All organisations hold sensitive data that their customers, business partners, regulators, shareholders and board of directors expect to be protected. Despite this, high-profile security breaches involving personal and corporate data loss, leakage and the
“Can the recent data losses happen in my organisation?”
“How can we ensure the security of our customers’ information?”
“How can we determine if we currently have the right safeguards in place?”
“Are the risks related to third parties identified and addressed?”
“Can our corporate databases be inappropriately accessed?”
We have identified 10 key steps that we can help you work through to reduce your exposure to critical risks and potential damage to your organisation.
1. Executive sponsorship
Identification of executive sponsorship is the first step. Without senior executive buy-in it is hard for any individual data-protection officer to create a culture of compliance. Together with the data-protection officer, the executive sponsor should agree an overall data-protection strategy including a clear vision and set of objectives.
2. Data inventory
Understand where your data is, both manual and electronic files. Data-flow diagrams should be prepared to detail where the data is collected, how it is stored, how it is used, with whom it is shared, how it is maintained and how it is disposed of.
3. Requirements definition
This will include identification of the requirements of all jurisdictions within which the organisation operates. Despite similarities that exist among various privacy models, there are fundamental regional differences.
With the increased trend to outsource processing, significant consideration must be given to the legal and regulatory requirements in relation to transfer of sensitive data outside the organisation or country.
Additionally, transferring data to a third party or outsourcing partner does not remove your responsibilities. Consideration should be given to European Union passport, US Safe Harbour or other international arrangements when operating in a global environment.
4. Risk analysis
Key risks facing your business should be identified in order to develop an appropriate policy and set of detailed procedures. Data-protection requirements have an impact throughout the business. The requirements will have an impact on technology solutions in relation to processing and security of data.
5. Data protection policy
The organisation’s desire to maintain a compliant culture should be documented in the data-protection policy. This should include details of the roles and responsibilities in relation to data protection within the organisation, for example the name of the data-protection officer. It will also include policy on other activities within the organisation such as direct marketing, information security, clear desk policy, and training.
6. Data protection procedures
Finding the balance between business needs and data-protection requirements may be difficult because of opposing forces. For example, data for direct marketing is a useful tool to increase business but there are strict requirements in relation to cold-calling customers and use of existing personal details. Detailed procedures are needed to ensure compliance with the requirements and may include marketing procedures, data retention and destruction procedures, procedures for data access requests, and breach and reporting processes.
7. Data management controls
To ensure compliance with operational procedures, controls should be implemented. To assess the control requirements, the following steps should be completed:
- Analyse business processes.
- Identify the controls necessary.
- Identify and design common controls and templates.
Many business processes will suit similar controls, for example data input and access controls. This analysis should include security aspects from both an internal and an external perspective to safeguard sensitive data through the lifecycle within the organisation.
8. Technology enabled tools
With large volumes of data processed within an organisation’s information-technology environment, there is a large volume of possible outlets to transfer confidential data inappropriately, which may result in a breach of legislation. All organisations should not only ensure adequate access controls but should consider the use of technology-enabled tools such as a data-monitoring tool. This will monitor the movement of data throughout the organisation, for example data printouts and screen scrapes.
9. Staff training and awareness
There is no point in having all the documentation if nobody knows about it. It is absolutely vital that all staff are aware of the requirements in relation to working with sensitive data. Training must be appropriate to the end user, accessible and within budget.
10. Ongoing monitoring
To ensure ongoing compliance with policy and procedures, data protection should be included in the annual risk-based monitoring plan. This should include the assessment of the security of sensitive data, staff awareness of data-protection requirements, review of the breaches register and review of data access requests.
Primarily the business driver must be about protecting data and protecting your business.
This article is an excerpt from a Deloitte publication called “10 Practical Steps to Data Protection”.