Data privacy is top of mind for today’s enterprises.
The National Security Agency’s PRISM electronic surveillance program, large-scale surveillance practices on the part of European Union member states, highly publicized data leaks and thefts, and bring-your-own-device (BYOD) policies are bringing greater awareness of data privacy.
Meanwhile, global corporations know they must adapt their IT infrastructure to support increasingly varied regional data protection regulations or face potential sanctions or legal repercussions.
Data privacy is a multi-pronged issue. It begins with how data is stored and secured, but it also includes processes and controls to address broader privacy concerns. As more and more data moves to the cloud and consumer applications are adopted by the workforce, new privacy concerns are surfacing. Sensitive financial data, personally identifiable information (PII), and other sensitive data are making their way onto devices and networks outside the view of IT.
Despite this fragmentation and lack of visibility, under the terms of data-privacy regulations, organizations are morally and legally required to protect the privacy of their users’ data. While many organizations have the foresight to put policies and procedures in place to ensure data security and privacy, it does not mean that they’re always followed. Putting that responsibility in the hands of individuals and expecting them to strictly follow those guidelines is unrealistic.
Today’s global data-privacy landscape requires that businesses take a proactive, holistic stance on data privacy. Data privacy should be part of every company’s day-to-day operations; policies, procedures and technologies should be in place to address potential risks. Companies need to comply with data-residency laws to protect corporate and employee data privacy. Also, companies need to not only govern and protect data, but also ensure that cloud service providers meet stringent data-privacy guidelines for storing data in the cloud.
How can companies ensure they meet regional, employee and corporate privacy mandates? In today’s new data-privacy landscape, how can leaders ensure their company is compliance-ready?
Here are 11 questions that can help you gauge your company’s data-privacy “readiness” regarding regional, employee, corporate, and scenario-based privacy.
1. Data residency: Does your IT admin have the ability to determine regions for data storage?
2. Local admin: Can IT admins be segregated and delegated with pre-defined granular access rights?
3. Vendor production: Are vendors prevented from accessing stored data blocks or metadata?
4. Individual privacy: Can end users control privacy settings or opt out of admin data, metadata, or audit trail visibility?
5. Data segregation: Is data on mobile devices containerized?
6. Employee: Are there exclusionary settings for the data backup and collection process, with admin visibility to audit trails restricted via policy?
7. Officer data: Are there policy group settings for classes via Active Directory to restrict data visibility?
8. Data auditing: Can data be fully audited for compliance response for PHI and PII?
9. Tracking and monitoring: Is monitoring proactive and based on data classifications?
10. Compliance: Are there delegated roles for compliance and legal counsel?
11. Investigations and e-discovery: Is there full data and audit trail access for compliance, investigation, and litigation requirements?
If you answered “No” or “I don’t know” to more than a few of these questions, it’s imperative you look into strengthening your data-privacy stance. From global data protection regulations to HIPAA and FINRA in the U.S., data privacy continues to have a sweeping impact on global corporations. Businesses must adapt their IT operations and infrastructures to comply with these global and regional requirements or face legal repercussions. The time is now — your company’s data privacy, data integrity, and overall reputation depend on it.
Jaspreet Singh is chief executive of data protection and governance startup Druva.