The current regulatory environment is driving urgency to meet modern enterprise data handling challenges
At their core, data privacy regulations like GDPR and the California Consumer Privacy Act (CCPA) require good data handling practices. Continuous defensibility to meet compliance requirements boils down to doing two things well:
1) Understanding where sensitive data resides across all data source types.
This should include structured, unstructured, and semi-structured data, whether in motion or at rest, on-premises or in the cloud. The ability to scale up and down is critical.
2) Mapping data back to existing data handling obligations.
Obligations include not just regulations, but also contracts and internal policies. You also need the ability to take action within your data ecosystem, such as encrypting files or processing a consumer’s data access request.
Seven data handling best practices
Having visibility into where sensitive data resides and tying it back to obligations is critical to enabling these seven data handling best practices:
1) Implement data security controls.
Documenting policies is important, but to be defensible you need to be able to show that you can identify different types of sensitive data across your enterprise, and that you have compensating controls in place to keep it encrypted, hashed, or masked. Be cautious about solutions that simply map IDs to pre-existing metadata. You’ll run the risk of creating a false sense of security about the data you have, which security parameters are being applied, and whether they’re in compliance with regulatory mandates. Metadata can be misleading. Integris operates at the data element level to inform you exactly what personal information is in your dataset, not just what the metadata implies. By using a combination of contextual awareness, natural language processing, and machine learning, Integris maps all sensitive data elements to assess privacy, integrity, and handling violations.
2) Establish and enforce a data retention policy.
You probably have different retention policies for different types of data. Make sure you’re calculating retention in a consistent way, based on creation date, date of last transaction, or another metric. Of course, to be defensible, you’ll need to be able to identify your sensitive data and show that you’re adhering to your own retention policy.
3) Identify mislabeled data.
Data handling policies only work if your data has the right labels. It’s not uncommon for databases backing web forms to contain mislabeled data. For instance, a customer accidentally typing their credit card number into a phone number field could put you in violation of a regulation, because you’re not encrypting the phone number column in your database.
4) Identify misclassified data.
Much like mislabeled data, misclassified data poses a significant risk. For example, SSNs found in a phone number column will not have a high enough classification tied to the data set. Don’t rely on manual data mapping efforts, which can be riddled with errors. Integris automates the identification of misclassified and mislabeled data, then surfaces issues for human intervention or kicks off automated remediations.
5) Tackle data proliferation, including data in motion.
You probably have data handling policies that restrict where sensitive data resides. For example, it must sit in Oracle or Hadoop, but not in network file storage or Dropbox. For data streaming into an organization from places like Facebook, Instagram, or business partners, data in motion can be a big blind spot. Identify and monitor your data streams to ensure you know what is entering and leaving your organization and that you are adhering to all data handling policies. Integris’ ability to handle data in motion is key to helping you understand which data is entering or leaving your organization via data sharing agreements, and the streams and feeds your company relies on for continuous innovation.
6) Residency-based policy-making.
Both GDPR and the California Consumer Privacy Act (CCPA) indicate that data handling policies apply differently depending on a person’s residency or citizenship. Track data against residency policies to ensure effectiveness. Integris can infer residency from geospatial data, a country code, or phone number.
7) Handle what GDPR calls data subject access requests (DSAR).
Under both GDPR and CCPA, individuals have the right to inquire about their personal data, what data companies collect about them, how it’s being used or shared, and to exercise their right to “be forgotten.” To address DSARs, you must understand where all personal data resides and be able to map it back to your users.
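The mislabeled and misclassified data cases in practices 3 and 4 (a credit card number or SSN sitting in a phone number column) can be caught by classifying each value by its content instead of trusting the column label. The sketch below is an added example, not Integris code or its method; the sensitivity scale, function names, and sample column are assumptions made for illustration.

```python
import re

# Sensitivity rank per detected element type (assumed scale for this example).
SENSITIVITY = {"phone": 1, "ssn": 3, "credit_card": 3}
# SSN shape with the never-issued area, group and serial values excluded.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str) -> str:
    """Classify one value by its content, ignoring the column label."""
    v = value.strip()
    if SSN_RE.match(v):
        return "ssn"
    digits = re.sub(r"[ \-().+]", "", v)
    if not digits.isdigit():
        return "unknown"
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "credit_card"
    if 10 <= len(digits) <= 12:
        return "phone"
    return "unknown"

def mask(value: str) -> str:
    """Keep only the last four characters so findings do not leak the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def audit_column(label: str, values: list[str]) -> list[dict]:
    """Report rows whose content is more sensitive than the label implies."""
    expected = SENSITIVITY.get(label, 0)
    findings = []
    for row, value in enumerate(values):
        found = classify(value)
        if found != label and SENSITIVITY.get(found, 0) > expected:
            findings.append({"row": row, "label": label,
                             "detected": found, "value": mask(value)})
    return findings

# Constructed sample: a "phone" column from a web form (test numbers only).
PHONE_COLUMN = ["(415) 555-0134", "4111 1111 1111 1111",
                "078-05-1120", "+1 212 555 0199"]
```

Calling audit_column("phone", PHONE_COLUMN) flags rows 1 and 2 as a credit card number and an SSN, with the values masked in the findings.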