The first step in data privacy and data governance is good records management. Controversial? Consider: how can you make good data privacy decisions if you have not classified and understood the data you are responsible for governing?
Only once you have an accurate picture of your data corpus can teams take action to assign appropriate policies that manage access to reduce risk and increase data trust. In this blog post we will review how scalable, consistent, and accurate governance enables teams to solve the data privacy challenge.
But first, let’s recap how we got here, and the challenging situation organizations face when it comes to managing data in an age of privacy legislation.
A privacy revolution
We’re in the middle of a data privacy revolution. Stakeholders have an expectation that data they share with you will be protected and correctly managed. Legislation is being enforced across the globe. The EU’s General Data Protection Regulation acted as a catalyst, with governments all over the world now focused on protecting their citizens’ data and limiting how businesses can collect and use it. By next year, Gartner estimates 65% of the world will have enacted some form of privacy legislation.
The technology industry is following suit, with platforms instituting their own rules (such as Apple’s App Tracking Transparency) to limit data collection in line with consumer expectations.
The specter of data breaches grows
Data breaches and ransomware attacks are becoming more prevalent and damaging for organizations, no matter the size or industry. The recent Optus data breach is just the latest example. The Australian telecommunications company recently announced it had fallen victim to a cyber-attack that had exposed the data of almost 10 million customers and former customers. For 2.8 million of these victims, data included passport numbers, driver’s license numbers, Medicare numbers, postal addresses—some of the most sensitive (and difficult or expensive for an affected customer to update) data a company could collect.
At least initially, it seems Optus did not have a full picture of exactly what sensitive data had been exposed. This makes the hack both a data security and data privacy issue. If they didn’t know where the sensitive data was, then they couldn’t have had rules for its management—who could access it, and when it was to be redacted and/or destroyed. They also could not ensure the most sensitive data was securely managed.
How do organizations navigate these changes and ensure they are compliant with data privacy legislation? The question is particularly pressing for ‘dark data,’ all the unused, unknown data an organization may unknowingly possess.
The solution starts with good data management (AKA records)
Organizations must consider data privacy in the context of the overall data lifecycle, as part of a broader information management program. Data privacy should be informed by record keeping, by data inventory, by data categorization, and aided by data minimization. And these facets, too, are informed by data privacy.
Creating a complete understanding of the data in your possession is the first step. RecordPoint customers benefit from auto-classification for scalable, consistent, and accurate governance over all their data. This allows them to:
- Increase the value of their data with complete and consistent identification and definitions.
- Increase customer trust and brand image with responsible data practices.
- Decrease the risk of data misuse (e.g., failure to implement a right to be forgotten or not adhering to consent) to avoid large fines for privacy non-compliance.
Here are five ways RecordPoint auto-classification makes data governance complete, consistent, and efficient.
1. Automate labeling with metadata classification
RecordPoint automates classification using our Machine Learning capability (Classification Intelligence) to identify data and add descriptive labels and attributes. We know data can be messy, so we don’t depend solely on column titles. Instead, RecordPoint classifies data more accurately by analyzing samples of the data and considering the context of how that data is related across sources. Labels and attributes are automatically assigned to data based on out-of-the-box and custom classifiers that identify data important to your organization. Once you know what the data is, then you can identify what needs to be governed, how it can be used, and what needs to be protected.
You can also identify what can be defensibly disposed of, reducing the size of your data inventory and making it easier to fulfil requests to access the data you might hold on an individual (known as data subject access requests, or DSARs).
2. Maintain a complete and consistent data inventory
Organizations struggle with consistent data governance because data comes in various forms, is stored in many data sources, or is owned by various siloed departments. RecordPoint offers a single platform to manage structured and unstructured data across all data sources. The benefit of classifying data from a centralized platform is consistent labeling and, therefore, consistent management applied across all your data.
When your organization applies access privileges, data quality assessments, or privacy policies to be compliant with regulations, you must apply those policies to all relevant data. For example, for sensitive account numbers, you need to identify where all the account numbers are in your data, classify that data appropriately, and make sure that the records are governed with appropriate access and protection.
Because RecordPoint manages records in-place, this data inventory will always be up to date. In a constantly fluid data estate, you won’t be limited to a point-in-time understanding of your data privacy posture, increasing data trust.
3. Enrich the catalog with privacy and security data details
Auto-classification with RecordPoint extends functionality to enrich your data catalog with privacy and security details. Automated labels and warnings surface sensitive data for awareness, eliminating the need to manually identify data that requires more careful management. RecordPoint’s native catalog is populated automatically, allowing RecordPoint to connect external data sources with an enterprise-wide classification. Security teams benefit from visibility that sensitive data is secured and risk is reduced. Privacy teams benefit from confirmation that private information is protected and regulations are enforced. Data Governance, Privacy, and Security teams can track their progress, assess risk, and monitor compliance by proactively running reports and self-audits to identify and correct any gaps before they become a compliance problem.
4. Reduce the impact of data breaches or ransomware attacks
Understanding what your most sensitive customer data is and where it is located puts you in the best possible position to respond to a privacy breach or ransomware attack. Organizations with significant amounts of ‘dark data’ struggle to weather such an attack because they do not know what personally identifiable information they hold and whether and how it has been accessed. This problem can be made worse when data has not been disposed of when it reaches the end of its retention period. Also, once teams understand where the most sensitive data is stored, they can take actions to improve data security.
5. Make better, more defensible decisions
By understanding what sensitive, private data is in your possession, you can make better decisions about how to manage it, ensuring you are complying with relevant privacy obligations. You can make sure access controls for sensitive data are secure, you can make sure it is disposed of when it reaches the end of its retention period, and you can back those decisions up with a clear audit trail that shows the history and the provenance of the record. Responding to a Data Subject Access Request (DSAR) is much easier when you have an accurate, up-to-date data inventory and can show not only what data your organization has, but why you have it and when it will be disposed of.
For example, for organizations collecting sensitive data like passports, such as banks processing loan applications, RecordPoint enables them to prove the data was collected for an appropriate business purpose, managed in line with appropriate statutory laws and regulations, and then appropriately disposed of when the purpose of collecting that data was no longer valid.
With RecordPoint, you can responsibly manage data from the beginning. When a DSAR arrives, it will be easier to retrieve and supply the data, and there will be less of it, because the platform will have been managing data retention and disposal and helping you get rid of data you don’t, and shouldn’t, need to store.