CIOReview
JULY 2021

IN MY OPINION

IT'S ALL ABOUT THE DATA...

By Leon Ravenna, Chief Information Security Officer, KAR Global

It often starts with the sales and marketing folks. You build a public-facing, web-based application and collect visitor information (name, address, phone number, etc.). Then you get requests from marketing to capture email contacts, demographics and user activity information. You don't really know why they want this info or what they plan to do with it, but it's easy enough to collect and they assure you there's a sound business purpose. After all, the more information you put in your data lake, the better.

Historically, this kind of data collection hasn't been a significant problem in the United States. Most companies were able to focus data protection efforts such as encryption on SSNs and credit card numbers. However, in light of recent laws, including GDPR, LGPD and CCPA (along with a growing number of additional privacy and data security laws being enacted at the state level), you need to honestly answer some questions:

· What data do you have?
· How is the data being used?
· Which partners do you share data with or sell data to?
· How long are you retaining the data?
· Do you have consent of the customer/consumer to retain the data?
· If requested, could you identify, modify or delete specific customer/consumer data?

The data landscape is becoming ever more complicated to navigate. Something that once seemed simple is growing to be the monster under the bed--and there's good reason for concern. Imagine sitting on the witness stand having to explain the reasons (or lack thereof) for having vast amounts of arbitrary data after a breach. Managing vast amounts of data, arbitrary or not, isn't easy, and it's remarkably tedious. If the job were easy, and the lines of engagement were clear, we wouldn't be subject to growing regulation.

Software tools are available to aid in data discovery and classification of databases and data flow. But until you get to a point of solid data discovery and classification, consider taking the following manual steps to get started:

1. Talk to your product owners/developers about what data exists, where it is stored, why and for how long.
2. Review your application's input screen to verify that the type of information being requested is the minimum necessary. Effectively, don't collect