Why Every Risk Management Plan Worth Its Salt Should Start With Data Discovery
8/28/2020
Whether they know it or not, any business or service that collects, handles, or processes personally identifiable information (PII) is subject to various laws and regulations that set out the requirements for data privacy. Laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA) do not simply act as guidelines. Non-compliance can result in hefty fines, lawsuits, and significant reputational damage.
The reasons these laws exist are twofold: to safeguard individual data privacy, and to protect the data organizations hold from security risks such as breaches. A skilled compliance officer will have a risk management plan in place that covers both security risk and compliance. But a plan can only protect the data it accounts for, and data rarely stays in one place. It is stored in multiple databases, on-premises and in the cloud; it is shared within and outside the organization; and it can lie on a forgotten server or in a folder of scanned documents that no control set ever covered.
Simply put: you can’t protect data if you don’t know where it is, nor can you assure your customers or patients that their data is safe and private.
Sensitive Data Discovery takes a data-centric approach to data security by locating data wherever it is hiding in your business. It also classifies which data is sensitive in nature, allowing you to take remedial action, such as masking, encryption, or removal.
What is Sensitive Data Discovery?
A sensitive data discovery tool connects to databases and discovers sensitive fields using two kinds of evidence: the metadata (table and column names, types) and the element values themselves. It identifies information that can be used to identify someone, such as social security numbers, account numbers, addresses, credit card numbers, and medical records. It then classifies each finding according to its level of sensitivity, so that the data can be de-identified or removed as needed. Checking values as well as names matters in both directions: a column called "notes" can carry a social security number that its name never hints at, and a column called "card_label" can turn out to hold nothing sensitive at all.
The data de-identification process should always start with discovering the sensitive elements of PII, and only then with selecting the protection appropriate to each element (masking, encryption, or removal).
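The scan described above, as an added illustration (this is example code written for this page, not Hush-Hush's product or any part of it). It walks every table and column of an in-memory SQLite database, records metadata evidence (a hint list of column-name fragments, which is hypothetical and far smaller than a real tool's dictionary) and content evidence (pattern matches over sampled values, with a Luhn checksum so that arbitrary digit runs are not reported as card numbers), classifies each column, and masks the values it found. The sample tables and all rows in them are constructed for the example and describe no real person.

```python
"""Toy sensitive-data discovery over a SQLite database (added example; not
Hush-Hush code). Each column is judged on two kinds of evidence, metadata
(its name) and content (sampled values), then classified and masked."""
import re
import sqlite3
from collections import Counter

# Metadata layer: column-name fragments that suggest a category.
# Hypothetical hint list for this example; a real tool ships a much larger one.
NAME_HINTS = [("ssn", "SSN"), ("social", "SSN"), ("card", "CREDIT_CARD"),
              ("email", "EMAIL"), ("diagnosis", "MEDICAL")]
LEVEL = {"SSN": "high", "CREDIT_CARD": "high", "EMAIL": "medium", "MEDICAL": "high"}

# Content layer: patterns run over sampled cell values.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
CARD_RE = re.compile(r"^\d{13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def luhn_ok(digits):
    """Luhn checksum keeps random digit runs (order ids, timestamps) out of the card bucket."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value):
    """Category of one cell, or None. SSNs are searched inside free text;
    card numbers must be the whole (de-spaced) value and pass Luhn."""
    text = str(value).strip()
    if SSN_RE.search(text):
        return "SSN"
    compact = re.sub(r"[ -]", "", text)
    if CARD_RE.match(compact) and luhn_ok(compact):
        return "CREDIT_CARD"
    if EMAIL_RE.match(text):
        return "EMAIL"
    return None


def quote_ident(name):
    """Identifiers cannot be bound as parameters; quote and escape them instead."""
    return '"' + name.replace('"', '""') + '"'


def scan_database(conn, sample_rows=200):
    """Walk every table and column; return one finding per column with any evidence."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for col in cols:
            name_hit = next((cat for frag, cat in NAME_HINTS if frag in col.lower()), None)
            rows = conn.execute(f"SELECT {quote_ident(col)} FROM {quote_ident(table)} LIMIT ?",
                                (sample_rows,)).fetchall()
            values = [r[0] for r in rows if r[0] is not None]
            counts = Counter(c for c in map(classify_value, values) if c)
            value_hit = counts.most_common(1)[0][0] if counts else None
            if not (name_hit or value_hit):
                continue
            category = value_hit or name_hit  # content evidence outranks a suggestive name
            findings.append({
                "table": table, "column": col, "category": category,
                "sensitivity": LEVEL[category],
                "evidence": "+".join(e for e, hit in (("name", name_hit), ("value", value_hit)) if hit),
                "matched": counts.get(category, 0), "sampled": len(values)})
    return findings


def mask(category, value):
    """De-identify after discovery: keep only what a workflow still needs to see."""
    text = str(value)
    if category == "SSN":
        return "***-**-" + text[-4:]
    if category == "CREDIT_CARD":
        digits = re.sub(r"[ -]", "", text)
        return "*" * (len(digits) - 4) + digits[-4:]
    if category == "EMAIL":
        local, _, domain = text.partition("@")
        return local[:1] + "***@" + domain
    return "[REDACTED]"


def build_sample_db():
    """Constructed data for this example; not real people or real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id INTEGER, name TEXT, ssn TEXT, email TEXT, notes TEXT);
        CREATE TABLE orders (id INTEGER, card_label TEXT, payment_ref TEXT, amount REAL);""")
    conn.executemany("INSERT INTO patients VALUES (?,?,?,?,?)", [
        (1, "A. Example", "123-45-6789", "a.example@example.com", "follow-up in 2 weeks"),
        (2, "B. Example", "876-54-3210", "b@example.org", "ssn on file: 321-54-9876"),
        (3, "C. Example", None, "c@example.net", "no allergies")])
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", [
        (1, "personal", "4111111111111111", 19.99),   # standard Luhn-valid test numbers
        (2, "corporate", "5500000000000004", 120.00),
        (3, "personal", "4242424242424242", 7.50)])
    return conn


if __name__ == "__main__":
    for f in scan_database(build_sample_db()):
        print(f"{f['table']}.{f['column']:<12} {f['category']:<12} {f['sensitivity']:<6} "
              f"evidence={f['evidence']:<10} {f['matched']}/{f['sampled']} sampled")
    print(mask("SSN", "123-45-6789"), mask("CREDIT_CARD", "4111 1111 1111 1111"))
```

On the constructed data the scan reports five columns. `patients.notes` is flagged on value evidence alone (one sampled row carries an embedded SSN that the column name never suggested), while `orders.card_label` is flagged on name evidence alone with zero matching values, which is the case a reviewer would want to examine before spending effort on masking. A production scanner would add far more categories, sample more rows, and handle unstructured sources, but the two-layer evidence model and the "discover first, then choose the protection" order are the same.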
How does Sensitive Data Discovery Help with Compliance?
The purpose of laws like GDPR and HIPAA is to ensure organizations have appropriate security practices and controls in place to protect personal data and the privacy of the people it describes.
The GDPR, for example, requires "data protection by design and by default" (Article 25) and "appropriate technical and organisational measures" to secure personal data (Article 32). Chapter 3 of the regulation sets out the rights of the data subject. Article 17, the right to erasure, lets a data subject require you to delete their personal data without undue delay where one of its grounds applies (for instance, the data is no longer needed for the purpose it was collected for, or the consent it rested on has been withdrawn). You cannot honour such a request for data you cannot locate.
Published GDPR compliance checklists can help you structure your compliance strategy and understand the role of compliance in your organization, but every item on them presupposes that you know what personal data you hold and where.
Compliance is only possible if you understand how personal, financial, and medical information is used in your business and where it is stored. Data discovery can locate and identify both structured data (stored in databases) and unstructured data (documents, scanned images, spreadsheets, and email attachments, for example) across your organization, in the cloud, on devices, and even in email.
Underestimating how far data travels in your organization delays remedial action and leaves you exposed to both a non-compliance penalty and a serious data leak.
Risk management and regulatory compliance go hand in hand, but both are only possible if there is complete data visibility.
Request your free one-month trial of Hush-Hush Sensitive Data Discovery and take the first step towards complete compliance.