The 5 P’s of Data Protection

Lois_Boliek


“Are we doing everything we can to protect the private data of our customers and employees?”

It’s a question that’s on the minds of pretty much everybody in the C-Suite these days, given the constant drumbeat of headlines about data breaches at high-profile businesses. And it’s not just large enterprises that are at risk; IT leaders at small and midsize organizations are increasingly aware of the potential for reputational damage that could be every bit as severe as the impacts suffered by the big guys.

No question, data protection is in need of an overhaul at many organizations. The nature of data has changed. The days are long gone when private data resided mainly in what were basically digital representations of paper – forms, document files and spreadsheets. Personal data is pervasively present in today’s world of consumerized IT, mobile devices, big data, and social media. Yet procedures for safeguarding it haven’t kept pace.

Legislators are starting to take notice. In the European Union, for example, the General Data Protection Regulation (GDPR) will create a new regulatory foundation governing how companies protect and derive value from sensitive customer information. GDPR will become mandatory in May 2018, and will affect all businesses (including multinationals) that hold data on EU citizens, regardless of where they are domiciled.

A 5-point data protection cheat sheet

Developing a modern, comprehensive data protection strategy is not a prohibitively heavy lift for most organizations. But it does call for a holistic approach that can seem daunting, given its ramifications across multiple security dimensions. Here’s a checklist that I’ve found useful in helping security leaders tackle an upgrade. We call it the HPE P5 Model, or you can think of it as the five P’s of data protection:

  1. People. Beyond ensuring that you have the right staff and that they’re in the right roles – both hugely important steps – it’s worth putting considerable effort into raising the overall level of awareness of data protection requirements in your organization. For example, your people should know that safeguarding confidentiality means keeping a careful inventory of all the locations where you store individuals’ private information, so transferring sensitive data on USB sticks, for instance, raises serious issues. IT can lead an educational initiative to make sure everyone knows that handling private data of consumers, employees and partners should be done with extreme care.
  2. Policy and Procedures. Now’s the time to review your data protection policy and procedures, the high-level documents that govern how data security is managed in your organization. Your policy should describe, for example, how you will protect data from unauthorized access, where it can (and cannot) be stored, how you will destroy it when it’s no longer needed. Procedures translate the policy into general operational terms that staff can refer to whenever they need to. For example, they should describe how a new hire is added to your IT systems, and how an employee’s data is deleted from your system when he or she leaves the company.
  3. Processes. More detailed than procedures, processes specify actions at the level of systems and applications, including backup, recovery and archiving strategies as well as transfers of data to off-premises providers. For example, it’s increasingly important to require strict processes and records around the erasure of personal data by cloud storage providers. The act of transferring information to a third party doesn’t relieve the owner from responsibility for that data. Yet cloud processes can be challenging, since providers often hand off data to other partners and data processors, resulting in visibility gaps. Businesses should carefully investigate and validate their cloud vendors’ data protection services and commitments.
  4. Products. Do you have gaps in your data architecture that new solutions could help you fill? You may want to investigate innovative encryption products, cloud access security broker (CASB) technologies, data loss prevention solutions, data management tools, and modernizing backup/recovery systems.
  5. Proof. Make sure you have the right set of validation methods, metrics and KPIs in place to track compliance effectiveness and close the loop with your policy and procedures. This is where compliance management becomes critical. Ideally, you should consider compliance management instrumentation that can provide a dashboard view and insights for your executive team. More importantly, these tools can detect that something is wrong, suggest corrective actions, and even automate compliance to the relevant controls.

New regulatory mandates like GDPR are both a wake-up call and an opportunity to review your data protection activities to ensure that they’re delivering the best value for the money, and perhaps even uncover new ways to improve customer service and drive more value from your data. HPE Pointnext can provide the right data management expertise to help you understand, manage and reduce the business and security risks around information privacy management. Together with our extensive partner ecosystem, we can help you at every stage of the journey, from initial risk assessment, to roadmap design, to implementation and ongoing continuous improvement.

Take the step to start protecting sensitive data today. Learn more about HPE Security and Digital Protection Services here.

Join the experts in Madrid

Thousands of IT professionals from around the world will be joining us for Hewlett Packard Enterprise’s largest IT event of the year: HPE Discover. Meet us in Madrid and sign up for this session to continue learning about data protection: “How to prepare your IT organization for General Data Protection Regulation (GDPR)”, led by experts Richard Fermont and Felix Martin.

For Additional Resources, see the following:

About the Author

Lois_Boliek

The worldwide security leader for HPE Pointnext Advisory and Professional Services and certified CSO.
