Data Protection Series: 5 Things Your IT Team Needs to Know about Data Security

Published On June 28, 2017

Data security is an important IT issue in the midst of increase privacy laws in the US and Europe.

With the onset of new data privacy laws being put in place across Europe and the U.S., it can be tempting as an IT manager to let it all go over your head. After all, what does that litigation have to do with you and your company? In short, a lot. Here are some suggestions for improving your IT department’s focus on data security.

1. Fully understand the greater business and its functions. If you don’t understand your business units, you’ll never truly understand what data they need to keep, why they’re keeping it and for how long it must be kept. To reach this goal, work on the ability to communicate what the impacts are of keeping that data in terms of time, money and risk. The more you know about the business functions, the more you can influence the mindset of the C-suite and your business partners—and keep control of your data so it doesn’t control you.

2. Recognize the retention policies for your company and industry. Understanding what your organization requires in terms of compliance is of the utmost importance. Keep in mind statutes of limitation, general contracts and other legal concerns. Be sure to stay tuned for my next blog for more information on this topic.

3. Keep Your Eye on the Law. It’s vital to stay on top of current and upcoming data security legislation for your industry in particular and for organizations in general. The European Union has approved significant changes to data laws, aimed at putting individuals back in charge of their information. This represents the biggest shake-up to privacy regulations in 20 years, according to experts. Under this new litigation (which comes into force in 2018), companies could face could face fines of up to 4% of their global annual turnover during the e-Discovery process. Here are a few other ways this litigation will change the way organizations approach data privacy:

• Tech firms will have to report serious data breaches to regulators within 72 hours.
• Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history. Example: a user could request to have his or her Twitter profile removed.
• Consumers have the right to transfer their data from one company to another. Example: A consumer could request that all of his or her data related to an online shopping purchase be sent to him so that his personal preferences can be used by a new preferred retailer.
• Companies that handle significant amounts of data will have to employ a data protection officer.

 

Stewart Room, head of data privacy at PwC, explains: “The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds of uses European personal data both inside and outside the EU”- BBC

4. Reconsider what information needs to be kept and how. Some information needs to be kept online, while other information can be archived for long-term storage. Keep a redacted, easily accessible copy online with enough to affirm business requirements, while also reducing the exposure to customers/ employees. This will ensure that you aren’t as heavily affected in a breach (and that your customers and employees are protected). This about how this is traded off against latency of recovery for a fully populated offline copy. If you’re worried about managing the archival information located on tapes because you don’t have the resources internally and/or want to focus on core business, consider partnering with a vendor that can provide a managed tape service.

5. Keep Employees and Customers Top of Mind. Know how much personal information your organization is keeping on its employees and customers and the existing practices around this data. Build up your organization’s passwords and firewalls, and educate both groups about following data privacy best practices. You’ll also want to reach out to senior leadership to get them on board with your data privacy policy and keep them in the know.