Put Your Data House in Order: Reduce Risks and Improve Efficiency Through Good Data Habits
The risks and costs associated with data security have never been higher. Data breaches are so common that all 50 states now have data-breach notification laws. The past year put a spotlight on individual data privacy issues. We saw multiple congressional hearings focused on data privacy. The European Union General Data Protection Regulation (GDPR) came into effect, prompting global compliance efforts. California enacted a Consumer Privacy Act (CCPA), which will impact an estimated 500 million businesses worldwide. And U.S. lawmakers are considering what a federal privacy law should look like.
Data protection is not a new consideration for businesses. Even those that do not process personal data must account for the risk of loss of sensitive information.
Good data habits, including data mapping, data minimization and implementing a written data management program, are steps every business should take. Organizations that embrace these efforts are likely to improve efficiency, increase brand trust, and reduce exposure to data related risks.
Addressing data privacy risks starts with data mapping, which involves making an accounting of the types, uses, storage, and disposal of data the business handles.
Data mapping frequently reveals data processing activities so routine that they are otherwise overlooked. For example, requiring visitors to sign in at a reception desk is data collection. Digital or automated data processing activities, especially when outsourced, can easily be missed if not mapped. Website administration is an example of an often outsourced service where the business may be unaware of all the data processing activities taking place. Even non-transactional websites frequently collect visitor data through “Subscribe” or “Contact Us” fields, as well as through “cookies.”
Data mapping provides the business with a more complete view of its data collection and processing landscape. This will inform the business of the risks associated with its practices and enable it to evaluate areas where it may be able to scale back processing.
Data minimization is the practice of limiting data collection, processing, and retention to that which is necessary to accomplish a specific business purpose.
Data minimization is required under some privacy laws, such as the GDPR. Also, both the GDPR and CCPA grant individuals a number of data rights. These include the right to know what data an organization holds about an individual, the right to request transfer of personal data to another organization, and erasure of personal data. Compliance with these requests is less burdensome for organizations that only possess the minimum amount of data needed for business purposes.
Practicing data minimization can also reduce spending. Limiting the amount of data stored to that which is needed for business purposes can reduce unnecessary spending on storage, and reduce the amount of data a company will need to pay to have securely destroyed in the future.
Storing excess data also increases costs in the event of a data breach, as remediation efforts must be performed for every record that is even potentially compromised.
Planning for data management in day-to-day operations is crucial. Data management documentation should specify the category and sensitivity of data covered, as well as any parties that must comply. Data management documentation will generally fit into one of three categories: internal, public facing, and contractual.
Internal policies and procedures should be concise and use plain language. The policy requirements need to be achievable and contemplate remediation for violations.
Public facing documentation enhances brand trust. A privacy statement is the organization’s opportunity to let customers know data privacy and protection is a priority. Modern privacy laws are rooted in providing individuals with transparency and control pertaining to their personal data. The privacy statement should inform individuals about how their data is treated and their rights under applicable laws.
Sometimes disclosure of sensitive information is inevitable, so contractual data protection is a must. Submitting bids or negotiating may require information disclosures. Nondisclosure agreements are useful for baseline protection in early stages, but their broad terms often aren’t appropriate for use in final agreements. Contractual data protection terms should be tailored to address data that will be disclosed and any applicable legal requirements.
In an increasingly digital business landscape, organizations are constantly processing higher amounts of data. Prioritizing good data habits can reduce risk and improve efficiency. Organizations should include stakeholders from any impacted departments, as well as legal, HR, and accounting, when developing data management plans.
This article originally appeared in Opportunity Magazine, a speciality publication of Pamplin Media Group.