The news these days is all but overrun with stories of hackers, cyberattacks, cyberterrorism, and the importance of cybersecurity. While concerns about external threats to network security are completely valid (I think Target and its former CEO would vouch for us here), this only makes up one side of the coin; to be truly secure, you have to look at not only how easily outside forces can make their way into your network, but also how easily your sensitive data can make its way from the inside of your network out.
This is especially critical if your organization handles sensitive data in any capacity, and if you’re subject to any form of compliance regulations. How can you be sure that you have a firm grasp on where your data is going? By creating and enforcing a thorough data privacy policy.
Putting this policy together, of course, can be easier said than done. That’s why we at Optimal hear a lot of questions about what elements a successful data privacy policy needs to address (and if we aren’t hearing these questions, you can bet that we’re asking them).
There are many factors to consider when creating a data privacy policy, but we’ll break down the steps to take and key elements to consider in your policy below.
What steps to take before creating your data privacy policy
Before you can make any strides towards putting your actual policy together, first you need to:
1. Look at your data. What kind of data do you handle on a day-to-day basis? Financial information? Personally Identifiable Information (PII)? What data is most sensitive? What is least sensitive? If it helps, rank the different kinds on a scale.
2. Determine what is allowed to happen to this data. Can it leave your network? Can it leave your network, but only in encrypted form? Can it not leave your network under any circumstances whatsoever? Are there only certain people in your office who can have access to certain data?
Once you know what boundaries you need to create, the next step is actually putting actionable policy in place to keep your data private.
What does your data privacy policy need to address?
Ultimately, your policy will dictate what the folks in your organization can and cannot do with your company data. Some of the most important elements to look into are:
1. Internal Permissions. How do you control which people have access to which data? What tools or settings do you need to achieve the proper restrictions?
2. Email. Most PII can only be sent in encrypted form. Do you have the tools in place to send sensitive information securely? Is your staff educated on when and how to use these tools?
3. Remote Access. What data can your people access remotely? Are they able to synchronize it to another device? Do they know the limitations? Are you leaving it to their discretion?
4. Devices. What kind of devices are allowed to tap into your network? Personal? Company-owned only? Is network data only allowed on devices that are encrypted at the hardware level? Will you differentiate between what is allowed on these devices, and what isn’t?
Clearly there is a lot to consider when it comes to creating a successful data privacy policy for your organization. Once you create it, too, you must take your policy beyond the document and fully ingrain it into your daily operations.
Sure, some aspects of the policy may be a bit burdensome. Sure, some can make collaboration more difficult for your staff. And sure, some may require that you invest in additional tools in order to stick within the boundaries you’ve created.
But we can’t tell you how many times we’ve encountered people who have been separated from a company for years and still have corporate data in their personal Dropbox account.
And don’t worry—there are plenty of resources out there to help you work through the strategy and the technology behind your data privacy policy, and to help make sure your data is secure both from the outside in and the inside out.