This is the second in a series of posts in honor of National Cybersecurity Awareness Month. Each day this week, we’re sharing a practical cybersecurity tip for small businesses.
Modern data privacy laws require organizations to respect certain rights of individuals from whom they collect personal information. Under privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), individuals have the right to access and correct the personal data that organizations collect from them, to require organizations to delete such collected data, and to limit the purposes for which the data may be used. Organizations that do not honor these rights can face enforcement action, penalties, and lawsuits.
As a starting point to complying with laws like the GDPR and CCPA, businesses need to keep track of the data they have, now and in the future. Taking inventory of data is an often overlooked step, but so very important.
Suppose a customer submits a request to your business to delete all the data that you have collected from her. Sound like a simple request? Would you be able to readily identify all the locations where that data about that customer is stored? You might look in the typical data repositories – a central server, cloud accounts – but what about not-so-obvious places, like backup media, individual workstations, or removable media like thumb drives? What about third-party vendors?
Knowing where your data lives is also essential to securing it against unauthorized access or cyberattacks. What types of security controls are necessary for a business to implement depends on the kind of data in question and how it is stored. For example, data access privileges should vary based on the needs of different users and the risk that such users will misuse or mishandle such data. Different security controls are appropriate for data stored in the cloud versus data stored on a hard drive. Evaluating the factors that affect which cybersecurity measures to implement is difficult if you don’t know what data you have or lose track of where it goes.
That’s why data mapping is a crucial component of a cybersecurity program. Data mapping is the process of cataloguing the data that’s collected, how it’s used, where it’s stored, and where it goes. A data map could be as simple as a spreadsheet or diagram, or it can be an extensive document created with special software. The scope of your data map depends on the nature of your business and how you collect, use, and store data.
Most data maps should at least address the following subjects:
- What data you collect – the types of data collected; the sources of collection; whether the data is sensitive
- Storage of data – where the data is stored; the formats in which it is stored; how long it is stored; the custodians of stored data; and the conditions under which it is stored
- Usage of data – why the data is being collected; the purposes for which the data is used
- Flow of data – where the data moves after it is collected, both inside the organization and outside of it (third-party recipients); the protocols in place to protect data transfers
For a tool to help you get started with data mapping, check out the Data Protection Commission’s Self-Assessment Checklist.