Sensitive data management

Your organization’s approach to sensitive data management determines how you protect and maintain one of your most important assets: your data.

According to Gartner, 91% of organizations are currently undergoing some form of digital transformation. This shift towards digitization is driven by the increasing importance of data, which is now at the core of how businesses operate and make decisions. But with that advancement come obstacles like data breaches, compliance regulations and data privacy laws. Companies are rushing to modernize their infrastructure, applications and capabilities to democratize data and make it accessible to everyone who needs it.

As your company continues to reinvent itself and focus on data, every decision you make will involve analyzing and using data to drive insights and accelerate your transformation. Sensitive data management grows more important as you navigate this new digital landscape.

What is sensitive data?

It’s a fact of business life that not all data is created equal. No matter how much data you have — and you surely have plenty — sensitive data is the kind that bubbles to the top in priority.

Sensitive data is classified differently within your organization. It includes personally identifiable information (PII) like social security numbers, driver’s licenses, passwords, financial information and medical records. At the organizational level, sensitive data includes information about your customers, business practices and intellectual property. It extends to material, nonpublic information like upcoming corporate actions and high-risk data like trade secrets and financial data.

What’s driving the need for sensitive data management?

By definition, sensitive data is at-risk data. Companies are keen to mitigate risk with sensitive data, and sensitive data management is how they accomplish that. The global market for sensitive data discovery, for example, is projected to reach USD 12.4 billion by 2026, as organizations begin to understand the risk and address it.

Unfortunately, most of those dollars are in the form of services and engagements, as companies try to patch holes in the ship. Almost every company that’s moving to the cloud and modernizing infrastructure is simultaneously worried about losing whatever control they currently have over sensitive data.

Any company with products to sell and customers is sure to be storing and managing sensitive data, and with that data come several different kinds of risk.

The risk from data breaches

Consider breaches like the ones that Equifax, Target, Facebook, Twitter, OxyData and Apollo have endured. What are the threat actors after? Either sensitive data they can expose or the opportunity to shut down your operations and hold your organization’s data hostage. They’re getting smarter and quicker at disrupting businesses and effectively using your data against you.

Internal threats

Most of those data breaches are external threats. But internal threats are a high priority for more and more companies, too. Besides the treachery of insider attacks, there’s the frustration of accidental breaches, in which employees do things with data that they don’t know are risky and non-compliant.

What are the highest-risk IT assets you have? Your corporate databases. Your data is in a lot of places, but it’s those databases that really hold the gold and are the most difficult to bring under sensitive data management.

GDPR penalties

The General Data Protection Regulation (GDPR) imposes penalties on companies for non-compliance. After the long run-up to GDPR, with all of its warnings, the EU has begun assessing those penalties. The effects are significant not only monetarily but also as a matter of reputation.

If your customers can’t trust you as a custodian of the data they share with you, then you can expect that they will transact elsewhere.

Global data privacy regulations

GDPR is just one example of the trend in data privacy laws taking effect all over the world. Most of those laws are trying to achieve the same thing, but they introduce additional complexity to your operations. Some regulations are at odds with others in areas like amount of time to keep data on hand, the right to be forgotten and the right to anonymity.

Business objectives – Sensitive data as a priority

Our research tells us that most organizations have a sense of what they’re trying to achieve with sensitive data. Almost nine out of 10 companies regard data governance — an important part of sensitive data management — as a top-ten priority. More than six out of 10 companies consider it their number-one priority.

First of all, it’s a priority not only for sensitive data but also for all data. Companies have realized they aren’t sure what data they have, how it affects the business, where it poses a risk to them and how they can get more out of it. So they’re building data governance frameworks to get a better picture of all that.

Next, they want to tie that picture to their business functions, especially as they go through digital transformation. Why? Because as organizations modernize applications and move different processes into, say, the cloud, they want to make sure they stay in compliance during the transition.

Then, there’s the sheer number of places where data, and specifically sensitive data, can be at risk. Besides the breaches and non-compliance mentioned above, data governance addresses risk in your everyday processes like running data through the development lifecycle and using production data to test new applications. When that data leaves the safe container you’ve built for your regular corporate data, you expose yourself to risk.

Finally, data governance prepares you for audits, so that you’re not diverting resources from higher-value tasks to audit-related fire drills. It’s no fun scrambling to respond to auditors in an effort to avoid a negative outcome.

Sensitive data management

Sensitive data management is the process of implementing governance for sensitive data in an ongoing and sustainable way.

1. Define

The first step is to define what sensitive data is in your organization. That includes specifying how it affects the business and how it is managed and stored throughout the organization. You clearly classify the kind of sensitive data it is and what it pertains to.

2. Discover

Next comes the process of discovering where in your organization the data lives. In which databases does it reside? Through which pipelines is it flowing? You refine your definition and general understanding of sensitive data by applying appropriate policies and tagging physical data for compliance initiatives like GDPR. You profile your data so that, even if it doesn’t appear to be sensitive, you can determine from its contents whether it is sensitive and has slipped through the net.

3. Defend

Then you look at the variety of ways to defend your sensitive data.


Naturally, you start by encrypting, masking and redacting sensitive data at each stage in its lifecycle:

  • moving through production
  • sitting in your data warehouse where it’s used every day for analytics and business intelligence
  • being shared with your business partners
  • going through the development lifecycle
  • being used to test the results of your digital transformation initiatives

Your goal is to apply the appropriate defense so the data is in the right state, both during the stage and afterwards, when the data is at rest somewhere.

Setting policies

You’ll want to be able to audit activity around that sensitive data in your databases. That means setting, testing and maintaining policies for access to it.


Data protection entails robust backup and recovery of your data, none more so than sensitive data with regulatory requirements. Make sure that, as you restore from backups into production, your sensitive data is restored with all the policies that apply to it.

Hardening devices

All of the hardware that your sensitive data touches should be hardened using unified endpoint management to keep it from, say, slipping out through sloppy handling of USB drives. Harden your endpoints for everywhere they’re used, down to rebuilding or destroying hard drives when computers move among employees, so no sensitive data is accidentally passed along.

A framework for enterprise architecture and business process modeling

A viable framework for sensitive data management starts with enterprise architecture and business processes. This framework brings your sensitive data, along with applications and technology, into the context of your business goals, strategies, capabilities and processes.


You start by mapping sensitive data to:

  • your different business components
  • the applications that are serving up the data
  • the business processes that are consuming it
  • all of the technology underneath
  • the overall business capabilities that enable you to go out and be successful in the market

Take GDPR, for instance. You can use this framework to define your GDPR remediation and processes and ensure you’re in compliance. This framework can help you document them in great detail, including associated data. With the full architectural governance and context of your data, you can answer persistent questions:

  • Where does sensitive data touch our organization?
  • Where are we at risk?
  • Where do we need to protect ourselves?
  • How do we orchestrate an enterprise view into sensitive data?

Metadata management

In metadata management, you harvest every physical data asset in your landscape. That covers streaming data and data in motion among applications as well as data at rest in databases, files and data sources. Based on where the data is, how it’s affected and how you’re managing it, you can start assigning sensitivity classification tags and descriptors.

Again, with GDPR as an example, you tag all GDPR-related data sources so that you can have a consolidated view and can make decisions about them. Metadata management provides a foundation for drilling into the data, understanding the policies and risks behind it and seeing the appropriate way to use it.

Business glossary management

A business glossary gives you a view into sensitive data according to a special ontology for financial services or health care or manufacturing, for instance. People in your industry have often already done the work of classifying sensitive data elements and documented that work. You can incorporate that into your glossary and map it to the physical metadata catalog you’ve created.

From there, you construct dashboards and graphs for navigating sensitive data and understanding the relationships and associations in it. The glossary is useful not only for educating your internal users, but also for responding to auditors tasked with getting to the bottom of your data.

Data modeling

Whenever you design new data elements, data modeling comes into play. Use modeling to go out to your data catalog, discover the types of data you can already use and bring them into your new design. Whenever you create new data elements, you can classify and document them as sensitive from the outset so that there’s no guesswork or unnecessary discovery required.

Your data model is reusable. You can make it available again to your data management and data governance environments. It’s useful in educating users and in providing insight into everything happening with data in general and sensitive data in particular.

Discovery and protection

With your enterprise architecture, data catalog and business glossary in place, you profile your data to see whether any sensitive data has fallen through the cracks of your framework. You then pass that information back up for inclusion in the mapped inventory, which gives you a sharper view of the sensitive data in your organization, and take action to mitigate any risks.
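
The content profiling described in the Discover step and in this section can be sketched as follows. This is an added example, not code from the article or from any product; the function names, detector set, threshold and sample rows are assumptions made for illustration. It tags columns by what their values contain, then reports the tags the catalog does not yet record.

```python
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_card(value):
    """True if the value contains a 13-19 digit run that passes Luhn."""
    runs = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(value))
    return any(luhn_ok(d) for d in runs)

DETECTORS = {  # hypothetical tag names
    "ssn": lambda v: bool(SSN_RE.search(v)),
    "email": lambda v: bool(EMAIL_RE.search(v)),
    "payment_card": has_card,
}

def profile_columns(rows, threshold=0.2):
    """Return {column: sorted tags} where at least `threshold` of the
    non-empty values match a detector, whatever the column is named."""
    findings = {}
    for col in rows[0]:
        values = [str(r[col]) for r in rows if r.get(col) not in (None, "")]
        tags = [t for t, hit in DETECTORS.items()
                if values and sum(map(hit, values)) / len(values) >= threshold]
        if tags:
            findings[col] = sorted(tags)
    return findings

def catalog_gaps(findings, catalog):
    """Content findings that the metadata catalog does not record yet."""
    gaps = {c: [t for t in tags if t not in catalog.get(c, ())] for c, tags in findings.items()}
    return {c: tags for c, tags in gaps.items() if tags}

# Constructed sample: the free-text "notes" column is not named like PII.
SAMPLE_ROWS = [
    {"order_id": "1000234", "contact": "ana@example.com", "notes": "SSN 078-05-1120 on file"},
    {"order_id": "1000235", "contact": "li@example.org", "notes": "paid with 4111 1111 1111 1111"},
    {"order_id": "1000236", "contact": "", "notes": "call back Tuesday"},
]
SAMPLE_CATALOG = {"contact": ["email"]}  # constructed: tags already in the catalog
```

Running `catalog_gaps(profile_columns(SAMPLE_ROWS), SAMPLE_CATALOG)` reports the `notes` column, which is the kind of finding that goes back into the mapped inventory.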


There are many places to look for sensitive data and many ways you can protect yourself against the risks associated with it. But piecemeal approaches don’t give everyone in the organization a strong feeling of confidence that you’re managing those risks wisely. Sensitive data management is the way to address the questions they constantly ask.

Having an end-to-end approach and framework for sensitive data management takes care of the high-profile concerns of potential breaches and regulatory compliance. It also addresses the risk that arises in your common, everyday business practices.

Your main goal, of course, is to stay out of the headlines when there’s a data breach. You want to maintain your reputation and the trust your customers have in you. You want to be identified as a partner in that data. Sensitive data management ensures that you’re doing all the right things as a corporate citizen and a custodian of people’s data.


About the Author

Danny Sandwell

Danny Sandwell is an IT industry veteran who has been helping organizations create value from their data for more than 30 years. As a Technology strategist for Quest, he is responsible for evangelizing the business value and technical capabilities of the company’s enterprise modeling and data intelligence solutions. During Danny’s 20+ years with the erwin brand, he also has worked in pre-sales consulting, product management, business development and business strategy roles – all giving him opportunities to engage with customers across various industries as they plan, develop and manage their data architectures. His goal is to help enterprises unlock their potential while mitigating data-related risks.
