Over the past decade, reforms in data regulation have reinforced the message about data security and the need for robust security measures. These reforms are essential, considering how data creation, collection, and storage have evolved recently. Today, data exists in so many formats and locations, even within a single enterprise, that a proper Data Protection Assessment strategy is imperative to guarantee complete data protection.
What is Data Protection Assessment?
Data Protection Assessment is a process through which an organization evaluates the current level of data protection measures within its ecosystem and makes the improvements necessary to reduce cyberattack threats and risks. While the assessment is vital for many reasons, including instilling confidence in customers by outlining the actions taken to curb data breaches and bringing down the operational costs related to data storage, it wasn’t mandatory until GDPR came into effect. Since GDPR, all organizations are mandated to carry out a Data Protection Impact Assessment (DPIA) to assess and improve their level of data protection.
Tips for a Data Protection Assessment Strategy
Data protection programs vary widely from company to company, but they all attempt to achieve complete data privacy and security. Designing a data protection program needs a thorough understanding of the data types, classifications, sources, flows, and uses. There are two philosophies when it comes to assessing a data protection program.
- The top-down approach starts with policies, procedures, and standards and moves towards technical implementation and controls.
- The bottom-up approach starts with understanding data, its movement across the enterprise, and the controls securing it to build the governance around these systems and business processes.
However, both approaches have the same goal: to attain “privacy and security for enterprise data by design.”
Here are five tips to follow using the top-down approach:
- Identify the right stakeholders: The first step is to define the main objective for the assessment and identify the key people involved in the process. Data definitions and objectives provide a contextual understanding of the various data types and the sensitivity with which they need to be handled. While it’s essential to sensitize all the employees and contractors about the exercise, you must identify the security experts and advisors who can create the assessment strategy and sign it off in time.
- Define roles and responsibilities: Set the right expectations for everyone involved and institute roles and responsibilities for the assessment. These two steps provide clarity, transparency, and accountability to all stakeholders. Ensure that all third parties involved in this process also have a clear understanding of their roles.
- Establish procedural practices: Develop and enforce standard practices to review and assess the level and impact of risks. Objectively identifying the threat landscape and classifying risks according to their severity helps manage the risks better in the long run. Put guidelines in place to perform data protection audits at a defined cadence.
- Record the observations: Record the risks and their severity as and when you identify them, and at the same time define measures to mitigate them. The measures could range from reducing the retention time for a data type to no longer storing a specific type of data at all. Whatever the risks and mitigation measures are, documenting them ensures everyone in the organization understands which actions can make the enterprise data vulnerable.
- Establish a data breach response plan: Based on all observations made during the assessment, establish a data breach response plan that details the steps to be followed when sensitive data is exfiltrated. Provide a toolkit for the response and forensic teams for such situations. The toolkit could be as simple as a call list of internal and external contacts to notify as events unfold.
Safeguard the privacy and confidentiality of your enterprise data
A sound data protection assessment strategy helps organizations identify and minimize all risks associated with data processing. While there are many guidelines available on the Internet on “How to conduct Data Protection Impact Assessments,” it always helps to partner with an experienced service provider who can help you perform this assessment and guide you throughout your data protection journey.
Elizabeth Patrick is the chief information security officer (CISO) at Synoptek. She has over 25 years of proven success in managing and delivering security-focused solutions that streamline operations, manage risk, increase capability, improve service quality and accelerate growth across public and private sector organizations.
Last Updated on February 3, 2021.