Data is the gold that’s driving insight, innovation and improved efficiency within businesses. But with data proliferation comes an intensifying spotlight on data protection.
The spotlight on data isn’t new. Organisations have long been in the sights of both regulators and cyber-attackers because of the amount of personal and commercially sensitive information they hold. Clients and colleagues have also been looking to legal counsel for guidance on how to comply with increasingly exacting data protection legislation. However, they often overlook the role technology can play in understanding the organisational data landscape and how it can be used to protect data.
More recently, organisations’ vulnerability to data breaches and compliance lapses has been raised to a new level by societal changes such as hybrid working, geopolitical crises and increased regulatory scrutiny. The risks can be further heightened by the sharing of information across multiple managed service providers, something we explored in a previous blog, and by the blurring of home and office devices and data usage that has come with the move to hybrid working. As the rising incidence of cyber-attacks shows, sophisticated perpetrators are continually probing for weaknesses within these increasingly digitised organisations. In fact, our Global Economic Crime Survey shows that nearly 70% of organisations experiencing fraud reported that the most disruptive incident came via an external attack or collusion between external and internal sources, with ransomware being the most prolific threat.
Your data is only as secure as the weakest link in the chain.
So, how can your organisation equip its data protocols and controls for this changing risk landscape? Drawing on recent discussions and our experience, five priorities stand out:
Classify what data is public, internal, confidential or restricted. This can help inform your privacy impact assessment and provide a risk-focused approach to data management, control and lines of accountability.
Map what data you hold, where, what for and its level of sensitivity. The results can help you to identify and focus protection on the data at greatest risk, while eliminating duplicative and obsolete information.
Knowing your data can also improve your ability to respond in the event of a breach. This includes swiftly notifying affected clients and colleagues about what data has been compromised, the implications and what remedial action they can take. In turn, you can demonstrate to the regulator that you have clear visibility and proactive procedures in place.
From an ethical and privacy perspective, it’s important to challenge your business about why and how it uses data. What do you intend to use the information for and how long do you plan to keep it? Do you have more than you need? How easy is it for people sharing their information to know how it’s used and opt out if they prefer?
Build data protection into the design of systems and processes up-front rather than vetting at the end when weaknesses may be harder to detect and address.