Do you know where your data is hiding? If you don’t, it can easily become a target for hackers and cybercriminals. Additionally, it can open you up to liabilities under consumer data protection laws if the data is misused, mishandled, or not deleted after the correct retention time.
Taking a detailed audit of what data you collect, where you store it, and where it’s going can help you to improve your security and protect your business.
What data do we collect?
The first question to ask in a data audit is what data do we collect and from whom? You may collect personal data from a number of different individuals, including:
- Customers
- Employees
- Vendors
- Potential customers/prospects
You likely collect different types of data for different purposes. This could include:
- Names
- Phone numbers
- Email addresses
- Shipping and billing addresses
- Payment card information
- Social security numbers/ID numbers
- Banking information
As you can imagine, not all of this data represents the same risk level if it were to get out. So having a clear picture of what types of data you collect — as well as the reasons for collecting it — can help you understand how to better protect that data.
How do we store data?
Next, you’ll want to identify all of the locations where this data could potentially be stored. This could include:
- Email system
- File servers
- Document/workflow management systems
- Hard copies/paper files
- Internal databases
- Cloud services
It’s a good idea to audit all of the cloud-based services used by your company to confirm how much data is being stored in them. For example, if you use a workflow tool like Trello or a communications platform like Slack, do your employees routinely share sensitive data through those channels? While it may be convenient to share information through these systems, everyone needs to be careful about how much and what type of data they are routinely posting — and how it is cleaned up.
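One way to check whether sensitive data is piling up in a chat or workflow tool is to run an export of its messages through a small scanner that looks for payment card numbers and SSN-shaped identifiers and reports them redacted, per channel. The script below is an added example, not code from the original article or from CyberCrunch; the message export format, channel names and all sample values are constructed for illustration, and the Luhn check is used to discard number strings (order references, tracking numbers) that merely look like cards.

```python
import re
from dataclasses import dataclass

# Constructed sample export from a chat/workflow tool; none of this is real data.
SAMPLE_MESSAGES = [
    {"channel": "#support", "user": "alice",
     "text": "Customer's card is 4111 1111 1111 1111, exp 12/26, please refund"},
    {"channel": "#support", "user": "bob",
     "text": "Order ref 1234-5678-9012-3456 shipped this morning"},  # card-shaped, fails Luhn
    {"channel": "#hr", "user": "carol",
     "text": "New hire SSN 123-45-6789, adding to payroll today"},
    {"channel": "#general", "user": "dave", "text": "Lunch at noon?"},
]

# Candidate patterns. The card pattern is deliberately loose (13-19 digits with optional
# spaces or dashes) and relies on the Luhn check below to drop false positives.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    channel: str
    user: str
    kind: str      # "payment_card" or "ssn"
    redacted: str  # only the last four digits survive in the audit report


def redact(value: str) -> str:
    """Keep the last four digits so a finding can be traced without re-exposing the value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_messages(messages) -> list:
    """Flag messages that carry payment card numbers or SSN-shaped identifiers."""
    findings = []
    for msg in messages:
        text = msg["text"]
        for m in CARD_CANDIDATE_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(msg["channel"], msg["user"], "payment_card", redact(digits)))
        for m in SSN_RE.finditer(text):
            findings.append(Finding(msg["channel"], msg["user"], "ssn", redact(m.group())))
    return findings


def findings_by_channel(findings) -> dict:
    """Count findings per channel so the audit shows which channels carry the most exposure."""
    counts = {}
    for f in findings:
        counts[f.channel] = counts.get(f.channel, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_messages(SAMPLE_MESSAGES)
    for f in hits:
        print(f"{f.channel} {f.user}: {f.kind} {f.redacted}")
    print(findings_by_channel(hits))
```

Run against a real export, the per-channel counts tell you which tools and channels need a clean-up and a reminder about what may be posted there; the redacted report can be shared with channel owners without copying the sensitive values into yet another system.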
What happens to our data?
The third area to examine in a data audit is data disposition — what happens to our data when we don’t need it any longer?
For example, do you need the address of every customer who has ever placed an order with you? Or can that data be retired after a number of years?
New data privacy laws like the GDPR specify a period of time after which data must be deleted. You can specify your own time limits through a data retention policy. After the retention period has expired, the data should be deleted.
You should make sure retention policies are applied to every system that stores data, and that you conduct periodic audits on these systems to make sure that these policies are being followed. In doing so, you’ll limit the risk of storing too much data and the liabilities that come with it.
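The retention check described in the last two paragraphs (a retention period per category of data, applied across every system, verified by periodic audit) can be turned into a repeatable script. The example below is added here and is not the article's or CyberCrunch's own tooling; the retention periods, system names and inventory rows are constructed placeholders, and in practice the inventory would be pulled from each system's export rather than typed in. It reports expired records per system and, separately, any system that holds data but has never had the policy applied to it.

```python
from datetime import date

# Retention policy: data category -> maximum age in days. Constructed values for the
# example; real periods come from your own retention policy and legal review.
RETENTION_DAYS = {
    "prospect_contact": 365,    # leads that never converted
    "customer_order": 7 * 365,  # order history kept for accounting
    "applicant_record": 180,    # unsuccessful job applicants
}

# Systems where the retention policy has actually been configured (constructed).
SYSTEMS_UNDER_POLICY = {"crm", "orders", "hr"}

# Fixed audit date so the report is reproducible; use date.today() in a scheduled run.
AUDIT_DATE = date(2024, 1, 15)

# Constructed inventory: one row per stored record, gathered from each system.
INVENTORY = [
    {"system": "crm", "record_id": "lead-001", "category": "prospect_contact", "created": date(2022, 6, 1)},
    {"system": "crm", "record_id": "lead-002", "category": "prospect_contact", "created": date(2023, 9, 1)},
    {"system": "orders", "record_id": "ord-100", "category": "customer_order", "created": date(2015, 5, 20)},
    {"system": "orders", "record_id": "ord-101", "category": "customer_order", "created": date(2020, 1, 1)},
    {"system": "hr", "record_id": "app-7", "category": "applicant_record", "created": date(2023, 5, 1)},
    {"system": "file_share", "record_id": "scan-42", "category": "scanned_form", "created": date(2016, 2, 2)},
]


def retention_status(record, today):
    """Classify one record as 'active', 'expired' or 'unclassified' (no policy for its category).
    Returns (status, days_past_retention); days_past_retention is 0 unless expired."""
    limit = RETENTION_DAYS.get(record["category"])
    if limit is None:
        return "unclassified", 0
    age = (today - record["created"]).days
    if age > limit:
        return "expired", age - limit
    return "active", 0


def audit_inventory(inventory, today):
    """Build a per-system report of expired and unclassified records, plus the list of
    systems holding data that the retention policy has never been applied to."""
    report = {}
    for rec in inventory:
        entry = report.setdefault(rec["system"], {"expired": [], "unclassified": [], "active": 0})
        status, over = retention_status(rec, today)
        if status == "expired":
            entry["expired"].append((rec["record_id"], over))
        elif status == "unclassified":
            entry["unclassified"].append(rec["record_id"])
        else:
            entry["active"] += 1
    systems_seen = set(report)
    return {
        "systems": report,
        "systems_without_policy": sorted(systems_seen - SYSTEMS_UNDER_POLICY),
    }


if __name__ == "__main__":
    result = audit_inventory(INVENTORY, AUDIT_DATE)
    for system, entry in result["systems"].items():
        print(f"{system}: {entry['active']} active, {len(entry['expired'])} expired, "
              f"{len(entry['unclassified'])} unclassified")
        for rid, over in entry["expired"]:
            print(f"  delete {rid} ({over} days past retention)")
    print("systems with data but no retention policy applied:", result["systems_without_policy"])
```

Two things the report surfaces that a manual spot check tends to miss: records whose category has no retention period at all (they can never expire, so the policy silently does not cover them), and whole systems, such as an ad-hoc file share, that were never brought under the policy in the first place.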
You should also ensure that any data leaving your company is handled properly. Both paper files and computer equipment can contain sensitive information that could fall into the wrong hands if not disposed of properly. You can limit that risk by partnering with a trusted data destruction company like CyberCrunch.
Our NAID AAA certified data destruction processes ensure that your sensitive data is destroyed and your company is protected.