Companies collect and process vast amounts of personal data, from where we live and the places we holiday, to our spending habits, down to the kind of coffee drink we prefer. Although data collection enables businesses to tailor offerings according to our preferences – something many of us have come to expect – these practices also introduce risk through increased exposure of our personal information.
Complicating the matter is that many businesses are now trading across borders. Many of the data protection laws in existence today are country specific, and thus difficult to enforce. Should a data breach occur, who exactly is responsible?
Comply (Or Else)
All over the world governments have taken this issue seriously and are in the process of implementing new laws that will legally require companies to adopt a modernized and comprehensive approach to data protection.
It’s imperative that businesses put together a well thought out strategy – a kind of blueprint for compliance. Having a realistic and executable plan in place will minimize the initial costs of adjusting applications and practices to become compliant, as well as the ongoing costs of proving and maintaining compliance.
Here are five steps to consider when putting together a plan for attaining, proving and sustaining compliance.
- Understand the implications of the legislation on your operations. The first step businesses should take toward compliance is understanding the implications of both current and new legislation on their operations, including what changes need to be made and how it will impact their overall IT spend. And the impact is large. Many companies still use real (live) customer and consumer data in development and testing with little consideration for sensitive data protection. So, with the new legislation coming up, companies will need to rethink their testing approach.
- Analyze where your personal and sensitive data resides. Before mapping out a technical solution, companies should carefully assess their data usage across environments to see where there is risk of a data breach. In other words: Who has access to what data, and where is that data stored? It’s important to note that the analysis of where personal and sensitive data resides, and how it interacts with other data, can take much more time than initially estimated.
- Determine how you can desensitise this data while still using it. Once the location of the personal and sensitive data and the potential security risks have been mapped out, it will be easier to decide how this data can be desensitised. Data anonymization can be built into existing workflows and processes, or new workflows can be created from scratch to comply with the new regulations. This exercise will also help build the requirements for a third-party solution, if one is required.
- Develop the solution using the chosen toolset. When the requirements for a data privacy solution have been determined, it is time to actually develop the solution that will help keep your data safe and keep you compliant. A solution could be a new set of business processes, a revision of data access rights, test data management technology, or a combination of these and other measures appropriate to the situation and the chosen approach.
- Deliver the solution into the existing operational framework of the IT division. Most companies need assistance in complying with current regulation, let alone preparing for the directive. They need to assess capabilities and experience fully before making decisions and implementing them, as mistakes are costly from both a project and a fine standpoint.
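The third and fourth steps above (desensitise the data, then build the solution with a chosen toolset) are the technical core of the plan, and the article's own example of risk is live customer data being copied into development and test environments. The following Python script is an added illustration, not code from the article, of what a minimal test-data desensitisation routine looks like: direct identifiers are replaced with keyed (HMAC) pseudonyms so that a customer id still joins between tables, quasi-identifiers such as date of birth and postcode are generalised, and non-personal attributes are kept. The sample records, the field classification and the demo key are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for a production extract (not real people).
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "dob": "1985-04-12", "postcode": "SW1A 1AA", "favourite_drink": "flat white"},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob.sample@example.org",
     "dob": "1992-11-03", "postcode": "M1 1AE", "favourite_drink": "espresso"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C-1001", "amount": 12.50},
    {"order_id": "O-2", "customer_id": "C-1002", "amount": 4.20},
    {"order_id": "O-3", "customer_id": "C-1001", "amount": 7.80},
]

# Hypothetical classification produced by the "analyze where data resides" step:
# these fields identify a person directly and must never reach a test environment verbatim.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email"}


def pseudonym(value: str, key: bytes, prefix: str = "", length: int = 10) -> str:
    """Keyed, deterministic token: equal inputs give equal outputs (so joins survive),
    but without the key the original cannot be recovered or re-derived."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"


def mask_email(email: str, key: bytes) -> str:
    """Keep a syntactically valid address for application tests, on a reserved domain."""
    local, _, _domain = email.partition("@")
    return f"user-{pseudonym(local, key, length=8)}@example.invalid"


def generalise_dob(dob: str) -> str:
    """Reduce a full ISO date of birth to the birth year only."""
    return dob[:4]


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward part of a UK-style postcode (district, not street)."""
    return postcode.split()[0]


def desensitise_customer(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field == "customer_id":
            out[field] = pseudonym(value, key, prefix="C-")
        elif field == "name":
            out[field] = pseudonym(value, key, prefix="Customer ")
        elif field == "email":
            out[field] = mask_email(value, key)
        elif field == "dob":
            out[field] = generalise_dob(value)
        elif field == "postcode":
            out[field] = generalise_postcode(value)
        else:
            out[field] = value  # non-personal attribute, e.g. favourite_drink
    return out


def desensitise_order(record: dict, key: bytes) -> dict:
    out = dict(record)
    # Same key and prefix as the customer table, so the foreign key still joins.
    out["customer_id"] = pseudonym(record["customer_id"], key, prefix="C-")
    return out


def desensitise_dataset(customers: list, orders: list, key: bytes) -> tuple:
    return ([desensitise_customer(c, key) for c in customers],
            [desensitise_order(o, key) for o in orders])


def joins_preserved(customers: list, orders: list) -> bool:
    """Every order must still point at a customer that exists in the masked table."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


def leaks_original_values(original: list, desensitised: list) -> list:
    """Return any direct-identifier value from the source that still appears verbatim
    in the desensitised output. An empty list is the expected result."""
    blob = json.dumps(desensitised)
    return [r[f] for r in original for f in DIRECT_IDENTIFIERS if r[f] in blob]


if __name__ == "__main__":
    # Demo key only; a real run takes the key from a secrets manager and never
    # ships it alongside the test data, otherwise the pseudonyms are reversible by dictionary.
    key = b"constructed-demo-key"
    cust, ords = desensitise_dataset(CUSTOMERS, ORDERS, key)
    print(json.dumps(cust, indent=2))
    print("joins preserved:", joins_preserved(cust, ords))
    print("leaked values:", leaks_original_values(CUSTOMERS, cust))
```

Two design points carry over to any real toolset: the pseudonymisation key decides whether the output is reversible, so it is handled as a secret and rotated separately from the test data, and the `leaks_original_values` style check (searching the output for every source identifier) is the kind of evidence the "prove compliance" part of the plan needs, run on every refresh of a test environment rather than once.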