Your company’s data is valuable. That’s true both for data your company generates and data your customers generate. Within your company, it’s critical to make sure that data is accessible and easily utilized. When critical members of your organization have access to powerful data, they’re able to work not only harder but also smarter. The decisions that they make are better-informed. This is good news for your customers, your employees, and your shareholders.
I’ll say it again: your company’s data is valuable. Outside of your company, it’s critical to make sure that data is inaccessible. When malicious people outside your organization have access to powerful data, they’re able to cause great harm. Thieves steal that data, package it, and sell it to the highest bidder. That data, which was so powerful in the hands of the right people, is damaging in the hands of the wrong ones.
What Is Data Compliance?
Over the past 30 years, governments and private organizations around the world have acted to ensure that organizations that gather data treat it safely. They have created rules and regulations around what data companies collect and how they use it. Data compliance is the process of understanding and abiding by these rules. Data compliance is a critical part of any organization that collects data, especially user data.
Know Your Regulations
The first and most significant part of data compliance is understanding which regulations affect your company. It’s likely that you’ve heard about the biggest regulations. Regulations like PCI-DSS, which affect the credit card industry, or HIPAA for health data in the United States, are well known. If you do business with anyone in the European Union, the GDPR is a must-know.
Many regulations aren’t as well known. In the United States, individual states may pass regulations which affect how your company stores and accesses data. You may be subject to more stringent rules based on governing bodies for your economic sector. It’s not possible to create an exhaustive list of all possible data regulations in this space, so I’m not going to try. What’s important to understand is that step one of your data compliance journey must be understanding the regulatory landscape you live in. You have good intentions about data compliance; if you didn’t, you wouldn’t be reading this far. But good intentions don’t solve the problem. You need knowledge to effectively comply with data regulations. So, your work starts with understanding the lay of the land.
Know Your Data
The second step in your data compliance journey is knowing what data your company stores. Someone’s first name is much less valuable, both to your company and to someone malicious, than their email address. Someone’s birthday needs less data protection than their social security number. Their phone number is less valuable than their credit card number.
When you understand the data your business possesses, you understand the importance of protecting it. Customers entrust their data to your organization to make your work possible. The more data your organization possesses, the easier that work is. The trade-off is that the data becomes more valuable. You need to spend more time and effort securing it.
Know How You Use Your Data
It’s important to know what data your organization stores. It’s equally important to know how that data flows through the organization. HIPAA regulations cover this very effectively. A common example is that a little bit of data by itself is often not particularly valuable or harmful. For instance, if I know that a patient received a physical at 10:15 on a Thursday, that’s not valuable data. If I know that twenty minutes later, that same patient underwent an electrocardiogram, I know significantly more about that patient. That data becomes much more sensitive if I know even one piece of identifying information about that person: their first name, their age, their last name, or their street address.
How data combines as it flows throughout your business is critical knowledge. Little pieces of data combine with other little pieces to become a very big deal.
Know Who Uses Your Data
A critical part of any data compliance framework is understanding who has access to what data. Much like data changes value when it’s combined with other data, it’s exposed to more risk as it travels through more hands. Every person who has access to sensitive data increases the likelihood that a procedure isn’t correctly followed, or someone overhears a careless statement. Data in your organization is like water. If there’s a tiny leak somewhere, it’ll find it, and it’ll make a mess when it gets out.
A core part of effective data compliance is limiting who has access to what data. The first step in that process is documenting who has access, and what data they have access to. As you progress on your data compliance journey, you’ll find that many people have access to much more data than they should. Sometimes, taking that access away causes problems for your company. Many times, you’ll learn people never needed that access in the first place.
Know How You Secure Your Data
Just as important as knowing who accesses your data is understanding how it’s secured. Many companies confuse data compliance with data security, but they’re not the same thing. Data security is an important factor in ensuring the safety of data, though. It’s so important that it’s written directly into many data compliance frameworks. Data security has many facets, including controlling who has access to the data. It also encompasses technical controls, like making sure that when you save data to a hard drive, it’s encrypted.
The most effective data compliance teams work closely with security teams to ensure that people who handle data treat it appropriately wherever it goes. On the IT family tree, data compliance and security are siblings. The greatest data security in the world is no use if that data is broadcast to anyone who asks after it. Having the world’s best data controls is no use if a hacker penetrates your database and reads every record inside. Your data compliance journey may reveal that you also need to improve your team’s data security at the same time. Don’t shy away from these challenges. Instead, work with your team to rise to meet them.
Data Compliance Is Worth the Challenge
If this is your first foray into data compliance, it’s likely that you’ve reached this point and you’re thinking that this sounds like a lot of work. You’re not wrong! There’s a reason that data compliance officer is a full-time job at many companies. These people need to work hard to ensure that data remains safe and secure. But these challenges are worth meeting. The data your company collects and generates is important. It’s valuable, both to you and to your customers. Laws and regulatory agencies seek to recognize the importance of that data and ensure that companies aren’t risking their customers’ safety or identity.
What you’ll find, as you work to improve your data compliance, is that it gets easier over time. As more employees understand both what you do, and why you do it, they’ll work with you to improve your company’s processes. Instead of fighting against the grain, you’ll find that you’ve built a culture where data compliance is the norm. People will ask questions about how they’re using your data, and whether they truly need access. When that happens, data compliance won’t be a challenge any more. It’ll be a way of life.
This post was written by Eric Boersma. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.