Concerned about future DPA legislation? Don’t be. You already have obligations to protect data now. But do you know where all your data is?
The ‘Data World’ is seemingly spending every spare minute crystal ball gazing, trying to second guess the next wave of Data Protection legislation from Europe. Whilst this is all very worthy, the truth is, with 3,000 tabled amendments and deals to be made and broken, nobody really knows what the new UK DPA will look like or even when it will actually come into being.
So why not start a bit closer to home and look at how you’re handling your valuable data right now? In recent exclusive research commissioned by DQM Group, UK marketers were asked to identify where the pain points and likely challenges sit within these proposals. It revealed that many organisations are falling short of their existing obligations - let alone any future ones. One of the key action points was to conduct a data discovery exercise to identify where data is being stored, who it is shared with and who has access to it.
You need to ask yourself a simple question: Do I know where all my datasets are located and who has access to them?
The answer to this question may vary depending on where you are on the data maturity curve, but whether it’s the first time you’ve ever considered undertaking a data discovery exercise of this kind or it’s part of a regular review process, the exercise has real value.
The ultimate aim of the task is to make sure all applicable data is located in a controlled access environment, even when it is replicated or processed in some way. The exercise will often uncover data lying on unsecured media – CDs, USB sticks, unencrypted laptops or print media.
Maintaining an appropriate level of security requires clear process documents which, once personnel have been properly trained on them, will ensure that everyone touching data has clear paths to follow for the data to which they have access - including where to locate and save data, naming conventions, and version controls. You may want to create different protection levels and processes for different classifications of data. Once you believe you have traced all data elements within your organisation, classifying that information will help in securing the data in proportion to its sensitivity.
The process document you create should be reviewed periodically to ensure it reflects the current situation. It’s important to remember that process documentation is organic and should reflect changes to working practices, new legislation and technical improvements or upgrades to existing equipment. In addition, it’s crucial to ensure that the processes are being adhered to, so occasional spot checks or audits will identify any data touch points which need adjustment or personnel who require additional training.
If you don’t already have one, an accurate data log is essential in being able to monitor valuable electronic data assets within your secure environment. If you don’t know where every data element is, how can you be expected to protect it? A data log provides a visual journey of data through your organisation from the moment it is saved or created on your network to the moment it is destroyed - and all points in between. It is likely that you will be receiving or sending data periodically – maybe marketing data from external sources, or data for or from a promotional campaign being handled by a third party. All these data sets require entry into the data log.
Once you’re confident the data in your organisation is as secure as it can be, the next key consideration is access controls, but I’ll cover that in another blog.
The results of a data discovery exercise will help you ensure the confidentiality of the data in your care, which is a fundamental principle in the existing UK Data Protection Act. You can guarantee this will not change in any future legislation. So don’t worry about the future; you have obligations now.