A staggering 68 percent of business leaders feel their cybersecurity risks are increasing, and it’s believed that cybercrime damage costs hit somewhere in the region of $6 trillion (US) in 2021 - that’s up from $3 trillion in 2015.
That’s why data protection is a crucial strategy for modern businesses.
As organizations increase the amount of data they store, the risk of cyber attacks also increases. Data protection helps mitigate the risk of a company’s sensitive and personal information being stolen from fraudulent activities such as hacking, phishing and identity theft.
Unfortunately, data breaches can cause devastating damage to an organization, resulting in hefty fines, reputational damage, a decrease in sales, a loss of trust and legal penalties from governing bodies. The United States, for instance, follows a data privacy approach that is guided by various state laws and sector-specific privacy laws, meaning you have to understand the various regulations that apply to the states and industries you operate (or collect data) in.
Are you looking to improve your data protection strategy and reduce your cybersecurity risk? To help, we’ve answered some of the most common data protection FAQs to help get you started.
Question 1: What is data protection and why does it matter?
In its simplest definition, data protection is a strategy that focuses on protecting a company’s data from data breaches and fraudulent activities, such as hacking, phishing, identity theft and other threats from external forces.
Data protection mitigates risks and strengthens vulnerabilities through a variety of best practices, from employee training, encryption, data management, data backup and recovery, data loss prevention, and firewalls.
There are two reasons why this is important. Firstly, because protecting this data is crucial to the seamless operations of your business, and, secondly, because when handling personal data your organization must comply with the data privacy regulations that apply to your business.
Question 2: What data protection regulations do I need to comply with?
The data protection regulations that your business is required to comply with depends on where you operate. Typically, if you offer goods or services, or if you monitor the behaviour of residents within a specific location, then you are required to comply with that jurisdiction's data privacy laws.
For example, a company based in the US will still need to comply with the European Union's General Data Protection Regulation (GDPR) if they offer goods or services to EU residents or collect consumer data within the union.
Some of the most prominent regulations to look out for include:
- General Data Protection Regulation (GDPR) in the European Union
- California Consumer Privacy Act (CCPA) in the US
- Lei Geral de Proteção de Dados (LGPD) in Brazil
- Personal Data Protection Act (PDPA) in Thailand
There are also industry specific regulations that may apply to your business, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
Question 3: How do I gain visibility into where my data lives?
Ever heard the popular business saying, you can’t manage what you can’t measure? Well when it comes to data protection we’ve changed that slightly - you can’t protect what you can’t see.
Gaining visibility into where your data lives, how it’s being used and who has access to it is crucial to understanding your company’s data risk and building a data protection program. It’s for this reason why data discovery should be an integral component of your data protection strategy.
You can learn about data protection in our blog, What is Data Discovery and Classification, and Why is it Important?
Question 4: What is considered personal data?
Personal data is typically referred to as personally identifiable information (PII), and the various legislations we discussed above set the rules and standards for how your organization can use and handle this data.
PII includes directly identifiable data, such as names, addresses, telephone numbers, bank details and social security numbers, as well as information that can be linked together to identify an individual, such as an employee record number.
All personally identifiable information must be stored and handled based on the regulations that apply to your business, including consumer information, employee information and transaction details.
Question 5: What is data processing?
Data processing refers to any operation which is performed on personally identifiable information. Typically, this is any step that your organization takes to collect and manipulate that data into meaningful information. Data processing is likely to involve various stages, such as collection, validation, sorting, storage, classification and reporting.
Question 6: Our business was hacked, will we be fined?
Not necessarily. The consequences of non-compliance with data privacy regulations can be eye watering. For example, a breach of GDPR can see organizations fined up to 20 million (euros) or 4 percent of their annual turnover, whichever is greater.
Yet, despite this, data breaches aren’t 100 percent avoidable, even with the most robust measures in place. A fine is for noncompliance with data privacy regulations, not for the actual act of being breached itself. As long as you are compliant with the regulations, then your business should avoid a fine - but hopefully your data protection strategy will do enough to mitigate the risks of a breach in the first place.
Question 7: Who is responsible for data protection in my business?
The responsibility of data protection compliance lies with what is known as the “data controller”, which is the ‘person’ that collects and processes the data. This ‘person’ includes individuals, organizations and companies.
You can appoint a data protection officer to ensure compliance with data privacy laws and you can also outsource your data protection to a managed security services provider (MSSP), but ultimately it is your business that will be liable for noncompliance. That’s why, no matter which route you take, it’s crucial that you ensure you have a robust data protection strategy in place and the person, or company, you hire to protect your data is both experienced and skilled in data protection.
Question 8: Are there technology solutions to manage our data protection strategy?
There are a number of technology solutions that can improve your data protection strategy. For example, here at Cavelo we help enhance companies data protection programs through continuous and automated data discovery and classification. After all, the first step to securing data is to first understand where it’s stored and how it’s being used.
Are you interested in learning more? Watch the Cavelo virtual demo today and find out how our innovative platform can help your business gain complete visibility into its sensitive data.