With so much data created every day, on the many different devices used across organizations, data is generated continuously. This data becomes “information when it’s presented in a context so that it can answer a question or support decision making”.
Businesses and organizations collect data such as names, dates of birth, credit/debit card numbers and email addresses for different purposes, such as providing services to their customers and improving the customer experience.
“With data collection, comes responsibilities”: data regulations are increasing, defining how data must be managed and making sure everyone’s data is handled properly.
The cost of not complying with these regulations can include fines and reputational damage, among others. In addition, with the data overload experienced by businesses, discovering and managing data is also challenging because data sits on different devices and in different environments. There are several data protection regulations around the world, such as the General Data Protection Regulation (GDPR), the Nigeria Data Protection Regulation (NDPR) and the Kenya Data Protection Act.
In May 2023, Meta (the owner of Facebook) was fined €1.2bn by Ireland’s Data Protection Commission (DPC) for mishandling data. While Meta has said it will appeal against the “unjustified and unnecessary” ruling, the importance of data protection can no longer be overemphasised. As a business, it has become a necessity to identify and protect your data from misuse by authorised or unauthorised persons.
What is Information Protection?
This is the protection of information from unauthorized access, use, disclosure, disruption, modification, or destruction. Information Protection helps you discover, classify, protect, and govern sensitive information regardless of its location.
What to Consider When Defining Your Information Protection Strategy
Protecting information can be a challenge for a business if it is not managed properly, so you must define a strategy to achieve it. To do so, there are some important questions you must answer:
1. What type of data do I have? While some data is collected by almost all businesses, such as names, email addresses and phone numbers, the data a business collects varies with the services it provides. E.g., a financial institution will collect data related to credit cards, while a health institution will collect health-related data. You need to know what type of data your business or organization is collecting: is it personal data, health data, transaction data, etc.? This helps you identify the most critical and most at-risk data.
2. Where is my data located? This is one of the hardest questions to answer. Does your business know where all the data you have identified is stored? Is it on a drive, in a folder, in an Excel sheet on an employee’s desktop, on a server, in a database, or in a SharePoint folder?
3. Can I see what is happening to/with my data? You need oversight of what is happening to your data. Who has access to it? Was it moved? Deleted? Altered? Archived?
4. How can I classify my data? Classifying your data is a great strategy for identifying and understanding the various data your business holds. It also gives you a clear way to manage data regulation and decide what controls need to be in place for each type of data.
Starting Point for Your Information Protection Strategy
Identify where your data is stored and what it is used for
This is a crucial part of a business information protection strategy. As a business you need to conduct a comprehensive data inventory. This is achieved by identifying the systems, applications, cloud services, devices, databases, and storage locations where data is collected, processed, or stored. After identification, collaboration with business stakeholders is required to identify the purpose and usage of each type of data. This will help in assessing the associated risk and implementing appropriate protection measures.
Identify all critical and sensitive data
Once data identification has been completed, you need to classify the data based on sensitivity and criticality. The classification will help you prioritize your protection efforts: you need to identify which data is sensitive and critical to your business. One common way to determine this is to think about the impact on your business of a loss of confidentiality, integrity, or availability of this data.
Manage Data Access
It is very important to identify who has access, what access they have and why they have access to the data. One of the principles of security is least privilege: you give an individual only the minimum access required to do their job.
Have control over what data can be shared and how it can be shared within and outside the business/organisation
In protecting information, you must have control over your data. Control means you can manage how data is shared and accessed. While this is a component of access management, it is important to define and implement controls that manage the sharing of data within the organization. E.g., as an individual in the HR team who has access to employees’ personal information, you should not be able to share employees’ payroll information with an individual in the Helpdesk team.
You also need to define and implement controls that manage how information is shared outside the organization. Is personal information allowed to be shared over email? Is encryption implemented during this process? Although access management is a component of this, it is important that controls are in place to ensure users with access to this data cannot mishandle or share it.
Ensure you have a defined policy on how data should be protected, and that everyone’s responsibility is clearly defined, communicated, and understood.
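The classification question above and the sharing controls just described can be expressed as a small policy check. The following is an added example, not code from the original article: it labels records by the field names and value shapes they contain (the three labels, the keyword lists and the team/external sharing rules are all assumptions for illustration) and then applies a least-privilege sharing decision, including the HR-to-Helpdesk payroll case and the encrypted-email case.

```python
import re

# Assumed three-level scheme, least to most sensitive (not the article's own).
LABELS = ["Internal", "Confidential", "Restricted"]

# Field-name keywords that mark personal (Confidential) or highly sensitive
# (Restricted: payroll, card, health) data. Assumed lists; extend per business.
KEYWORDS = {
    "Restricted": ("card", "payroll", "salary", "diagnosis", "health"),
    "Confidential": ("name", "email", "phone", "birth", "address"),
}
# Value shapes used when the field name says nothing useful (assumed).
PATTERNS = {
    "Restricted": re.compile(r"^\d{13,19}$"),               # card-number shaped
    "Confidential": re.compile(r"^[^@\s]+@[^@\s]+\.\w+$"),  # e-mail shaped
}
# Sharing policy per label (assumed): teams with a business need, whether the
# data may leave the organisation, and whether it must be encrypted to do so.
POLICY = {
    "Internal":     {"teams": None, "external": False, "encrypt": False},
    "Confidential": {"teams": {"HR", "Finance", "Helpdesk"}, "external": True, "encrypt": True},
    "Restricted":   {"teams": {"HR", "Finance"}, "external": False, "encrypt": True},
}

def classify_field(name, value):
    """Label one field from its name, falling back to the shape of its value."""
    lname = name.lower()
    for label in ("Restricted", "Confidential"):  # most sensitive first
        if any(k in lname for k in KEYWORDS[label]) or PATTERNS[label].match(str(value)):
            return label
    return "Internal"

def classify_record(record):
    """A record carries the most sensitive label found among its fields."""
    labels = [classify_field(k, v) for k, v in record.items()]
    return max(labels, key=LABELS.index) if labels else "Internal"

def can_share(record, to_team=None, external=False, encrypted=False):
    """Least-privilege check: may this record go to a team, or outside the org?"""
    label = classify_record(record)
    rule = POLICY[label]
    if external:
        if not rule["external"]:
            return False, f"{label} data must not leave the organisation"
        if rule["encrypt"] and not encrypted:
            return False, f"{label} data may only be sent externally when encrypted"
        return True, f"{label} data allowed externally (encrypted)"
    if rule["teams"] is not None and to_team not in rule["teams"]:
        return False, f"{to_team} has no business need for {label} data"
    return True, f"{label} data allowed to {to_team}"
```

Each decision returns the reason alongside the verdict so it can be logged, which gives the oversight asked for in question 3 above.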
Protect Your Data
As part of your information protection strategy, you need to implement measures to minimise the risk of data loss. These include data encryption and data backups, among others:
- Data Encryption: Encrypt sensitive data, both at rest and in transit, so that it remains protected from unauthorised access even if it is lost, stolen, or intercepted. Ensure encryption keys are managed securely.
- Data Backups: Perform regular data backups to provide a safety net in the event of incidents such as a system crash or data tampering. Test backups regularly to verify their integrity and availability. Consider using offsite or cloud-based backups for additional redundancy.