Protecting client data

Facebook is in hot water over its handling of users' data. Take the social media giant's current plight as a cautionary tale: it is more important than ever to make sure your client data protection program actually serves its purpose. With the advent of Europe's General Data Protection Regulation (GDPR), adopted by the European Union to raise the bar for the protection of personal data, consumers around the world now expect the businesses they entrust with their data to adhere to the spirit as well as the letter of data privacy laws.1

Client data protection is a complex undertaking. Because there is a never-ending stream of cybercriminals determined to steal customer data, businesses must keep evolving their security programs to withstand sophisticated and persistent attackers.


Know your data so you can protect your data

Before you can protect your customer data, you must develop an in-depth understanding of the type of data you possess, where it resides within your firm's IT environment, how it moves around your organization and who has access to it during each phase. Document the data life cycle in your organization, including how you gather, create, use, store, share and destroy customer data. Keep in mind that some of your customer data may reside outside your company's servers: on employees' smartphones, tablets and laptops, and on outside vendors' systems, such as cloud and SaaS providers that process data on your behalf.

With an understanding of the customer data your business collects, prepare a detailed inventory of the security procedures and mechanisms in place throughout the organization, and record who is responsible for each. For example, who within the organization is responsible for updating and approving changes to the company's firewall rules? In addition to assessing the effectiveness of your security program, prepare for the loss of data by asking what happens in the event of a data breach: who is notified, how the incident is contained, and what notification obligations apply (the GDPR, for instance, generally requires notifying the supervisory authority within 72 hours of becoming aware of a breach).

Mapping security to regulatory requirements

Next, make sure the elements of your security program support compliance with the rules and regulations governing customer data privacy and protection that apply to your business. Break each applicable regulation down into its individual requirements and map the elements of your security program against each requirement. For example, if you are subject to the GDPR, how does your company honor an individual's data protection rights, such as requests for access to or erasure of their personal data, and can it locate and act on every copy of that person's data within the required time?

If this exercise uncovers gaps in your ability to protect data, assign responsibility for addressing each deficiency to someone in the organization who has the authority and resources to handle it. Just as importantly, establish an expected completion date and have an independent function, such as the internal audit department, follow up with the responsible party to confirm that the remediation actually took place.

The goal is to ensure your security program includes basic as well as advanced protections, such as firewalls, encryption and malware detection capabilities, to protect data wherever it resides in the IT environment, while also achieving compliance with industry, state, federal and international data protection laws and regulations. To improve your understanding of data privacy laws and regulations in the United States and overseas, see the country-by-country comparison published by DLA Piper, a multinational law firm.2


Put it in writing

If you have not done so already, create a data protection policy that documents the people, processes and technology your business depends on to protect customer data and to remain in compliance with the relevant rules and regulations.

Make sure someone within your organization reviews and updates the data protection policy at least twice a year, and whenever the business, its systems or the applicable regulations change. To set the tone for how your organization handles customer data, and to ensure that employees and executives know their roles in the process, share the policy with them regularly. As a starting point for developing your own policy, here is an example from Daimler, a German multinational car manufacturer.3


Commit to continuous improvement

With businesses of all sizes embracing digitization, the degree to which companies rely on technology grows daily, and so does the opportunity for a cybercriminal to find and exploit weaknesses in a company's digital backbone. Combating customer data theft therefore requires an unwavering commitment to security, including a willingness to dedicate attention and resources to evolving your security program against the latest threats.

1. EUGDPR. "GDPR Portal: Site Overview". Accessed June 26, 2018. https://www.eugdpr.org
2. DLA Piper. "Data Protection Laws of the World". Accessed June 26, 2018. https://www.dlapiperdataprotection.com/index.html?t=about&c=AO
3. Daimler. "Data Protection Policy". Accessed June 26, 2018. https://www.daimler.com/documents/company/other/daimler-dataprotectionpolicy-en.pdf