Why is it so difficult for organizations to get a handle on their data lifecycle management practices?
It’s not for lack of trying.
Poor Decisions = Increased Risk
In reality, many of these organizations have paper-based policies that are largely unenforced for a number of different reasons.
First and foremost, these policies are often written by legal and compliance professionals who know very little about a day in the life of the normal business user.
Second, these policies are often written without consulting IT and security, so they do not always reflect what is technically possible to enforce or even the reality of what workers are doing every day.
Left to their own devices, business users will most often make poor decisions when it comes to data management and security. Most business users believe that their information is critically important, so they tend to keep it for longer than necessary with the thought that they might need it again someday.
They also keep it where it’s easiest for them to access it, rather than in the places across their networks that have been properly secured. This can lead to a proliferation of data across corporate and personal networks and devices, a loss of good knowledge management and critical corporate intellectual property, and an increase in potential security and privacy risk.
Nothing Lasts Forever, Including Data
In reality, very little information should live forever. Most data should be subject to very specific and prescriptive lifecycle management practices.
Data should have a beginning, middle and end. Whether data is generated within your organization or collected by your organization from a third party (customer, vendor, or partner), the only way you can effectively protect it is by understanding it.
Data without controls can create operational, privacy and security gaps that open company assets to risk. Once you know what it is, who can access it, and who has accessed it, you then can make decisions about where it should live.
Data in a highly secure system may need fewer controls than data located in a cloud environment or a broadly available corporate intranet or website. Data sovereignty rules also dictate what controls are needed, including what should be kept on premises or if it should go into the cloud, and the exact location of the data.
Implementing a Best Practice Approach
So what does this look like in practice? In a standard organization, data is created or collected by your organization, used by the organization, shared within the organization or by the organization with others, and then ultimately should have a disposition which is in compliance with any regulatory or statutory records management requirements.
The longer you have the data, the more at risk you are of having that data breached or shared inappropriately.
Here are some key considerations you must address before you start the process:
- Understanding how data is created or collected by your company
- The possibility of excessive collection
- How to provide notice to individuals about data collection
- Keeping appropriate records of collection and creation
Next, think about how you are going to use and maintain this data.
Here you should consider inappropriate access, ensure that the data subjects’ choices are being properly honored, address concerns around a potential new use or misuse of data, plan actions around a potential breach, and account for retention of data for records management purposes. You might also want to consider with whom this data is going to be shared, data sovereignty requirements, cross-border restrictions, and inappropriate, unauthorized or excessive sharing.
Finally, remember that all data must have an appropriate disposal. Keep data for as long as you are required to do so for records management, statutory, regulatory or compliance requirements, and ensure you are not inadvertently disposing of it. However, as long as you have sensitive data, you run the risk of breach.
Putting Your Data Plan Into Practice
Once you’ve created a plan considering each of these areas, it’s time to implement your program. Operationally, this is how that kind of program would work in four simple steps:
1. Discover and classify your data
Always begin by determining the type of data you have. An example of a common data classification schema revolves around the notion that data must be classified as public, internal, sensitive or restricted.
The classification of the data dictates its disposal method. This does not have to be completed as an all-or-nothing effort, but rather can be done through a phased approach, or as part of an initial discovery project across a limited scope of data to help build the business rules that can then be disseminated across the organization’s data repositories.
2. Determine retention
Once you have determined how to classify your data, ensure that it is not subject to any retention policies. Regional and government-specific laws and regulations, requirements of accrediting and other external agencies, and prudent management practices govern the retention and disposal of organizational records. These records must be retained appropriately and disposed of in a timely manner to meet the requirements of external regulations.
3. Assign historical value
After you have determined that the data in your possession is not subject to any retention policy, evaluate whether the documents have any historical or archival purpose for the organization. In some instances, data ready to be disposed of may contain information with enduring legal, fiscal, research or historical value, and should be preserved indefinitely.
4. Appropriately dispose of files
After data in your possession has been classified and reviewed for retention and archival purposes, and it is determined that it can be properly discarded, the last step is to dispose of your data based on standard IT practices set by your organization.
A good program must continually assess and review who needs access to what types of information. Privacy and security officers should work with their IT counterparts to automate controls around their enterprise systems, so that it is easier for employees to do the right thing than to do the wrong thing or neglect the consequences of their actions.
Once you’ve implemented your plan, be sure that you maintain regular and ongoing assessments.
An Investment in Your Organization's Information
Privacy and security risk management intersect with other data lifecycle management programs within your company. Combining these related areas will allow you to better optimize resources and risk management for information assets to support responsible, ethical, and lawful collection, use, sharing, maintenance and disposal of information.