According to the Pew Research Institute, Americans have expressed a "deep lack of faith" in organizations when it comes to protecting consumer privacy information such as social security numbers, home addresses and credit card numbers.
With data loss incidents and security breaches doubling in the last two years, people aren't wrong to distrust that the companies who collect and store their privacy information can do so securely.
Organizations also have reasons other than rapport and customer trust to worry about when it comes to protecting personal information. With the Ponemon Institute's “2017 Cost of Data Breach Study” estimating the average cost of a data breach at $3.62 million, organizations are taking cyber security breaches and data loss incidents seriously.
The Information Commissioner's Office (ICO) recommends assessing your organization's risk in relation to people's personal information in order to protect that information. The Federal Trade Commission recommends 5 key steps for building a sound data security plan. Step one, echoing the ICO's recommendation, is "taking stock." In other words, identifying your organization's information assets and determining which of those contain personal information is the foundation of data privacy and protection.
Privacy and security experts all agree: you have to know what and where your privacy information is before you can manage and protect it. Today’s privacy laws and regulations typically focus on consumers, but organizations often keep far more privacy information than consumer names and credit card numbers. Consider the privacy information you keep on:
Job applicants
Board of Directors
Employees’ beneficiaries
Contractors
Interns / volunteers
Getting Started - Where's all our Privacy Information?
Identifying all the privacy information in your organization can be daunting. There are various solutions available like crawlers and master data management (MDM), for instance, that compliment other solutions. These are one piece in the larger puzzle, and it's important to understand their limitations. They may also be cost-prohibitive for many organizations.
Today’s “easy button” crawler solutions can meet some of your organization's privacy identification needs, but they often miss privacy information in locations such as:
Third parties contractors / providers
Inaccessible legacy systems
Outdated formats
Hard copy
A holistic approach may start with or include a less expensive option that uses your employee's expertise to fully "take stock" and assess your organization's information in relation to privacy information.
Fortunately there is a unique, user-friendly solution that helps organizations identify where the privacy information is that they generate, manage and store. The iGMapware software solution uses internal subject matter experts to quickly create a registry, or inventory, of all information assets while collecting pertinent information elements such as:
Level of security for the record - public, internal, confidential
Risk classification if record was released
Software application/s the record is contained in
Retention period and destruction instructions
Identifying Unnecessary Data Risk
Once you've identified the locations of your organization's privacy information you will have created the foundation for securing that data. Throughout the identification process you may find locations where privacy information is being kept that present unnecessary data risk:
Information that contains privacy information that is past its useful life for business needs and required legal retention
Multiple copies or drafts that contain privacy information unnecessarily spread across departments or software applications
Privacy information stored in locations you weren't aware of
This knowledge will inform your organization's decision-making, empowering enhanced data security by illustrating where recordkeeping policies and procedures need to be created, updated or enforced, highlighting inconsistencies in current records retention and pinpointing which locations and software applications across the organization contain privacy information.
Defensibly Disposing of Privacy Information Helps Eliminate Risk
Identifying records and the privacy elements they contain leads to another important piece in the puzzle - creating or updating your organization's records retention schedule. A records retention schedule gives guidance to employees about how long they should be keeping privacy information and when to defensibly dispose of that information.
Cyber security includes destroying privacy information after an appropriate time period - once destroyed, that information is no longer a risk for security breaches or data mismanagement. A retention schedule follows regulatory requirements and business needs to determine how long information needs to be kept. An information and records management consulting firm like iGMapware can help create a schedule based on your organization's unique records, privacy information and business needs.
Being a Privacy Hero
The process of identifying and determining where privacy information is stored across your organization is key, but can be complex to implement. By following these steps you will be able to answer an essential question for your organization's data protection - have you identified everything your organization has that contains privacy information - that if released or leaked your business and reputation would suffer or you may face fines and other penalties?
Getting in front of cyber breaches and data leaks by knowing what you have is essential to protecting your organization's rapport, financial stability and legacy. There are multiple layers to identifying and protecting privacy information, and the first step, as recommended by the leading information security experts, is to take stock and assess what you have.
Consider using a software solution with retention schedule consulting from iGMapware, which enables the identification of privacy information contained in information assets held across an organization and providing clear guidance to employees for defensible disposition of information assets.
You can reach out to iGMapware to discuss if our solution is right for you by scheduling a quick, free call here or by dialing 303-329-9545.
Resources and References:
The Information Commissioner's Office's Data Protection Self-Assessment Toolkit has created multiple checklists for helping organizations assess their cyber risk.
Information Commissioner's Office. (n.d.) Data Protection Self Assessment Toolkit.
Online Trust Alliance. (January 2018). Cyber Incident and Breach Trends Report.
Pew Research Institute. (September 2016). The state of privacy in post-Snowden America.
Ponemon Institute. (June 2017). 2017 Cost of Data Breach Study.
#softwareapplications #datainventory #InformationRisk #RetentionScheduleExperts #iGMapware #RecordsManagementConsulting #LegalCompliance #RetentionScheduleConsulting #policies #RecordsManagementConference #employees #Cybersecurity #corporaterisk #Thirdpartyvendor #personaldata #Cybersecurity #InformationGovernance #recordretentionschedule #informationassets #compliance #informationassetinventory #Defensibledisposition #datarisk #datasecurity #consumerprivacyinformation #databreaches