How do organizational best practices help minimize risk to an organization’s confidential data?

It seems there is no end to the steady stream of high-profile data breaches. In the first six months of 2022 alone, everyone from government entities like the Texas Department of Insurance to healthcare providers such as Kaiser Permanente and companies like Crypto.com has been affected. It’s no wonder regulators are doubling down on security and privacy issues and working to develop new directives. As a result, many technical leaders and executives are taking a closer look at how they handle data security and privacy procedures within their organizations. Protecting information stored within your organization that can identify employees, customers, clients, or business partners is critical. That data is likely used to conduct daily operations, making it immeasurably valuable. However, it is also incredibly vulnerable to identity theft and fraud, leaving companies of all kinds at risk, especially given evolving data privacy legislation.

For example, the General Data Protection Regulation (GDPR) is the most widely recognized global privacy law. Created in the EU, it holds companies accountable for protecting personally identifiable information, which can include data such as financial details, healthcare records, government-issued ID details, and even criminal history. While the legislation was designed to protect the data of European residents, it applies to any global company that handles the personal data of residents of EU countries.

Are you collecting data on your website from individuals in the European Union? Marketing products in that region? Then you must comply with GDPR; otherwise, you will be facing the potential for significant fines and penalties.

Given the heightened attention to GDPR and to other data privacy regulations emerging in North America, such as the California Consumer Privacy Act, companies need to know how to implement data protection and privacy best practices from the start, before a breach and before a hefty fine for non-compliance. Here are five tips to prioritize data privacy and help your company protect the personal information collected, stored, and transmitted as part of operations:

1. Take Inventory of Your Data 

The foundation of a security and privacy program is an inventory of data and system assets, together with data-flow maps. The inventory should record the types of data collected, where they are stored and transmitted, and which third parties can access them. The maps help teams understand this flow of data.

During this process, take stock of servers, devices, and cloud services used to collect, store, and transmit data. Include information being stored on mobile devices and personal devices, including PC hard drives and flash drives. This is key in meeting subject data requirements, identifying employee-related risks and training opportunities, and ensuring proper data security management. 

2. Minimize the Data You Keep

Less data means less opportunity for the bad guys. Limit data collection and retention to only the minimum necessary for the intended purposes. Any personally identifiable information should be retained only for as long as needed to complete the intended tasks. A best practice at the onset of data collection is to collect only the required information. If personal information that has already been collected is not essential to the intended purpose, scrub the data sets to remove those fields.

Retaining personal data for longer periods of time also increases the impact of a data breach if and when an incident occurs. By minimizing the amount of data stored, we reduce the risk of personal information theft and fraud. Deploying methods to anonymize the data properly can further curtail the risk.
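The minimization, retention, and anonymization steps above can be enforced in code rather than left to manual clean-up. The following is an added illustration, not code from the article: it assumes a constructed per-purpose policy (an allow-list of required fields, a retention window, and which identifiers to pseudonymize with a keyed hash) and a constructed sample data set.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed policy for one processing purpose: the fields the purpose actually needs,
# how long records may be kept, and which kept fields are direct identifiers.
POLICY = {
    "order_fulfilment": {
        "required": {"order_id", "email", "shipping_address", "collected_at"},
        "retention": timedelta(days=90),
        "pseudonymize": {"email"},
    }
}
# Constructed key; a real deployment loads it from a secrets store, never from source.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymize(value: str) -> str:
    """Keyed hash: records stay linkable for analytics, but the original identifier
    cannot be recovered from the stored value without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: dict, purpose: str, now: datetime):
    """Return (kept_record, scrubbed_fields). kept_record is None when the record is
    past its retention window and must be deleted rather than stored."""
    rule = POLICY[purpose]
    collected = datetime.fromisoformat(record["collected_at"])
    if now - collected > rule["retention"]:
        return None, set(record)  # whole record is scrubbed
    kept = {k: v for k, v in record.items() if k in rule["required"]}
    for field in rule["pseudonymize"] & set(kept):
        kept[field] = pseudonymize(kept[field])
    return kept, set(record) - set(kept)


def minimize_dataset(records, purpose: str, now: datetime):
    """Apply the policy to a batch; returns (reduced records, deleted count, scrubbed fields)."""
    kept_records, deleted, scrubbed = [], 0, set()
    for rec in records:
        kept, removed = minimize_record(rec, purpose, now)
        if kept is None:
            deleted += 1
        else:
            kept_records.append(kept)
        scrubbed |= removed
    return kept_records, deleted, scrubbed


# Constructed sample: a fresh order with an over-collected field, and an expired order.
SAMPLE = [
    {"order_id": "A1", "email": "ann@example.com", "shipping_address": "1 Main St",
     "date_of_birth": "1990-01-01", "collected_at": "2022-06-01T00:00:00+00:00"},
    {"order_id": "B2", "email": "bob@example.com", "shipping_address": "2 Oak Ave",
     "collected_at": "2022-01-01T00:00:00+00:00"},
]
NOW = datetime(2022, 6, 30, tzinfo=timezone.utc)
```

Run `minimize_dataset(SAMPLE, "order_fulfilment", NOW)` to see the over-collected date of birth dropped, the expired record deleted, and the e-mail replaced by its pseudonym.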

3. Safeguard Data with a Trifecta of Controls 

Implement a trifecta of physical, technical, and administrative controls to safeguard personal information. These safeguards are meant to reduce the risk of data damage, loss, or alteration as well as minimize the risk of unauthorized access. 

It may seem unthinkable, but a simple compromise can start at the ground level with physical access. These breaches often involve unauthorized access to stored documents; perhaps files were left in an unlocked cabinet or accidentally left on a printer. Alternatively, a dishonest employee may have found a way to watch how other team members enter their passwords into key systems to gain access. Furthermore, Mother Nature can play a role here too, as the integrity of the physical infrastructure can be compromised following a natural disaster.

Physical controls are put in place to limit these risks. Simple yet effective strategies include:

  • storing physical drives and documents in locked cabinets or storerooms, 
  • training employees to keep their computers locked as often as possible, and 
  • creating access restrictions for employees across different locations.  

To implement technical controls, consider deploying software and other technologies that provide encryption and multi-factor authentication to mitigate risks. Finally, implement administrative controls that leverage policies, procedures, and employee training to ensure best practices are being followed.

4. Don’t Make Your Data “Trash” Someone’s Treasure 

The adage “one person’s trash is another’s treasure” absolutely holds true for information security in terms of identity theft and infiltration of data. As such, it is important to ensure that personally identifiable and protected information is stored securely, retention periods comply with regulations, and the data is disposed of properly.  

Conduct proper disposal of physical copies of personal and protected data. Ensure regulatory requirements for the disposal of certain types of protected data are met. In addition, wipe data from devices, flash drives, and hard drives prior to disposal. And don’t forget about any PC that is undergoing refurbishment. Those devices must also be wiped and overwritten to prevent old files from being recovered. 

5. Get Proactive and Get a Plan

Data breaches are costly on several fronts: financial, reputational, consumer trust, and so on. To help mitigate these costs, ensure you have an incident response plan in place. Assign a senior staff member to coordinate response efforts, with a backup point of contact, and keep a written document that outlines the contingency plan to ensure operations are maintained. Employees should also have designated, documented roles and responsibilities. A strategic incident response is important to respond swiftly, reduce the impact on your business operations, and mitigate the risk of additional losses.

As regulations continue to evolve and security threats increase in volume and complexity, organizations need to be proactive. Prioritizing information security and privacy programs, processes, and procedures to safeguard data throughout the organization and its lifecycle is paramount. By employing these data privacy best practices, your organization can reduce the risks to your business. 

How do you think organizations can create data privacy best practices? Let us know on Facebook, Twitter, and LinkedIn. We’d love to hear from you.
