We've talked about
building a culture, why it
applies to all data environments, and some specific
types of data protection features you should be considering. Today, we'll be considering the culture of protection the actual owners of the data (customers, employees, vendors, financial partners, etc.) expect from your stewardship of their data.
Data owners expect you will:
- Know what data you collect
- Know the purpose for which you collected it
- Tell them the purposes for which you collected the data
- Be appropriately transparent about data uses and protection
- Use skilled data professionals to architect and design data protection features
- Document those purposes so that future users can understand
- Honor the purposes for which you collected it and not exceed those reasons
- Categorize the data for its sensitivity and compliance requirements
- Document those categorizations
- Track data changes
- Audit data changes
- Version reference data
- Use strong data governance practices throughout
- Protect non-production environments just as well as production environments
- Prioritize data defect fixes
- Make the metadata that describes the data easily available to all users of the data
- Know the sources and provenance of data used to enhance their data
- Secure the data as close as possible to the data at rest so that all access, via any means, provides the most security
- Mask the data where needed so that unintentionally disclosure is mitigated
- Back up the data so that it's there for the customer's use
- Secure your backups so that it's not there for bad actors to use
- Limit access to data to just those who have a need to know, know it
- Immediately remove access to their data when staff leaves
- Do background checks, where allowed, on staff accessing data
- Test users of data regularly on good data hygiene practices
- Ensure data quality so that processes provide the right outcomes
- Ensure applications and other transformations are done correctly
- Ensure applications and other transformation do not unintentionally apply biases to outcomes of using their data
- Provide data owners access to review their data
- Provide data owners the ability to request corrections to their data
- Provide data owners the ability to have their data removed from your systems
- Monitor third-party data processors for compliance with your data security requirements
- Secure the data throughout the processing stream
- Secure the data even when it is printed or published
- Secure data even on mobile devices
- Use strong authentication methods and tools
- Monitor export and transfer of data outside its normal storage locations
- Train IT and business users on security and privacy methods and tools
- Protect user systems from bad actors
- Monitor uses of sensitive data
- Monitor systems for exploits, intrusion attempts, and other security risks
- Securely dispose of storage hardware so that data is protected
- Securely remove data when its lifecycle comes to an end
- Accurately report data mis-uses and breaches
- Treat their data as well as you'd protect your own
And after all that:
- Actively steward the data, metadata, and data governance processes as business and compliance requirements change
Sound overwhelming? It should. We need to think of data as its own product, with a product manager, data models, metadata repository, a business user portal about the data products, and all the process that we put in place to protect code. Reread the list, changing the word
data to
code. We do most of this already for applications and other code. We should, at the very least, provide the same sort of process for data.
Your customer might not know they need all those things, but they sure expect them.