Data Privacy and Security: What you Need to Know

No matter what type of data your organization retains, it is most likely worth securing. Protecting data is no longer just a technical discussion, but requires dedicated coordination between many different areas of an organization.

The importance of protecting data

Corporate transactional data, client information and other sensitive data are often at risk of being stolen or exploited, and you could be held accountable for the breach. There are many cautionary tales of widely publicized data breaches, and of boards of directors taking action to assign accountability for them. Beyond the technology, it takes time, planning and practice to guard your organization’s data. Here are some important steps.

Develop a data protection plan

A data protection plan is a useful starting point and provides focus to protecting your data. This plan has several key components.

First, you must define the location, risk level and recovery options for each different data type you have. Location is important for documenting where different data is stored, as it may influence how it is protected and will be helpful when needed urgently during a recovery operation. Evaluating the risk level for loss also helps define where the most attention is needed. The evaluation of recovery options is essential as well, since different types of data will have different recovery options. Some data may be stored on data tapes that require time to extract and recover, while others may be much easier to retrieve using online recovery tools.

Central to the recovery options will be an evaluation of the data backup strategy. While a full treatment is beyond the scope of this article, backups should be scheduled routinely and tested by actually restoring from them, with recovery speed in mind; a backup that has never been restored cannot be relied upon. A solid backup plan not only protects your organization from lost data and technical issues, it also significantly shortens the time needed to recover.

Build your data protection plan with the potential for change. Technology is ever evolving and governmental regulations are always being updated. Specific individuals should be assigned responsibility for various components and then held accountable for remaining current on the regulatory environment. The plans should be reviewed, updated and tested on a regular basis.

Develop policies and procedures

Data privacy requires constant vigilance. For an organization to succeed in creating a protected environment, effective policies and procedures need to be agreed to and properly documented. These policies should define your data types, detailing what data flows into the organization, how it is used, what needs to be retained or purged, and how that is done.

Access restrictions are another major determinant of risk. The more widely sensitive data can be accessed, the greater the chance it is compromised, and the more compensating controls it needs. Access should always be limited to those who have a specific and definable need for the data (the principle of least privilege). While restricting access to something like customer account details makes obvious sense, the same principle applies to general accounting and ERP system access too. Well-defined access policies are essential to eliminating unnecessary risk.

Use the right technology

While the plans and policies lay the foundation for protecting your organization’s sensitive data, the right technology takes that protection further. Check that all data transfers are encrypted in transit using a current protocol version (TLS 1.2 or 1.3) with certificate validation, and that sensitive data is encrypted at rest as well. Product specifications often advertise “256-bit encryption”; both 128-bit and 256-bit AES keys are considered strong today, so the protocol version, the cipher suite and how keys are managed matter more than the key length printed on the data sheet.
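As an added example, not part of the original article, the following Python script checks what a TLS endpoint actually negotiates rather than trusting a “256-bit” label. The policy thresholds and the sample cipher tuples are assumptions constructed for illustration; the tuple shape is the one returned by Python’s `ssl.SSLSocket.cipher()`.

```python
import socket
import ssl

# Policy thresholds: an assumption for this example, not taken from the article.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_KEY_BITS = 128
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def evaluate_cipher(cipher, min_bits=MIN_KEY_BITS):
    """Judge one negotiated suite.

    `cipher` has the shape returned by ssl.SSLSocket.cipher():
    (suite_name, protocol_version, secret_bits).  Returns (ok, reasons),
    where reasons lists every policy violation found.
    """
    name, version, bits = cipher
    reasons = []
    if version not in ACCEPTED_PROTOCOLS:
        reasons.append(f"protocol {version} is older than TLS 1.2")
    if bits < min_bits:
        reasons.append(f"{bits}-bit session key is below the {min_bits}-bit floor")
    if not any(marker in name.upper() for marker in AEAD_MARKERS):
        reasons.append(f"suite {name} is not an AEAD (authenticated) cipher")
    return (not reasons, reasons)


def check_endpoint(host, port=443, timeout=5.0):
    """Connect to a live host with a verifying context and evaluate what was
    negotiated.  Needs network access; a certificate validation failure raises
    ssl.SSLCertVerificationError, which is itself a finding worth reporting.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cipher = tls.cipher()
    return cipher, evaluate_cipher(cipher)


# Constructed sample negotiations (not captured from any real system) that
# show why key length alone is a poor measure of transport security.
SAMPLES = {
    "tls13_aes256": ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    "tls12_aes128": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    "legacy_aes256": ("AES256-SHA", "TLSv1", 256),
}


def evaluate_samples():
    """Evaluate every constructed sample; returns {label: (ok, reasons)}."""
    return {label: evaluate_cipher(cipher) for label, cipher in SAMPLES.items()}


if __name__ == "__main__":
    for label, (ok, reasons) in evaluate_samples().items():
        print(f"{label}: {'PASS' if ok else 'FAIL'} {'; '.join(reasons)}")
```

Run it against a live host with `check_endpoint("example.com")`. The constructed samples make the point of the paragraph: the legacy suite fails despite its 256-bit key because it runs over TLS 1.0 without authenticated encryption, while 128-bit AES-GCM over TLS 1.2 passes.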

Firewalls, malware protection and authentication are all integral technological defences of your data. Firewalls must be kept up to date, with stringent rules governing what traffic may enter and leave your network. Similarly, malware protection is only effective when it is kept current with the vendor’s published signature updates. Recent products in this space also use behavioural analysis and machine learning to flag malicious activity that has no known signature. Strong, unique passwords still represent one of the easiest defensive measures you can take, and multi-factor authentication adds a second check so that a stolen or guessed password alone is not enough to gain access.

Invest in a proactive privacy culture

Many organizations spend a significant amount of effort to extract value out of their data resources, but there is also a growing expectation among stakeholders that organizations should better protect the data in their care.

All aspects of how data is acquired, used and managed should be thoughtfully controlled to effect the best protection. Technology will always play an important role in this defence; however, building a culture that embraces data protection at every level is the most powerful and effective preventative measure your organization can take.


Disclaimer:

BUSINESS MATTERS deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.

Although every reasonable effort has been made to ensure the accuracy of the information contained in this letter, no individual or organization involved in either the preparation or distribution of this letter accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.

BUSINESS MATTERS is prepared bimonthly by Chartered Professional Accountants of Canada for the clients of its members.

Author: Cory Bayly
