BY SPIRION
December 8, 2023
3 Must-Have Standards for Effective Data Protection
Data security alone does not equate to data privacy. Indeed, 451 Research emphasizes:
“While data security mechanisms are a critical component of achieving data privacy objectives, it is important to broaden the scope of efforts to ensure that data security measures are closely intertwined with perpetual data evaluation and stewardship initiatives. New data is constantly flowing into the organization. A comprehensive data privacy program will have methods to remediate or protect the data at the technical level and assess new data as it flows in and assign proper categorization and classifications.” [7]
A personal data protection solution is Privacy-Grade™ when it can automatically:
- Search every location where data resides
- Find every data type defined as personal, sensitive personal, or intellectual property
- Classify for context and risk
- Apply appropriate cures and controls
By supporting these critical requirements, the data protection solution meets the three “must-have” standards for Privacy-Grade protection, which include:
- Accurate discovery of any data, anywhere
- Purposeful classification of data based on purpose, process, and preferences
- Real-time remediation or response for handling vulnerable data
Let’s examine each “must-have” capability and how it contributes to the high-quality standard of Privacy-Grade data protection.
Must Have 1: Accurate Privacy-Grade Discovery
When it comes to protecting what matters most—your organization’s personal, sensitive, and regulated data—accuracy is everything. After all, you cannot secure what you cannot find. Privacy-Grade discovery describes a set of technologies used to accurately discover personal information anywhere. It also describes the inspection techniques used to apply a policy dynamically and to persistently tag, classify, relocate, and apply third-party enterprise protections to personal data.
Four essential Privacy-Grade Discovery capabilities include:
- Ability to discover personal information in unstructured objects (files), structured objects (relational databases), data stores (file server, cloud storage, object storage, etc.), as well as endpoints (via a host agent that runs locally).
- Advanced personal data detection using various techniques—from branching algorithms and vector analysis to supervised/unsupervised learning, regression analysis, and keyword matching.
- Advanced identity association to create associations between discovered data elements and their associated persons and identities.
- Techniques to reduce false positives, such as proximity rules. These are valued by larger organizations that have complex data ecosystems.
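As an added illustration of the proximity rules mentioned in the list above (example code written for this article, not Spirion's implementation), the sketch below flags an SSN-shaped value only when a context keyword appears within a fixed character window. The keyword list, the 40-character window, and the sample records are assumptions constructed for the example.

```python
import re

# Candidate pattern: digits laid out like a US Social Security number.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Context keywords; the list and the window size are assumptions for this example.
KEYWORDS = re.compile(r"\b(ssn|social security|taxpayer id)\b", re.IGNORECASE)
PROXIMITY_CHARS = 40


def structurally_valid(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def find_ssns(record, use_proximity=True):
    """Return masked findings for one record (a line, cell, or field)."""
    findings = []
    for m in SSN_RE.finditer(record):
        if not structurally_valid(*m.groups()):
            continue
        lo = max(0, m.start() - PROXIMITY_CHARS)
        window = record[lo:m.end() + PROXIMITY_CHARS]
        if use_proximity and not KEYWORDS.search(window):
            continue  # pattern matched, but nothing nearby says it is an SSN
        findings.append("***-**-" + m.group(3))  # never log the raw value
    return findings


# Constructed sample records, not real data.
RECORDS = [
    "Employee SSN: 123-45-6789 on file.",
    "Part number 431-22-8810 ships Tuesday.",
    "Ticket 000-12-3456 closed; social security data not collected.",
    "SSN policy reminder: do not email identifiers. Order ref 512-33-9021",
]


def scan(records, use_proximity=True):
    """Map record index to its masked findings, skipping clean records."""
    return {i: hits for i, r in enumerate(records)
            if (hits := find_ssns(r, use_proximity))}


if __name__ == "__main__":
    print("pattern only  :", scan(RECORDS, use_proximity=False))
    print("with proximity:", scan(RECORDS, use_proximity=True))
```

Pattern matching alone reports three of the four records; the proximity rule keeps only the one where the keyword sits next to the value, and the last record shows that a keyword elsewhere in the same record does not count once it falls outside the window.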
Must Have 2: Purposeful Privacy-Grade Classification
To effectively use and protect the discovered data, organizations must identify, classify, and tag each piece of data. Privacy-Grade classification technologies and techniques apply purposeful labels based on how data is collected, the associated purpose of the data collection, and the related data subject’s preferences.
Three essential Privacy-Grade Classification capabilities include:
- Process-based data classification labels (such as HR records, PII for order processing, etc.).
- Purpose-based data classification labels identify data that can be used (or not used) for various activities.
- Preference-based data classification labels can restrict access to third-party apps and conform to portability restrictions.
Must Have 3: Real-Time Privacy-Grade Remediation
Remediation solutions enable an organization to securely process personal data, including collection, retention, logging, generation, transformation, use, disclosure, sharing, and personal data disposal. Privacy-Grade Risk remediation technologies and techniques support the risk-based mitigation, transfer/sharing, avoidance, or acceptance of risk associated with vulnerable data in real time.
Four essential Privacy-Grade remediation capabilities include:
- Secure data erasure methods applied to the original location.
- Secure data relocation and containment via secure transmission methods, which support quarantining files to a highly secure location, encrypting data at rest and in use, and using micro-segmentation to isolate workloads with personal data from one another and individually.
- Data anonymization and pseudonymization to remove identifiers that connect an individual to stored data using a variety of techniques, such as data masking by hiding data with altered values, homomorphic encryption to hide data with computer-generated ciphertext, and pseudonymization to replace private identifiers with fake identifiers or pseudonyms.
- Synthetic data and differential privacy, which algorithmically manufacture data so that it has no connection to real data. A differentially private process is guaranteed to never attribute anything to a specific member of the original dataset. Instead, it only reveals information that is broadly knowable about a dataset.
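To make the difference between data masking and pseudonymization in the list above concrete, here is an added example (not Spirion's code). It assumes keyed HMAC-SHA256 as the pseudonymization method, which is one common choice rather than something the article specifies; the key, helper names, and sample rows are constructed for the illustration.

```python
import hashlib
import hmac

# Assumption: in production the key comes from a KMS or secrets manager and is
# stored apart from the pseudonymized data. This value is a constructed demo key.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def pseudonymize(identifier, key=PSEUDONYM_KEY):
    """Replace an identifier with a stable keyed token (HMAC-SHA256, truncated)."""
    norm = identifier.strip().lower().encode("utf-8")
    return "p_" + hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def mask_email(email):
    """Data masking: keep the first character and the domain, hide the rest."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain


def unkeyed_hash(identifier):
    """Plain SHA-256, shown only to contrast with the keyed version."""
    norm = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(norm).hexdigest()[:16]


def guessable(token, candidates, tokenizer):
    """True if someone without the key can match the token from a guess list."""
    return any(tokenizer(c) == token for c in candidates)


# Constructed sample rows, not real data.
HR_ROWS = [{"email": "Ana.Silva@example.com", "dept": "Finance"}]
ORDER_ROWS = [{"email": "ana.silva@example.com", "total": 42.50}]


def pseudonymize_rows(rows, key=PSEUDONYM_KEY):
    """Return copies of the rows with the email replaced by its pseudonym."""
    return [{**r, "email": pseudonymize(r["email"], key)} for r in rows]
```

The pseudonym stays identical across the two tables, so joins still work without exposing the address, while an unkeyed hash of the same value can be matched by anyone holding a list of candidate addresses.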
SOURCES:
1, 2, 4, 5, 7: Deliver Effective Sensitive Data Protection with Three Must-Have Standards, 451 Research and Spirion, March 2021
3: Voice of the Enterprise: Data & Analytics, Data Management & Analytics Study, 451 Research, 2H 2020
6: The National Institute of Standards and Technology NIST Privacy Framework