Starting up a data privacy program is daunting. That is especially true if you don’t have a DPO (data privacy officer) on your payroll, which is likely the case for SMBs and for the MSPs and MSSPs that serve them.
In many respects, data privacy is onerous. There are many rules: local, federal, global, industry-related, market-related and so on. Some overlap, some contradict each other, and it is very hard to find a single set of rules that addresses all of them.
Yet it doesn’t have to be daunting. Underneath, there are a few basic activities that most data privacy rules have in common. Each company that processes and/or stores regulated data must:
1. Identify, out of all the data the company processes and stores, which data requires oversight: private data, controlled data, entrusted data and others.
2. Understand what regulated data, and how much of it, passes through or resides on its workstations and apps.
3. Understand who owns the data, that is, to whom the liability associated with processing or storing the data belongs.
4. Understand where the data flows downstream: does it return to the owner (or its point of origin), or does it flow on to another vendor?
The above is an exercise in fact finding and isn’t hard to do today. Systems such as Actifile can automate most of this fact finding and present the results in a report.
Knowing the facts goes a long way toward being compliant, because it enables the company to own its risks and to demonstrate that the risks were known and were either addressed or consciously accepted after deciding that no remediation was necessary.
And even where remediation is deemed necessary, focusing it on the higher-liability concerns both saves money and reduces the amount of work.