“Well,” says your boss during your weekly Teams call, “I guess data privacy and data protection really need to be a priority for us now.” She shares her screen and shows you an article announcing that enforcement of the California Consumer Privacy Act (CCPA) has begun.
“But regulations like CCPA and GDPR are about privacy,” you say. “What does that have to do with protection?”
“You can’t have data privacy without data protection,” says your boss.
As usual, she’s right.
Data privacy is getting more (and sharper) teeth all the time
Face it: Too many companies have played too fast and loose for too long with personal data. They bumbled into hacks and data breaches that ruined it for everybody — customers, users, marketers and even the companies who kept personally identifiable information (PII) safe all that time. For that matter, they ruined it for the lawmakers and consumer advocates who had better things to do than develop and pass laws that should have been common sense.
The General Data Protection Regulation (GDPR) went into effect in 2018. GDPR rules require businesses anywhere in the world to protect personal data in transactions they enter into with EU citizens. “Personal data” is defined rather broadly, even including details like email addresses. “Transactions” extend to information gathered when an individual visits a website, and “protection” means the company is obliged to keep the individual’s information safe.
That same year, California passed the CCPA, which in some ways goes beyond the scope of GDPR in protecting consumer privacy and data. Companies covered by the law must allow website visitors to opt out of data sharing. Under CCPA, consumers can sue companies that violate privacy guidelines, and they can pursue class action lawsuits for damages. CCPA went into effect on January 1, 2020, and enforcement started on July 1, 2020.
When your boss showed you the article, she was effectively letting you know that you’d better take CCPA seriously.
Data protection covers more than consumer data
“And while we’re protecting our customers’ data,” your boss continues, “we have plenty of internal data that we need to protect.”
“Isn’t that what anti-malware and intrusion detection are for?”
“Only on one level. If somebody got through them and slurped up a copy of one of our transaction databases, they’d get plenty of proprietary information along with customer data.”
That gets you thinking beyond website visitors and shopping carts, to all the other kinds of sensitive data in your company’s databases.
What is sensitive information in your company?
- financial information
- customer and vendor agreements
- personnel files
- intellectual property
- internal communications
- trade secrets
Much of that information resides in databases, which you administer and are on the hook for protecting.
But even if you knew off the top of your head all the kinds of sensitive information you keep, would you know where to find every database that contains it? You back up your production systems, right? Are those backups on site, off site, backed up to tape or in the cloud? How are you protecting the data in them?
You probably have the same database in multiple places. Do you replicate databases so your colleagues in Finance can run analysis and reports on the replicas without bogging down production? What about your developers? Do you replicate databases so they can test on real-world data? Those are two more places in the company where sensitive data may be floating.
Having those databases in multiple places increases your exposure under data privacy regulations, whether from malicious attacks or simple human error. It may be easier for a smart hacker to poke around your network for an overlooked backup copy than to try to get into a production database.
Data privacy depends on sensitive data protection
You have databases to tend to. Hundreds of them. With thousands of tables and columns. How are you going to implement the data protection you need to assure yourself, your customers and your regulators that you’re maintaining data privacy?
Protecting sensitive data boils down to solving two main problems:
Problem 1: Finding sensitive data wherever it may live in the organization
Knowing everywhere that the data resides is only the first step on the path to data protection; the next is to identify the tables and columns that contain personal data. The databases in ERP systems, for example, contain tens of thousands of columns across hundreds of tables, and not all of them are intuitively named.
The alternative, searching through databases manually, is also onerous. Even database administrators who had the time for a manual search could not state with certainty that they found all the sensitive data.
It would be necessary to define — for example, using regular expressions — what constitutes sensitive data, since each organization regards different types of data as sensitive. The work should be automated so that changes to schemas and tables are tracked.
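A minimal sketch of that kind of automated discovery, added here as an illustration and not taken from any product: it flags columns by name or by the share of sampled values matching a pattern, and fingerprints the schema so that a change triggers a rescan. The SQLite in-memory database, the patterns, the 80 percent threshold and the table and column names are all assumptions constructed for the example.

```python
import hashlib
import re
import sqlite3

# Assumed patterns: each organization defines what it regards as sensitive.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}
NAME_PATTERN = re.compile(r"ssn|e?mail|salary|birth|phone", re.I)

def list_columns(conn):
    """Sorted (table, column) pairs for every user table, read from the catalog."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return sorted((t, row[1]) for t in tables
                  for row in conn.execute(f'PRAGMA table_info("{t}")'))

def schema_fingerprint(conn):
    """Hash of the column inventory; a changed hash means a rescan is due."""
    inventory = "\n".join(f"{t}.{c}" for t, c in list_columns(conn))
    return hashlib.sha256(inventory.encode()).hexdigest()

def find_sensitive(conn, sample=100, threshold=0.8):
    """Flag columns by name, else by the share of sampled values matching a pattern."""
    findings = {}
    for table, col in list_columns(conn):
        if NAME_PATTERN.search(col):
            findings[(table, col)] = "name"
            continue
        rows = conn.execute(f'SELECT "{col}" FROM "{table}" '
                            f'WHERE "{col}" IS NOT NULL LIMIT ?', (sample,)).fetchall()
        values = [str(r[0]) for r in rows]
        for label, pattern in VALUE_PATTERNS.items():
            hits = sum(bool(pattern.match(v)) for v in values)
            if values and hits / len(values) >= threshold:
                findings[(table, col)] = label
                break
    return findings

def demo_db():
    """Constructed sample data; FLD_07 is a non-intuitive name holding e-mail addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_CUST (ID INTEGER, FLD_07 TEXT, NOTE TEXT)")
    conn.executemany("INSERT INTO T_CUST VALUES (?, ?, ?)",
                     [(1, "ana@example.com", "vip"), (2, "bo@example.org", "none")])
    return conn
```

Storing the fingerprint after each scan and comparing it on a schedule is what turns a one-time search into tracking; value sampling catches columns such as FLD_07 that a name-only search would miss.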
Problem 2: Applying sensitive data protection techniques
Having identified the sensitive data, you have to somehow make it useless to prying eyes, yet keep it easily accessible to applications and users.
To be on the safe side, you could choose to hide all of the data in your databases somehow. That would protect sensitive data from internal and external threats, but it would also hamper performance, maybe prohibitively. It’s a high price to pay for data privacy.
It would be better to apply measures like encryption, masking and redaction, which are built into the database itself, to only the relevant tables and columns. The data would preserve those characteristics in any subsequent form it took, whether in backup copies, long-term storage or replicas.
Only getting started
“But I just keep the databases up and running,” you say. “How am I supposed to become the privacy sheriff, on top of keeping all those plates spinning?”
“I’ve got news for you,” says your boss. “Data protection and data privacy are ushering in the role of the data controller. We haven’t worked out our long-term strategy for that role, so in the interim it’s you. You manage the databases and understand better than anybody else where our sensitive data resides. You’re the logical fit.”
And here’s a little more news for you. For American companies, additional regulation may be on the way. The California Privacy Rights and Enforcement Act, likely to go to voters late in 2020, would require protection of data related to health, finances, race and location, and triple fines for certain violations. There is also momentum at the federal level in the U.S. for passing legislation around a national privacy standard.
Naturally, we hope you’ll never have to say that you’ve suffered a data breach. But if you do, you’ll want to be able to say that no readable PII was leaked. By solving the problems of finding and protecting sensitive data, you could help protect your company from non-compliance, financial penalties, impaired productivity and damage to your reputation.