As we head into the holidays, we begin to take stock of the year and make a myriad of resolutions for the New Year. Well, the same should be true in business as you take stock of your privacy footprint in 2015 and how it might change in 2016. Here are some basics to consider:
1. Take stock. Just like going through the attic when you go to get the holiday decorations, go through the data sets you collect. Ask yourself:
a. Do I really need this information?
b. If so, what for? (“Just in case” is not a good answer.)
2. Declutter and lose weight. If the answer is NO, then get rid of that information—from your live/production systems and your backups. The best security is not to have the information in the first place.
3. Give it a name. If the answer is YES, then next determine whether the information is identifiable or otherwise sensitive (trade secrets, intellectual property). If the data is that valuable, you should be able to classify it accordingly so that employees are properly alerted to how that information must be handled. Define or classify the information in internal terms (e.g., high risk, low risk, general use) and in external terms, such as the terminology used in regulations and laws (Protected Health Information, Trade Secret, Nonpublic Personal Information). Only once you have identified and classified your information can you put a plan in place to manage it.
4. Oh the places you will go. The next step is to MAP the flow of that information inside and outside your organization. Like rodents getting into your attic and leaving treats for you to find as you drag the decorations downstairs, you might be surprised when you realize all the places your data goes and everyone who has access to it.
5. Make a resolution. Don’t like that word? Me neither. Call it a data governance plan to outline the administrative, technical, and physical safeguards you are going to put in place to ensure the information is used properly and in accordance with the law and any commitments your business has made. Better yet, like the curls and crunches you do in January, you will see dividends later in the form of a more efficient response and recovery when a data breach comes knocking on your door.