Data is a precious asset and a potential liability if lost, stolen, or mishandled. The larger and more sensitive the data set (think Personally Identifiable Information and Intellectual Property), the more precious it is. That is why key stakeholders in an organization must know how data is collected, where it is stored, how to protect it, and who should be given access to it.
A Data Handling Policy is a necessary tool in the company's arsenal for achieving those goals.
A Data Handling Policy is a set of rules for employees to follow when working with data. It is designed to complement a Data Protection Policy, which is a security policy created to monitor and manage an organization's data. Both policies fall under the broader discipline of data management, i.e., collection, processing, analysis, storage, and protection.
Creating a Data Handling Policy involves knowing what data your organization manages.
First, an inventory is taken, and a classification system is designed to identify different levels of sensitivity and corresponding levels of risk. For example, publicly available data could be classified as level 1 with a very low level of risk. In contrast, Social Security Numbers and credit card information may be labeled as level 5 and require substantial protections such as multifactor authentication to access.
Next, once everything is correctly categorized, a framework can be created that outlines how end users store, transport, and handle the data.
For example, the company could require that sensitive data not be stored locally on employee workstations and only on particular secure network drives. Also, the more sensitive data may only be accessible to specific employees and require encryption to be transported outside the network, whether via email or physical media, whereas public data is available to anyone and does not require special treatment.
Keep in mind that a sound Data Handling Policy will also define which devices are allowed to access the different levels of data.
A trusted device is owned by the company, strictly governed by the IT department, and carries enforced policies that the user cannot change.
If such a device is lost or stolen, it can be remotely wiped to protect any sensitive data stored on it. A managed or registered device may be personally owned under a BYOD policy, and is therefore not permitted to access the higher levels of sensitive data.
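The classification levels, storage and transport rules, and device tiers described above combine into a single access decision. The following is an added example, not code from the original article or any product it describes: a small policy evaluator that fails closed, returning every rule a request violates rather than only the first. The five levels, the three device tiers, the storage locations, and the thresholds (encryption from level 3 upward, multifactor authentication at level 5) are assumptions chosen to mirror the article's illustration.

```python
"""Evaluate a data-access request against a level-based handling policy.

Added example. Level numbers, device tiers, storage names and thresholds
are assumptions that mirror the article's illustration (level 1 public,
level 5 Social Security Numbers and card data); they are not a standard.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed classification levels, least to most sensitive.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED, HIGHLY_RESTRICTED = 1, 2, 3, 4, 5

# Assumed device tiers, least to most governed.
UNMANAGED, MANAGED, TRUSTED = "unmanaged", "managed", "trusted"

# Highest level each device tier may touch (assumption): BYOD/managed
# devices stop short of the higher sensitivity levels.
MAX_LEVEL_FOR_DEVICE = {
    UNMANAGED: PUBLIC,
    MANAGED: CONFIDENTIAL,
    TRUSTED: HIGHLY_RESTRICTED,
}

# Storage locations (assumed names). Sensitive data may only live on the
# secure network share, never on a local workstation or removable media.
SECURE_SHARE = "secure_share"

# Transport channels that leave the network and therefore need encryption
# for sensitive levels (assumed names).
EXTERNAL_TRANSPORTS = {"email", "physical_media"}


@dataclass
class AccessRequest:
    data_level: int
    device: str
    storage: str                       # "workstation", "secure_share", "removable_media"
    transport: Optional[str] = None    # None, "internal", "email", "physical_media"
    encrypted: bool = False            # payload encrypted for transport
    mfa_verified: bool = False         # user completed multifactor authentication
    user_in_acl: bool = True           # user is on the named access list


@dataclass
class Decision:
    allowed: bool
    violations: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Apply every handling rule; the request is allowed only if none fail."""
    violations: List[str] = []

    # Fail closed on anything outside the classification scheme.
    if req.data_level not in (PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED, HIGHLY_RESTRICTED):
        return Decision(False, ["unknown classification level; treat as most sensitive"])
    if req.device not in MAX_LEVEL_FOR_DEVICE:
        return Decision(False, ["unknown device tier; deny by default"])

    # Device tier caps the level of data it may reach.
    if req.data_level > MAX_LEVEL_FOR_DEVICE[req.device]:
        violations.append(f"{req.device} device may not access level {req.data_level} data")

    # Sensitive data must not be stored locally, only on the secure share.
    if req.data_level >= CONFIDENTIAL and req.storage != SECURE_SHARE:
        violations.append(f"level {req.data_level} data must not be stored on {req.storage}")

    # Leaving the network with sensitive data requires encryption.
    if req.transport in EXTERNAL_TRANSPORTS and req.data_level >= CONFIDENTIAL and not req.encrypted:
        violations.append(f"level {req.data_level} data must be encrypted for {req.transport}")

    # Higher levels are restricted to named users.
    if req.data_level >= RESTRICTED and not req.user_in_acl:
        violations.append("user is not on the access list for this data")

    # The most sensitive level additionally requires multifactor authentication.
    if req.data_level == HIGHLY_RESTRICTED and not req.mfa_verified:
        violations.append("multifactor authentication required for level 5 data")

    return Decision(allowed=not violations, violations=violations)


if __name__ == "__main__":
    # Constructed sample: card data read from a BYOD laptop over e-mail, unencrypted.
    sample = AccessRequest(HIGHLY_RESTRICTED, MANAGED, "workstation", "email")
    print(evaluate(sample))
```

Returning the full list of violations, rather than stopping at the first, is what makes this useful for an audit log or a policy-linting tool: a request that fails the device cap usually also fails the storage and transport rules, and the reviewer wants to see all of them at once.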
Compliance is key to data protection and handling. Failing to comply with regulatory bodies can mean hefty fines and penalties, including losing the opportunity to do business in certain geographical regions or areas of commerce. Regulations like CPRA, CMMC, GDPR, HIPAA, GLBA, and PCI-DSS evolve over time and often use broad, comprehensive language.
As a result, data management policies must be written as living documents so they keep up with the constant changes and the sometimes vague wording of the regulations themselves.
Experts recommend, especially for global organizations, having a Data Protection Policy that covers the following areas:
Contact us today. We’re always here to help.