Why businesses should identify the information they’re holding

For businesses looking to get their house in order, it's more important to know what constitutes PII, so they know what information needs protecting.

Everyone knows they need to track the personally identifiable information (PII) they hold and, in light of the impending GDPR, organisations want to know how to protect it. But, what exactly is PII?

This could include names, addresses, dates of birth and IP addresses; any information that can be used on its own or in conjunction with other information to identify a person makes up PII. Many organisations don’t fully understand the scope of the data they gather, including what kind of information it is, its sensitivity and whether they really need to be holding on to it.

The PII struggle

The biggest issue in trying to identify where PII is stored is that it always ends up in places an organisation doesn’t expect. For example, many don’t realise how or why PII is found in unexpected files or apps and have traditionally assumed that these files don’t need to be regulated. In reality, there could be a myriad of reasons and explanations as to how the data ended up where it did.

PII in itself is not hard to identify. But even if you’re looking for a specific type of PII, you still need to know where it lives in the system. In the past, there hasn’t been an easy way of finding out where all PII data exists on a system outside of the typical, structured locations such as HR and finance databases. It is often assumed that sensitive data is kept in the equivalent of a locked filing cabinet whereas, more often than not, it ends up in the IT equivalent of a garage or junk drawer.

However, over the last couple of years, it’s become more critical for organisations to know exactly where their data is stored. If they have never looked for it before, they’ve never had to make decisions about how to protect it, and this is why breaches continue to happen over and over again.

Identify and protect

We are slowly, but surely, seeing a focused push towards GDPR compliance. More and more organisations are actively investigating and interrogating every file on the system, identifying those with names, emails, addresses and anything else that is considered PII. Whilst this can be time-consuming, it’s not the hard part; that comes with ensuring the data is properly protected.

One relatable anecdote is that of a CEO who thought he had one big problem because he didn’t know where all his company’s sensitive data was. Following data discovery, he found himself with hundreds of thousands of problems because he now needed to protect all that data.

Protecting data is about asking a series of questions: where is the data? Who has access to it? Do the right people have access to it? Who does it belong to? Should we be deleting this data? Is it stored in the right place? Do I know who is using it? How can I make sure the data is secure and kept private? Many organisations use the terms ‘privacy’ and ‘security’ interchangeably.

However, it’s worth noting that in cyber and data security, companies must bear both in mind. Data security focuses on protecting the data from theft and breaches whereas privacy governs how the data is being collected, shared and used.

It’s always a good idea to guard all the data within your organisation, but not all data needs the same fortification. The challenge is, how do you protect this data and apply relevant access permissions, if you don’t know where it is? Similarly, one of the most significant aspects of the upcoming GDPR focuses on breach notification, where organisations must notify the ICO of a breach within 72 hours of its identification. An organisation needs to be able to report what happened, how it happened and what was affected.
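The discovery step described under "Identify and protect", combined with the access-permission question above, as an added example (not code from the article or from Varonis): it walks a directory tree, flags files containing emails, IP addresses or dates of birth, and records whether each one is readable by every user. The detector patterns, function names and sample files are assumptions constructed for illustration, and POSIX file modes are assumed.

```python
import os
import re
import stat
import tempfile

# Illustrative detectors only (assumed patterns, not a complete PII rule set).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4 = re.compile(rf"\b(?:{_OCTET}\.){{3}}{_OCTET}\b")
DOB = re.compile(r"(?i)\b(?:dob|date of birth)\W{0,3}\d{1,2}[/-]\d{1,2}[/-]\d{4}")

def find_pii(text):
    """Return {category: hit count} for the PII types found in text."""
    hits = {"email": len(EMAIL.findall(text)),
            "ip_address": len(IPV4.findall(text)),
            "date_of_birth": len(DOB.findall(text))}
    return {k: v for k, v in hits.items() if v}

def scan_tree(root):
    """Report each file under root holding PII, and whether 'others' can read it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
                world = bool(os.stat(path).st_mode & stat.S_IROTH)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                findings.append({"path": os.path.relpath(path, root),
                                 "pii": hits, "world_readable": world})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Scan a constructed tree: an HR file plus a forgotten 'junk drawer' export."""
    samples = {"hr/staff.csv": ("jane@example.com,DOB: 04/07/1985\n", 0o600),
               "tmp/export_old.txt": ("login bob@example.org from 203.0.113.7\n", 0o644),
               "docs/readme.txt": ("build 999.1.1.1 notes\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return scan_tree(root)
```

Calling `demo()` returns two findings: the locked-down HR file and the old export, with only the export marked world-readable, which makes it the first candidate for tighter permissions.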

Knowing when something goes wrong

Once an organisation knows where all its data is and is reasonably sure it is well protected, the next thing they must consider is how they will identify when/if something goes wrong and what they will do to correct this. Banks and credit cards are a good example to follow in such a situation. The majority of people who use a credit card have, at some point, been notified of unusual activity on the account. This is because banks typically know a lot about the person the card belongs to. For example, if a bank knows where and what time you would typically fuel up your car, it would then notice if the card was used to buy a different type of fuel in an atypical location at an unusual time and could reasonably deduce that your card is being used fraudulently.

When it comes to data, many companies don’t have this kind of visibility; they have all the data but know nothing about how people are actually using it. Organisations such as banks are able to identify this fraud because they look at where every pound or dollar is going, allowing them to spot fraudulent transactions as they occur.

The companies that are best able to protect PII are those who look at every single data transaction. They know when a file is created, accessed, changed, moved or deleted.

A new normal

The world is changing, and the upcoming GDPR is a great barometer of that: it states that organisations must protect the data they hold, in much the same way as a bank does. This important and valuable information can’t just be left in the proverbial junk drawer. It will be exposed.

All data within a company should be protected by taking the time to identify PII and apply permissions so it’s only accessed by the necessary people (known as a model of ‘least privilege’). Organisations can then be assured in the knowledge that they are taking the best steps to ensure they don’t fall foul of the GDPR.

Sourced by Matt Lock, director of Sales Engineers, Varonis
