Compliance regulations are putting tighter controls on protecting data. What do companies need to know?
Regardless of size and shape, all organizations face similar challenges when it comes to storing and safeguarding business-critical data. This task is getting tougher, especially as regulations and compliance issues are becoming more impactful—while at the same time the amount of information gathered grows exponentially.
So, how do you make sure that the right data is being protected? Today, this old question demands new thinking, and the process should begin by finding a solution that can properly identify all your data. Traditional labels such as classified, top secret, confidential or protected are no longer enough. Neither is blanketing all data under a uniform code of tight lockdown. Such an approach is overkill and can bring business productivity to a standstill for both employees and customers. This tack also is shortsighted because not all data is created or valued equally.
In Protecting Data, Context is King
With the emergence of CCPA and GDPR regulations, organizations are being forced to delve deeper than superficial labels to identify data. Now, they need to take context into consideration to clarify meaning and intent, which can dramatically influence how data should be labeled. For example, is a document labeled “confidential” because it contains customer data? If so, a new policy is required to determine the proper place to store this information.
Then, is the customer data about a resident of California? If so, CCPA requires another level of scrutiny at the point of identification or classification. When considering proper next steps, remember: Context is king. For example, there’s a huge difference in context between an email saying, “That video was hilarious, but it almost gave me a heart attack,” and “Bob is out of the office because he had a heart attack.” Comprehensive data identification and classification goes beyond reliance on keywords to avoid overprotecting unworthy data.
Therefore, it is imperative to institute a data identification policy with multiple tiers that rank the importance of the content based on its context. This approach enables data to be classified via the various layers. Otherwise, it’s extremely difficult to locate sensitive data, when needed, if the search process also requires weeding through everything that isn’t sensitive. This saps time, resources, productivity, efficiency, operations and budget.
Think Structured and Unstructured Data
Equally important is understanding that the value of most data fluctuates with age and content. Consider information about the weather: While most valuable when seen from a today-or-tomorrow lens, reports that are even a week old typically are of diminished value, making them less important, yet they are still expensive and resource-draining to keep.
If possible, consider discarding data that no longer is needed or relevant. Yes, this can be daunting or difficult, but think of it as spring cleaning in your garage or sorting through your inbox on a late Friday afternoon—it’s liberating and the result improves overall efficiency. Consider the cost savings, too. Let’s face it, we can always rent another garage—or increase the storage of your inbox—when the last one is filled, but that gets expensive and only adds to the problem. In addition, if encryption is involved, so is the cost. And with budgets on everyone’s minds, why spend $10 to protect what most likely could be $1 worth of information?
When putting policies in place, be aware from the start that this must go beyond looking only at structured data. While that’s a great place to start, unstructured data—especially at the point of creation—is where the action (e.g., printing, saving or sending email) happens. Take into consideration that when an end user prints or saves a fresh piece of information, typically it’s more valuable than the copy that has been sitting at rest in storage.
Cloud Adds Complexity
If protecting the right data wasn’t challenging enough, added complexity comes as more and more companies look to shift all, or at least some, of their infrastructure to the cloud. Today, hybrid deployments are increasingly popular, resulting in scenarios where perhaps email remains onsite while a SaaS-based CRM system stores data in the cloud.
When employees produce a PDF of a CRM report and then save it to OneDrive in the cloud, they may have another copy residing on their desktops and maybe they emailed a copy as well. This becomes a whack-a-mole situation if your data protection solution does not take in the entire scope of all copies stored on-premises and in the cloud.
Organizations everywhere, regardless of size or business, need to be prepared for new compliance regulations as well as stricter enforcement of existing ones. The stakes are heightening because today more and more customers and employees consider a company’s ability to protect data and stay out of negative headlines as a key determinant of where to conduct business. Protecting the right data should be everyone’s concern and organizations that ensure the privacy and protection of their data possess a critical competitive advantage.