Storage
Mobility
Protection
Analysis and control
TOPICShare
The modern enterprise collects, accesses, uses, and stores mountains of personal data, which is data that identifies a person or that can be used to identify a person. This data is used in a wide variety of business functions, and accessed via a range of different applications and storage systems. But at the same time, data protection laws have been coming into force in response to public concern about user data privacy.
So, with such a large amount of data you now need to protect and control, where do you start? What kind of compliance risk does this data pose? This post can help by outlining the main types of data that can be compliance concerns.
Read on below as we cover:
Primary Areas of Concern
The following are the main avenues a typical enterprise should explore to identify potential compliance issues.
1. Human Resources (HR) Data
The day-to-day running of the HR department relies heavily on the use of personal information. It has to store, process and protect employee records and job applications that contain a wealth of personal information, such as social security numbers (SSNs), telephone numbers and home and email addresses.
It also handles many types of sensitive personal data, such as information concerning an employee's health, ethnic origin, or trade union membership.This type of sensitive information may need additional protection as required by certain regulatory schemas, such as the GDPR or the U.K. Data Protection Act.
In addition, HR professionals will perform background checks, which can reveal details of criminal offences. Criminal offence information, under numerous global, national, and regional laws, is considered personal information that requires enhanced data protection due to the sensitive nature of the data..
2. Payroll and Pension Plans
Payroll and pension departments process a lot of personal data—ranging from names, addresses and dates of birth to bank details and social security numbers. Pension records will also contain details about third parties, such as each member's partner and children or other potential recipient of death benefits.
Even though you may have legitimate grounds to process personal information for payroll and pension purposes, there are legal limits to collecting more data than you actually need. And, finally, if you outsource your payroll then you should revisit your contract with the provider to ensure it addresses the responsibilities of both parties under new data privacy laws.
3. Legal Document Data
Many types of legal documents, including non-disclosure agreements (NDAs), patents and vendor-customer contracts, don’t generally contain personal information but rather contain confidential corporate information that may require a similar high level of data protection, applicable to personal information, to meet your organization’s compliance requirements. The data in such documents could prove particularly problematic given the formats in which such material is so often stored.
It generally comes in the form of MS Word or PDF documents stored in external cloud-based services, such as Office 365 and Google Drive. This presents challenges to maintaining full data visibility and control, which is so important in ensuring you have blanket data protection coverage.
What's more, document formats, such MS Word, provide only limited tamper-resistance. So, to protect document integrity, you'll need to switch to a more secure file format, such as PDF, or implement tighter access controls.
4. Sales Data
For many organizations, sales or consumer data will represent the vast majority of the personal information they collect, process and store. This will include not only details captured from sales orders, but also customer support, enquiries made through their website, prospect lists and users of trial and free-tier services.
Under the GDPR, you can no longer sign consumers up to your mailing list by prefilling a checkbox in your online checkout and assuming consent. Instead they must actively confirm they wish to do so, usually by ticking an unchecked opt-in box.
The CCPA focuses more on the sale of personal data, whereby California citizens have the right to know if you sell their information and the option to prevent you from doing so.
5. Supplier Records
Purchase orders and supplier records can also contain personal information and confidential corporate information. So you should implement much the same protection measures as you do for other forms of personal and/or confidential corporate data.
For example, you should seek approval first before you set up a new supplier account. It's also good practice to periodically clean up your database of suppliers, removing accounts belonging to those you no longer intend to use or haven't used for some time.
6. Payment Card Details
Payment card details are another source of personal information you must protect. If you store, process, and/or transmit cardholder data, in the United States, under the requirements of PCI DSS compliance, you must protect this cardholder data by implementing security measures like strong encryption that render the cardholder information unreadable. And remember, you should only store such data where strictly necessary and only for long as you actually need it.
In addition, you should take steps to prevent payment card fraud through measures, such as:
- Using up-to-date antivirus software and other malware protection
- Installing and maintaining a firewall
- Restricting internal access to cardholder data
7. Website Visitors
The company website is generally seen as the public face of an enterprise. As a result, it's often high on the list of an organization's compliance priorities.
So when the GDPR came into force, legal and marketing teams were quick to respond to the new requirements and made significant website changes.
For example, they:
- Revised the company's privacy policy, outlining what they do with the personal data they collect, the lawful basis for processing it and the rights of visitors to control the use of their data.
- Included a privacy notice and link to the full privacy policy at appropriate points on the website, such as contact forms, mailing list signup boxes and comment streams.
- Provide website visitors with tools so the user can give consent to use their information..
Many also had to rebuild their mailing lists from scratch, as they hadn't previously sought active signup consent from their website users.
However, maintaining compliance is an ongoing effort. Websites are continually evolving, adding new data-driven features to improve the user experience and increase sales. And privacy laws are constantly changing to keep up with technical evolution. Even if your company has followed suit and fulfilled its legal requirements, you'll still need to periodically review your site to ensure it remains compliant.
8. Email Content
Your company should issue staff with clear guidelines to prevent personal data, exchanged or potentially exposed via email, from ending up in the wrong hands.
For example, employees should:
- Share personal information in emails only where strictly necessary.
- Protect their email accounts by using a strong password and two-factor authentication (2FA).
- Avoid using company email addresses for private messages.
- Beware of phishing emails and email attachments from unknown sources.
You should also promote email practices that reduce the amount of data in inboxes. For instance, employees should maintain copies of email conversations for only as long as necessary—particularly if they contain personal data. And rather than exchange sensitive documents by email, they should ideally share them using links to a secure repository, which supports access control and logging.
9. Backup Copies
Backups and the personal data contained on them remain one of the key technical challenges to meeting international and national privacy requirements.
For example, you may not be able to delete individual records with personal information from incremental backups without breaching the integrity of the backup as a whole. Likewise, outmoded tape storage systems aren't generally designed for granular detection and deletion of personal data.
As a result, it may not be technically feasible to erase all the data about an individual in response to a right-to-be-forgotten request. Nevertheless, you can still pursue options that can help you ultimately fulfil your obligations—such as moving archival data to low-cost cloud storage.
Information Classification: A Key Component to Data Compliance
Data classification is one way that companies can assess their data for compliance concerns. It can help you understand the types of data you collect and store about individuals. It can help you locate sensitive data so you can take appropriate measures to protect it. And it can help you align your data protection strategy to legislative requirements.
But manual data classification is a time-consuming, complex, and, in some cases, impossible undertaking. Companies at the enterprise level should look to streamline the process by using a solution that assists your organization by automatically classifying data according to your data classification schema.
This will not only save your business time and money, but will also reduce human error involved in manual processes and help ensure you have eyes on your data at all times. There are numerous new data governance tools being made available that can help organizations better address privacy concerns, including NetApp Cloud Data Sense.
NetApp Cloud Data Sense is available for use with any storage repository, whether on-prem or in the cloud. No matter where you keep your data, you can help address your compliance concerns with the use of its easy-to-use data mapping and reporting features.