How to take control of your data before it controls you

How should companies address data management concerns?

The first step in protecting data is to understand where it’s captured, stored and shared. The output of this identification stage should be twofold:

  • A map depicting the life cycle of personally identifiable information (PII) in and out of your organization
  • An understanding of your inherent risk. This exercise should not be taken lightly. It’s quite possible that your copy machines could contain thousands of digitally stored documents that get passed on when the machines are disposed of or repurposed at another company.

Here are a few other key elements of an effective data management program:

  • Data with class. Step two involves classifying the data and records identified during the assessment. The classification should be used to build retention and security around your data. Keep in mind you’re looking to identify what sensitive data your company possesses, capture and maintain the minimum necessary, and place it on a fortified island.
  • Know thy regulations. Requirements vary greatly depending on your industry. Reference resources are plentiful; however, www.aicpa.org/privacy is a great place to start, as it has industry-specific information as well as both federal and state regulations.
  • Risk assessment. Armed with the knowledge of what data your business is capturing, storing and sharing, its classification and the regulations that apply to that data in your industry, your risk map (including inherent risk and prioritization) becomes much easier to identify.
  • Control your risk. From a risk management perspective, one could say the opposite of risk is controls, which come in the form of policies, procedures, system controls and even insurance. Risks come in a variety of forms (e.g. regulatory, reputational, litigation), all of which should be evaluated when selecting the proper control to mitigate each one.
  • Trust but verify. Your monitoring program will need to ensure compliance with privacy policies and procedures, commitments, applicable laws, regulations and service level agreements. Contracts should be reviewed and the results of such reviews reported to management.
  • The human firewall. Any successful data management program will involve a significant amount of employee awareness. No system is 100 percent secure, and informing your users of the importance of data and data security will create the final barrier between your data and the outside world.
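The first two steps above (map where PII is captured, stored and shared, then classify it and attach retention and security controls) can be prototyped as a small discovery script. The Python below is an added illustration, not code from the article or its author: the sample stores and their contents are constructed, the detection patterns are deliberately simplified, and the classification tiers, baseline controls and risk weights are assumptions chosen for the example rather than anything the article prescribes. Card numbers are validated with a Luhn check so that a run of digits alone does not count as a finding.

```python
"""PII discovery, classification and inherent-risk ranking over a constructed data inventory."""
import re

# Constructed sample inventory: hypothetical stores with made-up contents.
# "stage" is where the store sits in the PII life cycle: captured, stored or shared.
SAMPLE_STORES = [
    {"name": "web-signup-form", "stage": "captured", "owner": "marketing",
     "sample": "Name: Jane Roe, SSN 123-45-6789, card 4111 1111 1111 1111"},
    {"name": "crm-database", "stage": "stored", "owner": "sales",
     "sample": "jane.roe@example.com, phone 555-0100, account notes"},
    {"name": "copier-hdd", "stage": "stored", "owner": "facilities",
     "sample": "Scanned W-2: SSN 987-65-4321"},
    {"name": "vendor-export", "stage": "shared", "owner": "finance",
     "sample": "invoice 2023-0042, total 1200.00"},
]

# Simplified detection patterns (assumed for the example; production scanners use broader,
# validated detectors and context checks).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
}

# Assumed classification tiers, control baselines and exposure weights.
TIER_OF = {"ssn": "restricted", "card": "restricted",
           "email": "confidential", "phone": "confidential"}
TIER_RANK = {"internal": 1, "confidential": 2, "restricted": 3}
CONTROLS = {
    "restricted": ["encrypt at rest", "access logging", "retain only while legally required"],
    "confidential": ["access control", "retention limit"],
    "internal": ["standard backup"],
}
STAGE_EXPOSURE = {"captured": 2, "stored": 1, "shared": 3}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number (separators ignored)."""
    digits = re.sub(r"\D", "", number)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return {pii_type: [matches]} for every pattern that fires; cards must pass Luhn."""
    found = {}
    for kind, pattern in PII_PATTERNS.items():
        hits = pattern.findall(text)
        if kind == "card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            found[kind] = hits
    return found


def classify(pii: dict) -> str:
    """Highest tier among the PII types present; no PII means 'internal'."""
    tiers = [TIER_OF[k] for k in pii]
    return max(tiers, key=TIER_RANK.__getitem__, default="internal")


def inherent_risk(tier: str, stage: str, pii: dict) -> int:
    """Assumed scoring: sensitivity times exposure, plus one point per distinct PII type."""
    return TIER_RANK[tier] * STAGE_EXPOSURE[stage] + len(pii)


def build_pii_map(stores) -> list:
    """Life-cycle map of PII across stores, ranked by inherent risk (highest first)."""
    rows = []
    for s in stores:
        pii = find_pii(s["sample"])
        tier = classify(pii)
        rows.append({
            "store": s["name"], "stage": s["stage"], "owner": s["owner"],
            "pii_types": sorted(pii), "classification": tier,
            "controls": CONTROLS[tier],
            "risk": inherent_risk(tier, s["stage"], pii),
        })
    return sorted(rows, key=lambda r: (-r["risk"], r["store"]))


if __name__ == "__main__":
    for row in build_pii_map(SAMPLE_STORES):
        print(f'{row["risk"]:>2}  {row["stage"]:<9}{row["store"]:<16}'
              f'{row["classification"]:<13}{",".join(row["pii_types"]) or "-":<18}'
              f'{"; ".join(row["controls"])}')
```

Running it prints one line per store, ordered so that the internet-facing signup form (SSN plus card number at the capture stage) lands on top and the finance export with no PII lands at the bottom; the copier hard drive from the article's own example surfaces as a restricted store that would otherwise be easy to overlook. The ranking is only as good as the assumed weights, so treat the score as a prioritization aid for the risk-assessment step, not as a measurement.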

How do good data management practices translate to solid business practices?

Continuing to do what you’ve always done will only lead to increased costs, staff inefficiencies and significant risk of leaked or breached PII, resulting in loss of reputation and potentially crippling litigation. The traditional method of throwing hardware at the problem will not deal with the core issue; solving it requires a fundamental change in the way data management is handled, encompassing a rigorous, disciplined approach that starts at the top. It won’t be easy; however, the result will be not only compliance but increased efficiency and, in general, simply stronger business practices.

Dan Mallory is an IT audit and assurance manager with Habif, Arogeti & Wynne, LLP with more than 10 years of experience providing data-centric solutions and consulting to a variety of businesses and industries. He also has expertise in document management with deep knowledge in the data privacy sector having developed privacy management plans for firms concerned with personally identifiable information. He can be reached at (770) 353-7182 or [email protected].