The amount of data being created, captured, copied, and consumed has increased exponentially with society’s tectonic shift to digital reliance. As a result, the pace of data privacy and data regulation has accelerated on a global scale. Ensuring the security of your proprietary and customers’ data is paramount to staying in line with ethical and regulatory standards and retaining customer trust.
When strategizing how to best understand your data and determine if you have the appropriate data controls in place, you should consider the following steps:
1. Classify your data. Each category has a different sensitivity and will require different security controls.
- Public Information: No specific restrictions are required, and there is no negative repercussion if the data is shared, e.g., information published on the company website.
- Private Information: For internal use only, but there are no severe consequences if the data is leaked, e.g., employee salaries.
- Sensitive Data: Regulated. A leak could result in high business impact and financial loss, e.g., customer credit card information.
- Highly Sensitive Data: Subject to strict regulation and available only to authorized individuals. A leak could result in losing permission to continue operating.
2. Identify your sensitive and high-risk data. Sensitive and high-risk data include:
- Personally identifiable information (PII): name, address, Social Security number (SSN).
- Protected health information (PHI): patient records, health insurance details, and medical records.
- Sensitive personal information (SPI): religion, sexual orientation, criminal convictions, racial or ethnic origin.
- Non-public or financial information: company strategic plans, contract information, tax records, employee salaries.
- Intellectual Property: Patents, trademarks, trade secrets, licensing, copyrights.
3. Determine your type of data. Each type differs in how hard it is to find, manage, and protect:
- Structured data: Easy to access, search, identify, and protect, e.g., data stored in a database, where the schema already tells you which columns hold sensitive values.
- Unstructured data: Not organized in a predefined format, e.g., Microsoft Office or Adobe PDF documents stored on a shared drive or in a computer folder, where sensitive values can only be found by inspecting the content.
4. Understand your data.
- How is this data being captured?
- Where is this data being stored?
- What is the authoritative source (system of record) for this data, and what are the critical data elements?
- How is this data being shared, e.g., via reports, messaging, etc.?
- What is the quality of this data?
- How is this data archived, removed, and destroyed?
5. Review risk and controls.
- What is the purpose of collecting and processing this data?
- Is this data subject to local or global regulations or rulings, e.g., GDPR, CCPA, the Irish DPA, Schrems II (which governs international transfers), etc.?
- Do I have consent to store and share this data?
- Are there entitlements and security controls in place for sensitive data?
- What are the actual threats and risks to this data? Is it secured against external threats?
- What are the current processes for data monitoring and incident response?
- Are there specific regulatory requirements for this data's retention period, and how must it be removed and destroyed at the end of it?
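Steps 1 through 3 come together in practice as a data discovery scan: structured sources are tagged from their column names, unstructured content is pattern-matched, and the strictest finding decides the tier of the whole asset. The following is an added example written for this page, not code from the original post or from any of the tools mentioned below. The detector patterns, the column-name hints, the tier assignments, and the sample records are all assumptions made for illustration; a real program would draw them from the classification policy agreed in step 1.

```python
"""Sensitive-data discovery scanner (added example, not from the original post).
Maps findings onto the four classification tiers described above. The detector
patterns, column-name hints, tier assignments and sample inputs are assumptions
made for illustration, not any vendor's or regulator's rules."""
import re
from dataclasses import dataclass

# The post's four tiers, ordered so max() picks the strictest one.
PUBLIC, PRIVATE, SENSITIVE, HIGHLY_SENSITIVE = range(4)
TIER_NAMES = {PUBLIC: "Public", PRIVATE: "Private",
              SENSITIVE: "Sensitive", HIGHLY_SENSITIVE: "Highly Sensitive"}


@dataclass(frozen=True)
class Finding:
    label: str      # what was detected, e.g. "US SSN"
    location: str   # where, e.g. "notes.txt" or "employees.salary"
    tier: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 13-19 digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """Reject SSN-shaped values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# Content detectors for unstructured data: (label, pattern, validator, tier).
# The validator step cuts false positives that a bare regex would raise.
CONTENT_DETECTORS = [
    ("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok, HIGHLY_SENSITIVE),
    ("payment card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda s: luhn_ok(re.sub(r"\D", "", s)), SENSITIVE),
    ("email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
     lambda s: True, PRIVATE),
]

# Column-name hints for structured data: the schema already says what a field
# holds, so no pattern matching is needed. Names are assumed for the example.
COLUMN_HINTS = {
    "ssn": ("US SSN", HIGHLY_SENSITIVE),
    "diagnosis": ("PHI diagnosis", HIGHLY_SENSITIVE),
    "card_number": ("payment card", SENSITIVE),
    "salary": ("employee salary", PRIVATE),   # the post's own Private example
    "email": ("email address", PRIVATE),
}


def scan_text(text: str, location: str) -> list[Finding]:
    """Scan free text (a document, a chat export) for regulated content."""
    found = []
    for label, pattern, valid, tier in CONTENT_DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                found.append(Finding(label, location, tier))
    return found


def scan_record(table: str, record: dict) -> list[Finding]:
    """Scan one row of structured data: trust column names first, then inspect content."""
    found = []
    for column, value in record.items():
        where = f"{table}.{column}"
        if column.lower() in COLUMN_HINTS:
            label, tier = COLUMN_HINTS[column.lower()]
            found.append(Finding(label, where, tier))
        else:
            found.extend(scan_text(str(value), where))
    return found


def classify(findings: list[Finding]) -> str:
    """The strictest tier among the findings decides the classification of the whole asset."""
    tier = max((f.tier for f in findings), default=PUBLIC)
    return TIER_NAMES[tier]


if __name__ == "__main__":
    # Constructed sample inputs: no real people; 4111 1111 1111 1111 is a well-known test number.
    note = "Contact jane.doe@example.com, SSN 123-45-6789, card 4111 1111 1111 1111"
    row = {"employee_id": 42, "email": "j.doe@example.com", "salary": 95000}
    for name, findings in (("notes.txt", scan_text(note, "notes.txt")),
                           ("employees row", scan_record("employees", row))):
        print(f"{name}: {classify(findings)} -> {[f.label for f in findings]}")
```

The validators matter as much as the patterns: a checksum-failing 16-digit number or an SSN in a never-issued range is exactly the kind of false positive that makes teams stop trusting a scanner. Treating column names as authoritative for structured data and falling back to content inspection only for free-text fields is what makes the structured case cheap and the unstructured case expensive, which is the distinction step 3 draws.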
***
Perficient’s financial services and data solutions teams have extensive experience building and supporting complex data governance and data lineage programs that ensure regulatory compliance (e.g., BCBS 239, CCAR, MiFID II, GDPR, CCPA, FRTB) and enable data democratization. In addition to understanding how to navigate financial institutions with many complex systems, we have experience with various platforms and tools in the ecosystem, including ASG, Collibra, and Informatica Enterprise Data Catalog (EDC).
Whether you need help with business and IT requirements, data acquisition/sourcing, data scanning, data linking and stitching, UAT and sign-off, or data analysis – we can help.
Reach out today to learn more about our experience and how we support your efforts.