Getting the Basics Right: Building Data Compliance within a Business

Posted on: February 20, 2015 by Paul Visser

Each year on January 28th, Data Privacy Day takes place (or Data Protection Day in Europe) to raise awareness about the types of data that is collected and stored about people. It also gives an opportunity to discuss best practices for protecting the privacy of personal information online and encourages compliance with privacy regulations. Here we take a business perspective on what can be done to ensure compliance and keep data safe.

We know that compliance is a thorny issue; it requires investment to ensure any organization is doing everything needed to keep data safe, ensure safe operations, build trust with customers by protecting their data while also avoiding any potential fines for poor security practices. And while regulations vary by country there are several basic principles that a business can follow to keep data secure:

1. Know Your Data

Business must ensure they understand exactly what data they have, its sensitivity and its value to the organisation. Once you know this you can take the right measure in storing and protecting it.

Its vital to keep track of all data – even when it is copied! Backing up is important but if it is improperly stored it could offer hackers an alternative way in.

2. Assess your Appetite for Risk

Think carefully about the level of risk your organisation is willing to operate under. While all data can be of value, it is excessive to try and lock down everything, businesses must find a balance between cost and risk. The fact is that compliancerisks should be factored into all decisions and are a vital focus area in the journey to optimal security and compliance processes.

3. Communicate Clear Security Policies

Make your employees part of the solution rather than an area of risk. Organisations should look to raise awareness among staff members, demonstrating the importance of their role and advising them on how they can avoid the numerous risk areas in cyber security.

4. Outsource with Caution!

Outsourcing is a vital tool in developing a comprehensive IT estate. However, storing data with a third party provider is not an opportunity to wash your hands of the responsibility for compliance. When outsourcing any critical functions it is up to you to ensure that any data is secured in a safe and well protected environment.

This means selecting a provider who is transparent and allows comprehensive real-time monitoring of your data’s location and provides te relevant access rights.

5. Research the Relevant Regulations

All markets, regions and sectors have a concrete set of specific data compliance regulations. And as new technologies become available these regulations are adjusted, often quickly and without extended warning periods.

IT complexity is increasing, an organisation’s data is rarely stored within a single location but often spread across multiple providers. Businesses must stay on top of all areas, ensuring all data is stored in an up-to-date manner.

6. Check whether you own your data in the cloud

Sometimes cloud services are paid for, other times they are ‘free’ but in the latter case it’s likely ‘you’ are the product i.e. the information you generate is likely to help recover the supplier costs of providing the service. Ensure your employees are educated on this topic so your IP isn’t compromised.

7. Understand when it’s time for data to disappear

As the value of an organisation’s data changes over time, ensure it’s managed appropriately, choosing to retire or archive data or ultimately remove it. For business critical apps, trust and control are important considerations.

It may take time to develop a robust security strategy upfront, but this will pay dividends in future. It’s about developing a policy which predicts, understands and eliminates past, present and future cyber threats and this is essential to the success of any organization.

To hear more on the risks that data compliancy failures pose to business, check out our previous blog here.

Share this blog article

  • Share on Linked In

About Paul Visser
Practice leader Governance Risk & Compliance
Paul Visser is the Practice leader Governance Risk & Compliance within Atos Consulting in the Netherlands. With over 16 years’ experience, Paul has developed expertise in risk-based auditing as well as the use and management of complex control frameworks. Offering expertise in a number of fields - including risk analysis and management, data protection and process control - Paul is service leader for the Audit and Assurances services and the Cloud consulting offerings. As a principal consultant he advises organizations on the strategic choices regarding quality management, internal control and external compliance.

Follow or contact Paul