes processes to move critical data for both online and offline storage in a secure manner. It also includes lifecycle management to protect data from corruption, breaches, and attacks; hardware or software failures; or from loss due to natural disasters.

The benefits of data protection

Protecting data — especially at scale — takes a lot of planning and resources, but it provides significant benefits and ultimately ensures your business remains viable.

When it comes to customer data, your clients care about how you are treating their personal information. Demonstrating that you are providing proper stewardship of this data can improve your relationship and build customer loyalty.  A recent study revealed that 97% of consumers say they are somewhat or very concerned about the protection and privacy of their data. Your data protection strategies can give your customers confidence that you are respecting their privacy and handling their data correctly. 

A robust data protection plan improves overall data security and protects company assets. It can help prevent data breaches and data leaks. It can protect you in case of a natural disaster and aid in disaster recovery.

In addition, it can protect and improve your brand value. In a study by Deloitte, 87% of executives recognized reputation risk as one of the most important strategic business challenges they face. A public breach can undermine the value. That’s one of the key reasons CEOs and senior organizational leaders need to be part of the execution of your data protection plans. Damage to your brand can hurt your bottom line. The same study by Deloitte said 41% of companies that experienced a “negative reputation event” reported the loss of revenue and brand equity. A proactive data protection strategy helps protect your brand’s value.

How to create a data protection strategy?

While your data protection should certainly take into account compliance with laws such as GDPR and CCPA, it goes farther than that. Your data protection strategy will serve as a framework for how your business operates and how it respects your company’s data and customer data. Use our data sharing calculator to see how much sensitive data you’re sharing and how to better protect it. As such, it is not just about meeting the minimum levels of compliance, it is about creating a secure infrastructure and the guiding principles that will govern your business now and in the future.

Using this 7-step approach you will be able to create and maintain a data protection strategy for your company. 

1. Ensure key stakeholders are on board.
2. Take an inventory of all available data.
3. Perform a risk analysis. 
4. Set your data protection standards. 
5. Develop a data protection policy.
6. Create specific data protection procedures. 
7. Teach and monitor your data protection strategy within your company. 

1. Ensure key stakeholders are on board

The first step in creating a data protection strategy may be the most important of all, ensure key stakeholders are bought in and engaged. Data protection is no longer the domain of only IT and infosec departments. To protect your company, you need to have executives in the loop. Their support will be crucial when it comes to compliance throughout the company. 

One of the most important aspects of any business is its customers. When company executives play a role in your data protection strategy, it’s more likely your company will see compliance from team members, which in turn trickles down to your customer’s data. Customers will trust your brand more when you ensure their data is protected, which in turn boosts your company's reputation. 

Data protection needs to be woven into an organization's culture and processes. It's not just IT policy. 

2. Take an inventory of all available data

A data inventory needs to encompass all information that is stored or processed by your organization. To adequately protect your data, you must first know what data is collected, where it is being stored, what it is being used for, and how it is shared.

You may be surprised how much sensitive information can reside in the various parts of your business. In our Cross-Department Data Protection Checklist, we break down the departments of a typical organization and highlight some of the sensitive data you should be looking for — and making a plan to protect. 

Companies may find it useful to create a data map that shows the complex ways data travels through their systems. Most companies now store data locally; in public, private, and/or hybrid clouds; and have data that is accessible for third-party SaaS applications or providers — tools like Salesforce, Confluence, and Zendesk.

It's critical that you do not overlook unstructured data here: Data shared externally via email, file sharing, and SaaS apps. Unstructured data can account for nearly 80% of your data, and it can include significant amounts of sensitive information. 

Managing this data governance is a must and should take into account each of these data sharing vectors. Keep in mind that your company is responsible for what happens to your data downstream in third-party apps and beyond.

3. Perform a risk analysis

Some legislation requires you to conduct a thorough risk analysis and take steps to mitigate the risks identified. This is the smart and right thing to do. It underlies organizational accountability and is necessary to uncover deficiencies and potential threat points.

Think of your infrastructure as a giant spider web with pathways flowing in many directions. Your data moves across these pathways and take various routes to its destination. Each strand of the web provides a potential problem area and must be assessed individually for risk. It can be a time-consuming process. You are responsible for the protection of your data within your environment, and that includes your data that is shared outside of your environment. That also includes what happens to data that is in the hands of cloud providers or third parties that have access to your data.

Conducting a proactive risk analysis is required under GDPR and the CPPA. Beyond that, doing a thorough data inventory and risk analysis is necessary to use as the underpinning for your data protection policy, so your policies align to your existing data workflows.

4. Understand data protection standards

To develop a data protection policy, it’s vital to understand what standards you’re going to use to measure compliance. In addition to government regulations, many companies have their own internal governance rules. There are also other legal requirements that may impact how you create your data protection policy, including components of:

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Cybersecurity Maturity Model Certification (CMMC)
• Sarbanes-Oxley (SOX)
• Federal Information Security Management Act (FISMA)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Gramm-Leach-Bliley Act (GLBA)
• Children’s Online Privacy Protection Rule (COPPA)
• Criminal Justice Information Services (CJIS)
• International Traffic in Arms Regulations (ITAR)
• Family Educational Rights and Privacy Act (FERPA)

Depending on your industry, your organization may also need to follow requirements for the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Cybersecurity Maturity Model Certification (CMMC) standards.

The list of regulations will continue to grow and depending on your industry and the kinds of data you handle. There are also additional industry-specific and location-specific regulations you may need to comply with. Keeping your organization in compliance with the appropriate regulations and building an effective data protection policy takes a careful examination. Creating a formal data protection policy can help you stay in compliance.

5. Develop a data protection policy

Once you have completed your data audit, risk analysis, and identified which regulations and policies you are subject to, it is time to build your data protection policy. You may want to think about this in the way you would think about a company’s mission statement. The data protection policy will start with a broad overview of your company’s principles regarding data protection and the expectations for how data will be treated throughout the organization.

Your data protection policy should also list basic data protection rules along with a clear definition of roles and responsibilities within the organization. Data protection is everyone's job, so it's important that the policy is clear and easy to understand — and that your employees will have the tools to easily and successfully implement your policy. 

You may also need to identify a Data Protection Officer (DPO) within your organization. GDPR requires a designated Chief Privacy Officer (CPO) in each company who is responsible for overseeing data protection strategies, implementation, and compliance. CCPA does not require naming a DPO, but most companies designate someone in their leadership group that acts in the role regardless of the title they hold.

6. Create specific data protection procedures

Your data protection policy is the overview, and your data protection procedures are where you get more granular. These will detail the strategic ways you will treat data at every level to establish how you will comply with data protection laws, industry regulations, and company policies.

Your data protection procedures should include items such as:

• Data handling and processing procedures
• Employee policies and procedures
• Employee tools to achieve secure data exchange in existing workflows
• Monitoring and tracking data
• Mechanisms for auditing and tracking compliance
• Breach response and crisis management plans
• Data recovery procedures

Your data protection procedures will need to account for specific ways you will practice data loss prevention (DLP).  This includes controlling the flow of data and making sure its use is controlled, approve, and monitored.  It should also include threat detection to avoid breaches. If you are audited or investigated for compliance, your data protection policies and procedures will be examined to see if you are following the guidelines you established.

In today’s business environment, these policies and procedures also need to take into account the prevalence of remote workers’ and employees’ personal devices. The Bring Your Own Device (BYOD) movement and the number of employees accessing company resources using mobile devices has increased the complexity of data security. 

Virtru’s Data Protection Checklist can serve as a resource for building your protection, security, and privacy framework.

7. Train your team, consistently reinforce good data sharing practices, and monitor your data protection strategy

After building your data protection policy and procedures, it’s time to put these into motion. This means creating the systems and setting up policies within your software that govern how data is collected, stored, and accessed. It’s important to communicate your policies and procedures to team members ensuring they understand and implement them effectively. 

It’s crucial that your company can monitor compliance. Include automated triggers within your system that flag things, such as unauthorized access or sharing, along with manual reviews for logs and spot checks for employee compliance.

Conclusion

Companies are hearing the message. According to IDG, more than a third of CIOs report security as the number one driver of IT spending at their organization. There is no doubt that all of those surveyed would say data protection is crucial to business operations.

When considering your data protection strategy, protect your company, employees, customers, and yourself by taking a proactive approach. Powerful tools ensure you stay ahead of compliance, governance, and data regulations that are constantly evolving.  

Virtru end-to-end encryption allows you to easily protect your data wherever it is created or shared. No matter where you are on your cloud journey, with Virtru, you can: 

• Take control of the data your teams share externally, via email, file sharing platforms, and SaaS apps
• Easily secure your data throughout its lifecycle, with tools that are simple to deploy and use
• Collaborate with confidence while maintaining full visibility and control

Book a demo with our team to see how Virtru’s end-to-end encryption can help safeguard your data so that you can share it with confidence while maintaining compliance.