Data is valuable. So much so that for many organizations, it is the core of their business. Aside from commercial imperatives, ever-tightening regulations require you to protect certain types of data to the highest standards. Knowing which data and information represent the biggest risks (and rewards) is increasingly important.
This can best be thought of as a scale. At one end would be open information “owned” by the organization, like that published publicly on a website. At the other end would be personal information collected from individuals not part of the organization. This information is highly sensitive—meaning that its breach would pose serious risk of harm. These harms may be concrete, like financial loss, but they could also be more emotional losses, like reputational damage or simply a sense of lost privacy.
The gradations on this scale are subtle and depend on each organization’s circumstances to a huge extent. What exactly they do; the relationship they have with the owners of information; and the regulatory environment(s) they operate in all dictate what they need to restrict.
Needless to say, regulatory requirements override subjective decisions. It is important to know where the authorities in different jurisdictions have a different take, particularly on what constitutes sensitive data.
How do we define sensitivity?
Under its General Data Protection Regulation, the European Union defines personal data (PD) warranting protection as “any information concerning an identified or identifiable natural person”. It reserves its most stringent protections for “special category” data which closely aligns with decades-old anti-discrimination legislation around the issues of race, religion, health, sexuality and so on (with biometric data a fairly recent addition).
In the US, meanwhile, we instead have the concept of Personally Identifiable Information (PII), which centers on data with the ability to distinguish or trace an individual’s identity. In the absence of an overarching federal framework, the US has legislated for the protection of PII in context-specific ways and created individual frameworks for the oversight of the most sensitive kinds. One example is personal health information protected under the Health Insurance Portability and Accountability Act (HIPAA). There are hundreds of rules to contend with under both federal, state, and sector-specific regulations.
This complexity is actually the norm in most jurisdictions, making it easy to become lost in a maze of overlapping (and ever-evolving) regulations. But while the task of finding and keeping to the right path is unique to each organization, keeping things as simple as possible will serve you well.
How do we classify data, and why does its governance matter?
The starting point for classifying sensitive data is obviously to determine which regulations apply at both the macro and micro level. Then, with your stakeholders in mind, you can apply a risk-based approach.
Focusing on what really matters is a great foundation. It will ensure that you mitigate risks more aggressively where they are highest, and good practices tend to flow down to the lower risk cases as well. Develop and apply very robust policies where they are vital, and you have an operational—and cultural—blueprint which can be applied elsewhere.
This is why data classification is such an essential first step to ensure focus and a risk-based approach. It is also the foundation of sound data governance, something that should be front of mind in a world where data is likely to be among your most precious assets (if not the very most).
What are the critical challenges?
While technology and automation are catching up fast, they are “not quite there yet.” Data classification and governance still requires manual work and human judgements, which means that clear taxonomies and tagging are indispensable to good data hygiene.
The concept of personal data is broad and difficult to define, which in turn can make it tough to build a model for how you treat it, and even more so for sensitive data. Keeping it simple initially and focusing on what you know you must do brings clarity to the situation.
Just as important is the issue of responsibilities. Infosec, privacy, data protection and data governance overlap (and diverge) in innumerable ways, which means it can be hard to determine who “owns” these things. The fact that responsibility straddles several areas may be unavoidable. In that case, you must ensure that data protection concerns don’t fall through the cracks. This is a common trap where there are both complexity and commercial concerns at play.
This brings us to the realities of confidentiality and disclosure. In an increasingly cloud-native world, where complex data lifecycles invariably involve multiple parties, ownership, and stewardship of personal data make it a challenge to uphold individuals’ data rights. Pay great attention to the chain of custody here and, needless to say, pick your partners carefully, documenting (and contracting for) your counterparty relationships carefully every step of the way. Your credibility – and avoidance of liability – depend upon it.
How can companies practically look after sensitive data?
Principles and policies mean little if they are not enacted, so it pays to take a highly pragmatic approach. And, while organizations shouldn’t zero in solely on risks, they do focus minds. Consider what your ‘crown jewel’ data assets are – the ones that would cost you most to have breached – and proceed from there down the risk scale.
On the flip side, always have front of mind what you don’t really need. Observing the principle of data minimization is not just a regulatory responsibility, but also one of self-preservation. In simple terms, ‘they can’t hack what you don’t hold’, so make sure that you only collect—and retain—data which is demonstrably necessary for the purpose. Anything else is a waste of resources and a source of unnecessary risks.
In short, know precisely which data you have and the risks it represents from a regulatory, reputational and ethical perspective, and you will have made an excellent start.
