Now that GDPR is live, how confident are you that you really have a handle on where all of your data is stored? Understanding what data you have and where it is stored is vital to maintaining compliance. It will also help you manage an evolving, balanced and detailed information management policy for your business.
Assess what you have
If you haven’t already done so, you need to understand what data assets your organisation has stored. This will enable you to keep a detailed view on the types of data being created within your business. Most organisations have a variety of applications and solutions in place. These systems can be varied as organisations adopt cloud solutions in addition to or in place of traditional on-premise solutions.
To keep things simple, create a list of the applications in use within your organisation and note whether these are on-premise or cloud hosted. Don’t forget to include legacy applications, as some businesses lose track of these. This list will be the start of a more detailed view of the data assets you hold.
Where is your data stored and who has access to it?
Identifying your business applications and solutions is just the starting point. Don’t forget to document where the data generated is stored: You can’t control it if you don’t have a handle on where it is.
Is it held locally? Find out its exact location and who has access to it. The importance of knowing your data is often overlooked; businesses often don’t realise they have information duplicated many times over and can lose control of who has access.
Does your business use cloud-hosted services? If so, where is the data generated stored? Understanding your cloud services is an essential part of your information management process. Cloud services and the way data is stored and accessed can vary depending on your provider. For example, many hosted desktop providers outsource their systems and storage to third-party businesses, often without the consent and understanding of the customer. If you do not know where your data ultimately resides, how can you make sure you are compliant? This data could be held outside of your geographical region, meaning you fall foul of your compliance responsibilities. It is therefore important to understand where this data is and who has access.
Manage your data
Once you have a detailed overview of your data assets, an ongoing process of information management is required to keep track of systems and services.
If data is moved or changed, or a new application is adopted, it is important to update your internal documentation to reflect these changes. Any data that is taken offsite and stored on local devices should always (where feasible) be encrypted. This will help protect the organisation in case of loss or theft and is best practice.
For cloud-based solutions, ask your service provider about the measures they have in place to secure your data and assets. If your cloud service provider offers service failover or disaster recovery, check where your data will be housed. You may be exposed if the failover is located in a region where compliance would be compromised. If your location is the UK, most core Office 365 services store customer data at rest across 3 sites in the UK. It is important to know, however, that some cloud services store data in different locations such as the US.
Whether you have local or cloud-based solutions, the same principles should apply. Standardise processes to remove old data. Check your backup process. Test and continually update business continuity and disaster recovery plans: you never know when you may need them…
Information management is an important aspect of your overall data and information security strategy. Knowing your systems and data can help protect them from being lost or stolen. Good policies and processes are key, but having a reliable IT service partner to help manage this process is also crucial. For more information on how Orca’s strategic IT services or hosted desktop solutions can help, please contact us.