By Charles Choe.
Data privacy regulations, interconnectivity (virtual machines, Cloud, IoT, BYOD), and cyber threats are changing the global digital landscape. With this transformation comes inherent risk, and adopting a data-centric mindset can reduce compliance risk and mitigate damage in the event of a cyberattack.
When evaluating your organization’s Data Strategy, it’s important to ask five critical questions: What data is considered sensitive? Where is it? Who has access to it (and should they)? When is data being transferred? And how is it managed?
Answering these basic questions is increasingly difficult due to the exponential growth of electronic data, shadow IT, data sprawl, and other digital challenges. Nevertheless, this inquiry is the indispensable starting point for gaining the insight into sensitive data needed to manage security and regulatory risk. Sensitive Data Management is not only the cornerstone of mitigating risks, but also a means to demonstrate business priorities, corporate ethics, and competitive differentiation. But before crafting any Data Management Strategy, it is critical to first ask and answer the following five questions.
- What Counts as Sensitive Data?
Most U.S. employees understand that any work they produce during employment belongs to their employer; by contrast, in the EU all work product belongs to the employee. The difference in how we view data ownership across geographies is but one reason the definition of sensitive data may be different for each organization.
Retail firms may be most concerned about customer financial data, while pharmaceutical companies may prioritize the protection of trade secrets and intellectual property. Law firms, on the other hand, may consider client data and privileged information of utmost importance.
To properly secure high-risk, high-worth data, risk management solutions need to allow the flexibility to create custom definitions for sensitive data and then be able to discover, categorize, and control it throughout the enterprise.
- Where is Data Located (and for what purpose and for how long)?
In the past, security teams worked to manage data that was often stored in siloed geographic locations. Today, virtualization and Multi-Cloud hybrid environments mean security teams must deal with a multi-dimensional landscape with an increasingly large amount of data in “borderless” data stores. Not only do information security teams need to completely map sensitive data across private networks, cloud repositories, and third-party applications like Office 365, but new regulations also require them to define the business rationale for any data stored or archived longer than necessary.
Mapping the data landscape also helps organizations focus their security efforts around their most sensitive and business-critical data. In the unfortunate event of a security breach, these organizations will have a better sense of what information was actually impacted; knowing this will also guide potential breach notification requirements.
After data is successfully mapped, organizations will likely realize the vast extent of their data sprawl and the risks that entails. Security teams can, however, mitigate some of these risks with proper training. For example, human error is often to blame for propagating sensitive information: data stored in hidden rows in Excel spreadsheets, included within notes in PPT, or buried in a long email thread. Companies can avoid accidental distribution by scanning the enterprise for sensitive data, and then proactively removing it from unauthorized locations.
- Who has Access to Sensitive Data?
Once the questions of ‘what constitutes sensitive data?’ and ‘where is it stored?’ are answered, access rights should be assigned based on roles and responsibilities within relevant departments or business functions. Unauthorized access to customer PII, for example, is a major source of risk, yet organizations are often shocked by who has access to this type of information. A good first step is to involve HR to educate employees about the importance of proper data handling; understanding the value of data reinforces its status as an asset that needs to be protected, just like physical property.
While employee training is imperative to ensuring sensitive data stays with authorized personnel, technical controls will further support proper data hygiene. In today’s perimeter-free world, organizations must assume that hidden threats are lurking within their networks. With this assumption, user access to sensitive information should be continuously validated with a trust system that incorporates strict access controls. Usernames and passwords can be easily stolen and are no longer effective against advanced cybercriminals. Multi-factor authentication, identity and access management tools, and ‘least privilege’ frameworks are necessary to ensure only the right people have access to the right data. Users should be required to prove their identity and access rights with each and every request.
- When is Data Being Transferred?
This is perhaps the most important question for maintaining compliance. Organizations need to understand when sensitive data is transferred to data processors, partners, vendors, legal counsel, or others outside the organization. And multi-national organizations subject to the General Data Protection Regulation (GDPR) must also track how EU data subjects’ personal information is processed and handled outside the European Economic Area (EEA). It’s important to note that the rules follow the data; under these regulations, data cannot be transferred unless appropriate protections are in place. Even simply viewing a file from outside the EEA is considered a transfer of that data. The challenge is to systematically collect, cull, and review data in-country under local rules unless specific derogations exist.
Cross-border data transfer issues will likely remain a top priority for the foreseeable future. Organizations should start the process of designing and implementing a privacy-compliant cross-border data transfer strategy now, as this can potentially become a lengthy and drawn-out process.
- And Finally, How is Data Managed?
Understanding the answers to the previous questions allows an organization to begin building a data-centric privacy strategy and management process. Doing this effectively requires an up-front investment in thought, energy, and yes, budget. In 2017, the Ponemon Institute found that the global average cost of a data breach was $3.6M and rising, even excluding regulatory, legal, and reputational costs. Risk can never be fully eliminated, but with a data-centric approach, the surface area of digital risk can be reduced.
Protecting data and ensuring compliance with new regulations like the GDPR is about asking simple, but inherently challenging, questions. Trust is something businesses work hard to establish with customers every day and, once lost, it is exceedingly difficult to regain. Proactive data management policies, combined with the right technologies, make it much easier to comply with new regulations and sustain that trust.