In this two-part series, I'll discuss what data security and privacy mean in our world today. I'll also talk about activities and tasks that you may want to consider as your company moves forward to protect its data.
I've had the privilege of working with data for most of my adult life. I know that data can be used incorrectly or maliciously. It can be over-utilized, stored redundantly, or end up in the hands of the wrong people. As we read in the headlines every day, there are more and more stories about mishandling data. So, what can we do to safeguard the security and privacy of our corporate data?
A look at the definitions of data security and privacy
I see data privacy as the act of allowing access and use of any data – based on privacy requirements, guidelines or procedures. The key word here is requirements for data privacy. (Got some!) Data security, as I see it, is the act of implementing the data privacy policy, procedure or guidelines to secure or protect the data over time. It's also important to consider being able to report on data security and privacy.
Making the distinctions in these definitions helps me to communicate and understand what a customer or company may need to do to create or enhance their data privacy policy. SAS has published a lot of information (including many blog posts) on the topic of the European Union GDPR and the tactics we need to consider when securing personal data across the enterprise. Some of those same tasks and activities can be applied more broadly to encompass privacy for all our data.
Creating a data privacy statement – where to start
To create a data privacy statement (procedures, guidelines, etc.) you first need to gather current requirements. You should do this to understand what has already been completed, what can be enhanced and what your next steps may entail. I propose a task group that can define exactly what data privacy means to your organization.
Consider answering the following questions:
- What procedures and guidelines do we use today to safeguard data?
- Where is our personal data stored?
- Identification and documentation of where the data lives will always be required.
- Can we assess, document and understand the interfaces or data flows between data stores? This is important so you can understand what application or system created the data, as well as what applications or systems update or delete the data.
- I encourage use of an enterprise data model (if you have one), as well as application system data models to help you understand the data.
- What is the data quality, based on profiling or sampling the data stores?
Next, gather an overview of what data security and privacy will mean in the future for your organization. Include flexibility for changes and future enhancements.
Changes could include:
- Opt in and opt out for customers.
- Multiple, easy ways for customers to view their data.
- Customer reports on who has read or accessed private (or personal) data.
- A way for the customer to delete data they do not want anyone or any process to view or access.
It's best to start with a systematic approach that makes sense to you and your corporation, then make a task list. I always prefer to look for goodness in the work a company has already implemented, then move on to the next steps with that in mind. Clearly, more policies will be required in the future as our data becomes more accessible in many different data stores. We need to be as prepared as possible for whatever the future may bring.
Read the results of a SAS survey on GDPR readiness