One of the most important steps in building an effective privacy and data protection practice is having a risk and security strategy built around privacy and security by design. And for that you must start with a data inventory. To make that inventory effective, you need to be able to accurately identify and classify personal and sensitive data at scale.
This is not an easy task, but if you read on, we offer some suggestions that can help.
The risk of data graveyards
When you consider that in 2021, 1.7 MB of data is being generated every second [1], it’s easy to understand why your organization may not have a good handle on the type of data it collects, whether the information has been collected in a compliant way, and whether it’s properly secured, erased, or destroyed.
Too often enterprises end up with giant repositories of data on services. Not only are these data graveyards expensive, with costs ranging in the millions of dollars per year, but these unmanaged data stores are also easy targets for cybercriminals.
Data privacy and protection regulations continually expand what type of data is considered sensitive and regulated, and all use slightly different terminology for the data, including sensitive personal information, nonpublic personal information, personal information, personally identifiable information, material nonpublic information, and the list goes on.
Automate data classification
It’s one thing to classify something that always follows the same pattern—like a credit card number, email address, or social security number—and another thing entirely to classify data that might look different, like a customer ID, first name, or password prompt.
In order to classify data accurately (and reduce false positives), you need a multi-layered, in-depth approach that includes:
- Regular expression (RegEx) and pattern matching to classify data that follows a known pattern
- Natural language processing and deep learning to identify data that doesn’t follow a known pattern
- Graph technology to map related data, inferred data, and discover dark data
- Fuzzy classification to identify similarities within the data
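A minimal sketch of two of these layers working together, added here as an illustration and not taken from any vendor's product: regex detection with a checksum validator to cut false positives, plus fuzzy matching on field names for data with no fixed shape. The NLP and graph layers are not shown; the label list, the 0.7 threshold, and the sample values are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Layer 1: data with a fixed shape is found by regex, then validated where a
# checksum exists, so a 16-digit order number is not reported as a card number.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(candidate):
    """Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0
VALIDATORS = {"credit_card": luhn_ok}

# Layer 2: data with no fixed shape is classified from its field name, using
# fuzzy matching so abbreviations and typos still hit. Labels are assumptions.
FIELD_LABELS = {"customer_id": "customerid", "first_name": "firstname",
                "password": "password"}

def classify_field_name(name, threshold=0.7):
    norm = re.sub(r"[^a-z0-9]", "", name.lower())
    scored = [(SequenceMatcher(None, norm, label).ratio(), cat)
              for cat, label in FIELD_LABELS.items()]
    score, cat = max(scored)
    return cat if score >= threshold else None

def classify_values(values):
    found = set()
    for value in values:
        for cat, pattern in PATTERNS.items():
            check = VALIDATORS.get(cat, lambda _m: True)
            if any(check(m) for m in pattern.findall(value)):
                found.add(cat)
    return found

def classify_column(name, values):
    by_name = classify_field_name(name)
    return classify_values(values) | ({by_name} if by_name else set())

# Constructed sample: one well-known test card number, one order number.
SAMPLE_NOTES = ["card 4111 1111 1111 1111 on file", "order 1234567890123456 shipped"]
```

On the sample, only the first value is reported as a card number; the order number matches the regex but fails the checksum.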
Luckily, there are new technologies that automate these techniques, along with the discovery of data types, content, and categories. These data management solutions automatically:
- Discover data sources
- Scan structured and unstructured data at scale
- Classify data by category, type, sensitivity—and identify high risk data more accurately
- Find and classify all types of critical, regulated, and sensitive data
- Identify data by context and content
- Classify data by business policy and regulation
Then, these data insights can be automatically pulled into your integrated risk and privacy management solution to provide a comprehensive view of data and your data assets.
Set a high data security bar
Such insights are not only beneficial to the business: they also empower security, privacy, risk, and data management teams to set and reach higher security standards. By understanding what data assets exist, the different types of data elements that are stored in them, contextual meaning around that data, and the sensitivity of that data, security teams can assess what types of controls exist—or should be placed—around those assets to minimize the risk of data breaches.
Every successful security strategy starts with identifying the data you have (the data you know — and the data you don’t) and classifying it accurately to protect the data, understand the value of the data, and reduce the attack surface.
Enable smart data retention
Having a clear understanding of data assets means that if your company discovers it has data from the 1980s sitting in systems, and your retention policy is to keep data for only eight years, it makes sense to anonymize or dispose of the personal information to reduce costs and security risks.
Data protection and privacy regulations require that specific types of data follow certain data retention policies—all the while encouraging you to minimize the data you collect. Data retention and records management rely on accurately classified data, so that your teams can enact and enforce the right policies around it.
Conclusion
Smart and comprehensive data identification, classification, and retention strategies are essential to successful privacy, data protection, and security practices. By adopting the multi-layered, in-depth approach we’ve discussed, you can better protect personal data and improve compliance to build trust and loyalty with employees, customers, and third parties.
Learn more
To learn more about data classification visit www.bigid.com. BigID is a ServiceNow technology partner with deep integration to the Privacy Management product. You can find the BigID Data Exchange application on the ServiceNow Store.
1. Source: https://financesonline.com/how-much-data-is-created-every-day/