Three years ago, I started as a PreSales consultant covering the topics of Data Analysis and Data Management. These topics were directly connected to the topic of Data Privacy and all the regulations around it, so it was naturally part of my conversations. One year later I also started to cover solutions for Data Security and Encryption, which we have combined as one portfolio under Voltage Data Privacy and Protection. Since combining protection with privacy, I have had even more conversations on Data Privacy.
During many Data Privacy discussions, and noticing a lot of different approaches and opinions, I noticed that Data Privacy projects can be compared with a road trip. It is a topic with different elements to look for and with different steps you can do. And from every step you can take a result for your Data Privacy project – a souvenir from your road trip stop.
I would like to show you how I understood this road trip and give you perhaps some interesting ideas to think about. If you look at some details of a Data Privacy road trip, you’ll see you can do several stops at different topics and actions to realize a Data Privacy project. So, the following is just an example:
The first stops are your requirements regarding Data Privacy, followed by an analysis, a classification, and final actions on data.
Our first road trip stop: Requirements
Discussing the requirements regarding Data Privacy as a first road trip stop is necessary to clarify what you want to achieve: Which compliance requirements do you need to fulfill? Which other requirements like cost or time-savings do you need to consider? Especially if you have several sub-projects for Data Privacy you should think about the requirements in detail.
While these questions are clarifying the next steps, you should also consider your current situation: What is your current state? What compliance requirements do you already fulfill? How do you manage data? You can focus on the important tasks if you know what you have already done and can maybe also learn from processes you have already implemented.
Our second road trip stop: Analysis
The next stop on the road trip of Data Privacy would be the discovery and analysis of your data. It is key to understand your data as all your data can fall under compliance requirements, so you have to look at your data in all systems. This means you should proceed with sensitive data discovery, to find and drive insight to unstructured data in files, as well as structured data in databases.
This data is also distributed in many systems across your corporate IT environments, so you should have a look at your on-premises data and also your data in the cloud, as all of this data is your company data. Doing this analysis needs to be supported by tools and by risk scores so you can prioritize and automate your work to reduce costs and time efforts of this road trip stop. Of course, you also need to define some criteria for the analysis – as you have your own organisational-specific types of data – to have good results in this effort. Clear criteria and effective tools help you to work through your data analysis.
The analysis enables you to have an overview of your data and more easily work with your data. We noticed that customers often know specific locations, for example, where they store sensitive files, but they have no control or insight to possible copies of these files. But it is important to find these files as they contain sensitive regulated information such as employee or customer data. With an effective analysis of unstructured and structured data in your corporate IT you greatly increase the likelihood to find all important data.
Before you work with this data directly and take action you are on your way to make another stop on our road trip: the classification of data.
Our third road trip stop: Classification
Classification can be a helpful step to simplify your work as you can decide the next action for a specific classification of data instead of every single document. So, for example, you can decide that all personal data or all contract information should be moved to a central location to store securely.
For this classification we can use the information from our previous stop at Analysis: We can define that specific content of a file classifies the document automatically as sensitive information. For example: If we found a contract number in a document combined with some names and addresses it could be classified automatically as a contract.
The type of classifications you will have can depend on different factors: Do you only want to classify files by the type of content like health data or finance data? Or do you also want to classify how sensitive it is and use classification levels like sensitive, highly sensitive, and public? These are also steps to define on this stop.
Our fourth and last road trip stop: Action
With these classifications from our previous stop it is easier to go to our last stop of our road trip where we take action on classified (and unclassified) data. This step is not limited to only one specific action. Instead there are many different actions which can be selected based on the type of data and what is needed. So, some data can be encrypted while other data can be moved or copied to other locations. It is also possible to extract test data or manage data with retention policies.
These are just some examples as there are different possibilities to manage data appropriately. What is an appropriate action depends what you have defined in your first stop of the road trip when you determined the requirements. In some situations, it could be necessary to encrypt data while other data should be hashed so that it is anonymized or copied to a secure location.
One important fact connects all these road trip stops: It is necessary to do these actions continuously. So, the road trip does not really end with actions. Because data is created and flows into your organization on a continuous basis, instead you can and should be working the entire data privacy process on a regular and continuous basis. A continuous process of data discovery, analysis, classification and action helps to fulfill all requirements regarding Data Privacy because you always get new data which needs an analysis and classification followed by actions like encryption, archiving, or management.
I hope that gave you an interesting overview about the Data Privacy road trip.