An integral data policy in order to prevent data leaks
The Dutch legislation mandating notification of data leaks that was introduced on 1 January 2016 has inspired a large number of articles warning about large fines, reputational risk and IT suppliers who leak data. Many of these articles focus mainly on the technical challenges involved in preventing data leaks, but neglect the risks posed by the way end users handle data. A solution for the latter is formulation of and adherence to an integral data policy, and to teach employees to handle data responsibly. This can be achieved on the basis of the Landscape Data Governance model.
A common method to mitigate risk of data leaks is locking everything down: the IT department ensures that end users have limited access to the data. Many IT professionals refrain from educating the end user: this takes a lot of perseverance and whether the end user is able to correctly and safely handle data is uncertain.
The urge to lock up data as much as possible is understandable, especially when the IT department is distant from the workplace. We have seen this in multiple companies. However, limiting data access is unnecessarily restrictive and prevents the end user from learning how to handle data responsibly. This might even increase the risk of a data leak. Formulating an integral data policy that gives users just the right amount of freedom and educates them is a better idea, since this helps preventing data leaks. The new legislation regarding data leak notifications has made data security a priority in many boardrooms. Hence, now is the time to set up a solid data policy.
Integral data policy – Data Governance
Data Governance is created jointly by IT professionals, end users, board members and suppliers. To get an insight into the status of the data governance within an organisation, the Landscape Data Governance Model can be used as a guide. This model addresses the following aspects, among others:
- Data assets;
- Data quality;
- Data access;
- Data life cycle;
A good overview of the available data sources, and the information contained therein is necessary for prioritisation: what is the importance of the Confidentiality, Integrity and Availability of the data (also known as the CIA triad). Such a prioritisation reveals where the organisation uses personal data. This knowledge forms the basis for the prevention of data leaks.
The usage of different data sources is mostly dependent on the data quality. If the quality of this data is low, users look for replacement data elsewhere, possibly in unsupervised places. This increases the risk of a data leak. Data of sufficient quality can be guaranteed by a good definition of the desired quality (generally higher quality data costs more money), of how to acquire the desired quality, and of verification of data quality.
Metadata contains the definition of what the data is. Storing metadata properly, for example in a data dictionary, strongly increases the usability of the data, thus decreasing the likelihood the end users will start looking for data elsewhere.
A good data policy is incomplete without an extensive access policy. Prioritisation is important here too: securing everything to the highest standards is expensive and rarely required. Therefore, it is important to determine both the required level of security and available budget for security for each data set.
Having a good overview of the entire life cycle of data, from generation to deletion or archiving of the data, is important to ensure compliance with data retention and removal directives. It also prevents databases from growing too large or basing analyses on outdated data.
Setting responsibilities and increasing a sense of responsibility should be part of every data policy. This can be achieved by mapping the data landscape: how does data generate value for the company? Then every individual is taught his or her role in the generation of value with data.
Measuring is knowing
The first step in creating a formal data policy is measuring what the current status is. Landscape developed a Data Governance Scan to quickly and effectively gain insight into the current data governance. The measurement is being displayed in a chart, making it easy to identify high and low scores:
The autoriteit persoonsgegevens (Dutch privacy protection authority) has said: “Everyone is entitled to […] a careful handling of his or her personal data.” It is important that ‘a careful handling of personal data’ is not confused with ‘limiting access to personal data’, but is interpreted as ‘formulating and adhering to an integral data policy and teaching employees to handle personal data responsibly’. This is both a social and technical challenge, the task of which the responsibility rests on the shoulders of the entire organisation.