In 2020, one of your primary goals should be protecting your company’s data. It is not just about avoiding data breach penalties and fines, it’s about protecting your company’s proprietary data, and providing the data security your customers deserve. The introduction of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the U.S. are a start to data protection. More than a dozen states have pending or passed data privacy or protection legislation and national data privacy regulations have been introduced in Congress.
It’s important to take proactive steps to provide your organization with the most robust data protection solutions you can deliver. Your data protection strategy needs to include strategic ways to safeguard your data while providing an efficient pathway for business continuity in case of a problem.
Let’s get a bit deeper into the subject to learn more about what data protection is and how to build a strategy for your company.
What is data protection?
Data protection is safeguarding information from breaches, leakage, loss, or corruption. A data protection strategy encompasses two key components: both the accessibility of the data and managing the data itself.
- Data accessibility. Data accessibility ensures team members can access and use the data they need to conduct business even if it is corrupted or lost.
- Data management. Protecting the data includes processes to move critical data for both online and offline storage in a secure manner. It also includes lifecycle management to protect data from errors, corruption, breaches and attacks, hardware or software failures, or in case of natural disasters.
The benefits of data protection
Protecting your data takes hard work and being proactive, but it will provide significant benefits.
Your customers care about how you are treating their personal information. Demonstrating that you are providing proper stewardship of this data can improve your relationship and build customer loyalty. A recent study revealed that 97% of consumers say they are somewhat or very concerned about the protection and privacy of their data. Your data protection strategies can give your customers confidence that you are respecting their privacy and handling their data correctly.
A robust data protection plan improves overall data security and protects company assets. It can help prevent data breaches and data leaks. It can protect you in case of a natural disaster and aid in disaster recovery.
In addition, it can protect and improve your brand value. In a study by Deloitte, 87% of executives recognized reputation risk as one of the most important strategic business challenges they face. A public breach can undermine the value. That’s one of the key reasons CEO and top leadership members need to be part of the execution of your data protection plans. Damage to your brand can hurt your bottom line. The same study by Deloitte said 41% of companies that experienced a “negative reputation event” reported the loss of revenue and brand equity. A proactive data protection strategy helps protect your brand’s value.
How to create a data protection strategy?
While your data protection should certainly take into account compliance with laws such as GDPR and CCPA, it goes farther than that. Your data protection strategy will serve as a framework for how your business operates and how it respects your company’s data and customer data. As such, it is not just about meeting the minimum levels of compliance, it is about creating a secure infrastructure and the guiding principles that will govern your business now and in the future. Using this 7-step approach you will be able to create and maintain a data protection strategy for your company.
- Ensure key stakeholders are on board.
- Take an inventory of all available data.
- Perform a risk analysis.
- Set your data protection standards.
- Develop a data protection policy.
- Create specific data protection procedures.
- Teach and monitor your data protection strategy within your company.
1. Ensure key stakeholders are on board
The first step in creating a data protection strategy may be the most important of all, ensure key stakeholders are on board. Data protection is no longer the domain of only IT folks. To protect your company, you need to have executives in the loop. Their support will be crucial when it comes to compliance throughout the company.
One of the most important aspects of any business is its customers. When company executives play a role in your data protection strategy, it’s more likely your company will see compliance from team members, which in turn trickles down to your customer’s data. Customers will trust your brand more when you ensure their data is protected which in turn boosts your companies reputation.
Data protection needs to be an organization mandate and not just IT policy.
2. Take an inventory of all available data
A data inventory needs to encompass all information that is stored or processed by your organization. To adequately protect your data, you must first know what data is collected, where it is being stored, what it is being used for, and how it is shared.
Companies find it useful to create a data map that shows the complex way data travels through their systems. Most companies now store data locally, in public, private, and/or hybrid clouds, and have data that is accessible for third-party applications or providers. Managing this data governance is a must and should take into account each of connection. Keep in mind that your company is responsible for what happens to your data downstream in third-parties and beyond.
3. Perform a risk analysis
Under some legislation, a proactive approach to identifying risk and taking steps to mitigate it is required. In all circumstances, this is the smart and right thing to do. It underlies organizational accountability and is necessary to uncover deficiencies and potential threat points.
Think of your infrastructure as a giant spider web with pathways flowing in many directions. Your data moves across these pathways and take various routes to its destination. Each strand of the web provides a potential problem area and must be assessed individually for risk. It can be a time-consuming process. You are responsible for the protection of your data within your environment. That includes what happens to data that is in the hands of cloud providers or third parties that have access to your data.
Conducting a proactive risk analysis is required under the GDPR and the CPPA. Beyond that, doing a thorough data inventory and risk analysis is necessary to use as the underpinning for your data protection policy.
4. Understand data protection standards
To develop a data protection policy, it’s vital to understand what standards you’re going to use to measure compliance. In addition to government regulations, many companies have their own internal governance rules. There are also other legal requirements that may impact how you create your data protection policy, including components of:
- Health Insurance Portability and Accountability Act of 1996 (HIPPA)
- Sarbanes-Oxley (SOX)
- Federal Information Security Management Act (FISMA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Gramm-Leach-Bliley Act
- Children’s Online Privacy Protection Rule (COPPA)
- Criminal Justice Information Services (CJIS)
- International Traffic in Arms Regulations (ITAR)
- Family Educational Rights and Privacy Act (FERPA)
Your organization or industry may also need to follow requirements for the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Cybersecurity Maturity Model Certification (CMMC) standards.
The list of regulations will continue to grow and depending on your industry, there may be a few we haven’t listed here. Keeping your organization in compliance with the appropriate regulations and building an effective data protection policy takes a careful examination. Creating a formal data protection policy can help you stay in compliance.
5. Develop a data protection policy
Once you have completed your data audit, risk analysis, and identified which regulations and policies you are subject to, it is time to build your data protection policy. You may want to think about this in the way you would think about a company’s mission statement. The data protection policy will start with a broad overview of your company’s principles regarding data protection and the expectations for how data will be treated throughout the organization.
Your data protection policy should also list basic data privacy rules along with a clear definition of roles and responsibilities within the organization.
You may need to identify a Data Protection Officer (DPO) within your organization. GDPR requires a designated Chief Privacy Officer (CPO) in each company who is responsible for overseeing data protection strategies, implementation, and compliance. CCPA does not require naming a DPO, but most companies designate someone in their leadership group that acts in the role regardless of the title they hold.
6. Create specific data protection procedures
Your data protection policy is the overview and your data protection procedures are where you get more granular. These will detail the strategic ways you will treat data at every level to establish how you will comply with data protection laws, industry regulations, and company policies.
Your data protection procedures should include items such as:
- Data handling and processing procedures.
- Employee policies and procedures.
- Monitoring and tracking data.
- Mechanisms for auditing and tracking compliance.
- Breach response and crisis management.
- Data recovery procedures.
Your data protection procedures will need to account for specific ways you will practice data loss prevention (DLP). This includes controlling the flow of data and making sure its use is controlled, approve, and monitored. It should also include threat detection to avoid breaches. If you are audited or investigated for compliance, your data protection policies and procedures will be examined to see if you are following the guidelines you established.
In today’s business environment, these policies and procedures also need to take into account the prevalence of remote workers’ and employees’ personal devices. The Bring Your Own Device (BYOD) movement and the number of employees accessing company resources using mobile devices has increased the complexity of data security.
Virtru’s Data Protection Checklist may be of value to you as you build your data protection, security, and privacy framework.
7. Teach and monitor your data protection strategy within your company
After building your data protection policy and procedures, it’s time to put these into motion. This means creating the systems and setting up policies within your software that govern how data is collected, stored, and accessed. It’s important to communicate your policies and procedures to team members ensuring they understand and implement them effectively.
It’s crucial that your company can monitor compliance. Include automated triggers within your system that flag things, such as unauthorized access or sharing, along with manual reviews for logs and spot checks for employee compliance.
Companies are hearing the message. More than a third of CIOs report security as the number one driver of IT spending at their organization. There is no doubt that all of those surveyed would say data protection is crucial to business operations.
When considering your data protection strategy, protect your company, employees, customers, and yourself by taking a proactive approach. Powerful tools ensure you stay ahead of compliance, governance, and data regulations that are constantly evolving.
End-to-end encryption from Virtru allows you to easily protect your data wherever it is created or shared. No matter where you are on your cloud journey or whether you’re still working with distributed teams, with Virtru you can:
- Immediately take control of your data and enhance your existing security.
- Easily secure your data throughout its lifecycle, no matter where it is shared.
- Collaborate with confidence while maintaining full visibility and control.
Request a demo to see how Virtru’s end-to-end encryption can help safeguard your data so that you can share it with confidence throughout digital workflows while maintaining compliance.