If you’re responsible for data at your company, safeguarding it is often top of mind. Data Privacy Day falls on January 28th. It serves as a reminder, not only to those of us who are security practitioners and good stewards of data but to all of our colleagues, about the importance of data security and the trust that it inspires when properly managed.
Many of us already have tools and processes to secure personal information. The effectiveness of those solutions is pushed to the limit because compliance requirements around data evolve year after year. Some of the major US privacy laws go into effect this year including the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (CPA). These laws share similar themes when it comes to defining and securing data.
In the spirit of Data Privacy Day and keeping the 2023 regulatory requirements in mind, here are five challenges around regulated data that most of us should, in theory, be able to address with our existing data security tech stack.
- Find regulated data. While there’s some variation in the language used, CPRA, VCDPA, and CPA all broadly define “personal information” or “personal data” to be information that is linkable to an individual. These laws also reference other regulated data categories such as “Protected Health Information.” Chances are, if you’re part of a mature enterprise, there’s been an ongoing classification exercise years in the making. But has it enabled you to directly locate and distinguish the different categories of regulated data?
- Identify the data subject of your data. Certain privacy laws exempt, for example, employee data. Do you know which personal information (PI) relates to an employee versus a customer versus a third party?
- Determine what data should be encrypted. Regulated data, when used properly, can spur innovation. For example, PHI that has been stripped of identifying information can safely become part of a patient-centric dataset to help determine the risks or successes of drug trials. Your objective here is to determine what regulated data is exposed as plain text, but should instead be encrypted, tokenized, or otherwise protected via some other privacy-enhancing technique.
- Minimize unnecessary data. While the collection of data never stops, regulations compel our companies to limit data to what is reasonably necessary. Your company’s data footprint is bound to increase with every new customer engaged and every email sent. To minimize unnecessary data, determine where redundant and stale data resides.
- Rein in overly permissive access. Purpose limitation is a common theme across the three laws, and it essentially requires that we understand, disclose, and control how data is used. It’s impossible to achieve this objective when access to the regulated data is open to everyone. As a first step, can you identify data stores with overly permissive access?
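To make the five checks concrete, here is an added example (not Cyera's product or code, and not from the original post) that runs them over a handful of constructed records. The store names, field names, the `tok_`/`enc:` markers for protected values, the `group:everyone` ACL principal and the MRN and ICD-10 patterns are all assumptions made for the example; a real scan would substitute the detectors and metadata of your own environment.

```python
"""Minimal scan over constructed records exercising the five checks:
locate regulated data, attribute it to a data subject, flag plaintext
exposure, find stale and duplicate data, and flag stores open to everyone.
All field names, markers and ACL formats below are assumptions for the example."""
import re
from collections import defaultdict
from datetime import date

# Content detectors for regulated data in readable form. A value that matches
# a detector is plain text; a tokenized or encrypted value will not match.
PLAINTEXT_DETECTORS = {
    "PI":  [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # US SSN
            re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")],      # e-mail address
    "PHI": [re.compile(r"\bMRN-\d{6}\b"),                      # assumed medical record number format
            re.compile(r"\bICD-10:[A-Z]\d{2}")],               # assumed diagnosis-code marker
}
# Fields known by name to hold regulated data even when the value is protected.
REGULATED_FIELDS = {"ssn": "PI", "email": "PI", "mrn": "PHI", "diagnosis": "PHI"}
METADATA_FIELDS = {"store", "subject", "updated"}

# Constructed sample records and ACLs (not real data).
RECORDS = [
    {"store": "crm.customers", "subject": "customer", "email": "a.jones@example.com",
     "ssn": "123-45-6789", "notes": "", "updated": "2022-11-04"},
    {"store": "hr.employees", "subject": "employee", "email": "b.smith@example.com",
     "ssn": "tok_7c0d31", "notes": "", "updated": "2022-12-20"},
    {"store": "marketing.export", "subject": "customer", "email": "a.jones@example.com",
     "ssn": "", "notes": "callback re ICD-10:E11 referral", "updated": "2019-06-30"},
    {"store": "clinical.trial_42", "subject": "patient", "email": "",
     "ssn": "", "mrn": "enc:AQIDBA==", "notes": "", "updated": "2022-10-01"},
]
ACLS = {
    "crm.customers": {"group:everyone"},
    "hr.employees": {"group:hr-admins"},
    "marketing.export": {"group:everyone"},
    "clinical.trial_42": {"group:trial-42-analysts"},
}


def scan_record(rec):
    """Return (field, category, exposed) for every regulated field in one record."""
    findings = []
    for field, value in rec.items():
        if field in METADATA_FIELDS or not isinstance(value, str) or not value:
            continue
        # Content match wins: it also catches regulated data in free-text fields.
        hit = next(((cat, True) for cat, pats in PLAINTEXT_DETECTORS.items()
                    if any(p.search(value) for p in pats)), None)
        if hit is None and field in REGULATED_FIELDS:
            hit = (REGULATED_FIELDS[field], False)  # regulated by name, value not readable
        if hit:
            findings.append((field, hit[0], hit[1]))
    return findings


def inventory(records):
    """Challenges 1 and 2: regulated data per store, attributed to its data subject."""
    return [{"store": rec["store"], "subject": rec["subject"], "field": field,
             "category": category, "exposed": exposed}
            for rec in records for field, category, exposed in scan_record(rec)]


def exposed_plaintext(report):
    """Challenge 3: regulated values still readable in plain text."""
    return sorted({(f["store"], f["field"], f["category"]) for f in report if f["exposed"]})


def stale_stores(records, today_iso, max_age_days=365):
    """Challenge 4 (stale data): stores whose newest record is older than max_age_days."""
    today, newest = date.fromisoformat(today_iso), {}
    for rec in records:
        d = date.fromisoformat(rec["updated"])
        newest[rec["store"]] = max(newest.get(rec["store"], d), d)
    return sorted(s for s, d in newest.items() if (today - d).days > max_age_days)


def duplicate_subjects(records, key="email"):
    """Challenge 4 (redundant data): the same identifier held in more than one store."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get(key):
            seen[rec[key]].add(rec["store"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def open_regulated_stores(report, acls, anyone="group:everyone"):
    """Challenge 5: stores that hold regulated data and grant access to everyone."""
    return sorted(s for s in {f["store"] for f in report} if anyone in acls.get(s, set()))


if __name__ == "__main__":
    report = inventory(RECORDS)
    print("exposed plaintext:", exposed_plaintext(report))
    print("stale stores:", stale_stores(RECORDS, "2023-01-28"))
    print("duplicate subjects:", duplicate_subjects(RECORDS))
    print("open regulated stores:", open_regulated_stores(report, ACLS))
```

The content detectors matter more than the field-name map: the PHI finding in `marketing.export` sits in a free-text `notes` field of a customer record, which is exactly the kind of regulated data a name-based classification misses. Conversely, the tokenized SSN and the encrypted MRN are reported as regulated but not exposed, which keeps the "what should be encrypted" list honest.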
If you went through the five challenges, what was the process like? Were you able to leverage your existing tools and processes? If so, how long did it take?
What if I told you that at Cyera, we could help you start tackling the above challenges in a matter of hours? You won’t need agents or the usual overhead from IT and dev teams. And in a matter of days or weeks, you would get a comprehensive view of regulated data across your entire cloud data estate. Getting ahead of the latest regulatory requirements starts with data visibility. We can help you with that.