Data Privacy Day is celebrated on 28th of January every year. It is a global event to remind us of our responsibilities as consumers and organizations to be aware of how we share, store and protect personal information. The new work-from-home norm and consumer contact tracing apps are 2020 solutions that further complicate how organizations have traditionally safeguarded data. To adapt to these and future changes, organizations need to build a solid foundation through an enterprise-level program.
In this blog post, we’ll outline the steps it takes to get an enterprise data protection program going by leveraging core data governance principles. These steps close the gap between the board, who have a huge stake in getting the right data protection measures in place, and IT, who are busy with geo-fencing, masking, and other physical protection measures. These guidelines will form the base for a data protection framework that is ready to support the concept of Crown Jewels, GDPR and more.
5 Steps to build an enterprise data protection framework
1. Identify business data owners
One of the most crucial changes that data governance brings to an organization is the recognition of data owners within the business (data citizens). It’s these owners that will also play a key role in establishing our data protection program. After all, they are the best source to know what critical data is being stored and processed. There might already be a list of applications in your organization or you might have to ask each data citizen to register each application/data store or data processing activity.
The end result will be a register of all applications, their context, and the data citizens that use them.
2. Define a taxonomy of sensitive data elements
At the core of the data protection program, you’ll have a taxonomy of critical or sensitive data elements (SDE). These are elements such as fingerprints, customer contact information, social security numbers, or employee background checks. It’s from this taxonomy that each data citizen will pick the assets that they use within their application or processing activity, together with other pieces of context such as the purpose, location and more.
In this taxonomy, each SDE will have an assigned classification, for example:
- Confidentiality: the required level of secrecy and cost/risk impact of unexpected disclosure
- Integrity: how tolerant (or not) any section of the information can be to being changed or lost entirely
- Availability: how important it is to have timely access to the information when we need it
- Consent: whether there are legal requirements or restrictions in place that impact where the information can go. This applies to personal information.
3. Assign compliance controls
Based on the assigned data elements and their classification, each governed application will be assigned a confidentiality classification (e.g. public, internal, confidential). With this assignment comes a set of security and compliance controls, ideally owned and governed by the Data Protection Officer (DPO). These controls will be very different for public data than for restricted data. Each control is managed within the governance function together with expected answers.
By pushing these control questions in questionnaires to the business owners, you can get their assessment of what controls are in place and which ones are lacking. Alternatively, you might want to use your GRC (Governance, Risk, and Compliance) tool for this.
4. Tracking gaps and breaches, no matter how small
After this exercise, you’ll end up with a baseline view of what applications or processing activities are most at risk and what type of risk is involved. Each item of non-compliance becomes a gap, a data issue where the data owner needs to work with the Chief Information Security Officer (CISO) and security managers to put in place the right controls. This is where the actual protection comes in: what data will we encrypt? What will we geo-fence? What should not be online at all? Do we keep data longer than we should? Where should we ask our users for consent?
Aside from these gaps, we can start tracking data breaches or infractions – no matter how small – per application so we can start seeing the relations between incidents and the impact they might have on lines of business (LOBs), business owners and risk types. Prevention in the end is the ultimate goal.
5. Reporting back to the board
It will be the responsibility of the data governance council to use the heat maps and KPIs coming out of our continuous collaboration and monitoring efforts to update the board. A 360-degree view of all critical applications and their assets, linked to the lines of business with indications of gaps and risks, will be a huge differentiator to keep them well informed at their level. Apply stewardship to this and we have a data protection framework that reflects the living body of our business.
Challenges of enterprise-level data protection
As you follow the enterprise data protection framework, it’ll be important to consider the challenges that lie ahead. Much of what you’ll encounter will take time and buy-in from stakeholders throughout the organization.
Pursuing the set of actions that enable your organization to sustain privacy initiatives, new regulation after new regulation, involves identifying the right data owners, especially those that are responsible for business applications and systems that hold sensitive data elements. Once identified, the data owners will need to register processing activities and keep those records up to date. It’s likely that the Data Protection Officer (DPO) will need to prompt, remind and ensure ongoing compliance among data owners. These steps translate into an ongoing process that will require time and cross-team coordination.
The output from executing the enterprise data protection framework should yield a baseline view of applications and processing activities that are most risky. To address those gaps, organizations may consider adopting the right data access controls or encrypting sensitive data elements. When this path is chosen and depending on the organization’s roles and responsibilities, the DPO may want to engage the cybersecurity or data operations team for further action.
Building an effective data protection framework
Once you’ve identified the appropriate data owners and defined the taxonomy of sensitive data elements, you’ll be ready to take action by assigning compliance controls. You’ll also be ready to monitor potential compliance gaps and report back to the board on the major risks that should be addressed.
These days, unexpected risks can originate from within the organization or through a few unassuming clicks from someone’s device at home. Data is the prize and it needs to be protected in a sustainable manner that enables organizations to adapt to changes quickly and effectively. 2021 provides organizations with a new opportunity to aggressively adopt or strengthen their privacy compliance programs around an enterprise data protection framework.