Instead of waiting until after the damage of a data breach has been done, companies should begin the process of assessing the data that they have stored in their systems and start keeping an up-to-date inventory of such information. Assessing the data includes reviewing the following items:
- The network;
- The information stored; and,
- The access to the information.
Assessing the network includes not only your current system, but also any old computers and/or external hard drives that your company may have in storage. If your company has old computers in storage, it is important to see what information is stored in those systems. You may be surprised to find what may be sitting on those hard drives.
Assessing the information stored focuses on the content of the information and the purpose of the information. The content of the information may be considered to be personal identifiable information that is considered to be the subject of data protection statutes. If the information is considered personal identifiable information, then you are under an obligation to provide measures to protect that information. Your obligation to protect that information depends on the state that your business is incorporated.
Besides reviewing the content of the information, you must also review the purpose of the information. The purpose of the information answers the questions, “Why do I need this information?” and “How long do I need this information saved?”
Finally, the issue of accessing the information focuses on the question of “Who needs to have access to this information?” If the information is of a personal nature, then access to that information must be limited. Another question to consider is “How much information should that person have access to?” In other words, “How much access would that person need to complete their work?”
Suppose you own an accounting office. The executive assistant may need a client’s name and address because that person is mailing something. On the other hand, the accountant working on a matter for that client may need access to said client’s financial information, in addition to the client’s name and address. The access is dependent on the employee’s role.
Assessing your network, the content of the information, and who has access is a crucial step in developing a data privacy policy. Answering those questions allows you to implement and develop a data privacy policy that addresses your corporate needs, instead of having a one size fits all approach.
Please do not hesitate to contact us to discuss how we can help you assess your data security needs as well as implement a data privacy policy that fits your corporate needs.