When talk turns to protecting sensitive data, what do you immediately think of? True, commercially confidential information is one case. A competitor finding out about and blocking a new product strategy can be disastrous for an enterprise. But so can the loss, exposure or theft of data about individuals, such as healthcare data on patients or education information on children and students. Even if regulatory fines don't drive an organisation into bankruptcy, the reputational damage alone can be fatal. For these reasons, it's worth knowing what kind of information needs to be protected and how responsibilities should be defined for employees.
Governments stipulate that many forms of information that can be used to identify someone must be protected. Depending on where your organisation operates, this may cover:
- Work. Employment history, security clearance, salary, benefits.
- Social and educational. Home address, phone number, social security data, biographical data, academic records.
- Other. Medical records and data pertaining to arrests or criminal investigation.
Correspondingly, all employees have duties to fulfil concerning the protection of data. Whereas the human resources department may be first in line for protecting employee data, the sales, service, marketing and technical departments are the natural starting point for customer or patient information, and for corporate products, plans, strategies and processes. However, sensitive data protection also extends to IT workers responsible for the security of the organisation's data centres and networks, and to anyone who has access to or handles sensitive data as part of their job. This can mean the entire workforce.
Leading by example, reinforcing awareness and checking regularly for compliance make for an effective three-pronged strategy for data protection. Many protective measures are a matter of common sense, but still need to be followed up. Examples are clearly identifying and securely storing sensitive data, not leaving workstation sessions open and unattended, and immediately notifying management of any data breach. Others include encrypting sensitive information before sending it anywhere, storing such information on secured network drives (not desktop or laptop PCs), and keeping anti-virus software working effectively.