17th May, 2022

Data Protection 101: An overview for decision makers

Data protection is all about making sure key information is held safe from potential loss – whether that’s as a result of natural or man-made disaster.

The idea of protecting data isn’t new. From when we first started storing important documents in physical safes, to the digital systems used today – guaranteeing key information is safe and secure has always been a cornerstone of business best practice.

While the phrase ‘data protection’ is getting thrown around a lot these days, it’s important to understand what it specifically relates to, along with the associated best practices for organisations to follow when it comes to protecting sensitive information.

What is data protection?

Data protection is the process by which a business’s data is kept safe from the possibility of loss. What that information looks like, and how it is protected, differs between organisations.

For example, larger corporations may engage a qualified Data Protection Officer who determines what info is in need of protection, and then creates a set of policies to ensure that the data is held safely, and, in the case of any issues, understands how to recover it correctly.

In other cases, a business may outsource its data protection requirements as part of a general data security strategy.

Protection vs privacy vs security: What’s the difference?

The main difference between data protection as opposed to privacy and security is that protection is all about the steps a company takes to avoid losing any potentially important or sensitive information as a result of disaster, accident or other form of compromise.

This is quite different from data privacy and security, as detailed below.

Data privacy

Data privacy is a phrase that covers regulations around the pieces of data a company can share with third parties.

Privacy is generally achieved in two ways – the first is by allowing only the correct people to access sensitive data, and the second is the implementation of mechanisms that stop unauthorised persons being able to access this data.

Data security

Hand in hand with data privacy is data security. These are the defence systems that businesses put in place to prevent sensitive information being accessed by internal and external threats, whether malicious or accidental.

As a result, security usually focuses on the systems that protect a business from external attacks and cyber crimes.

Why data protection is important

According to a recent study by Ponemon Institute, Australian companies pay an average of $139 per compromised record, which can be disastrous if you lose a month’s or even a day’s worth of data. And that’s not even including the productivity loss, non-compliance penalties, and loss of customer trust.

To help avoid this, there are five commonly used data protection methods, set out below, that will help most businesses keep their own data secure and stay compliant with the privacy laws that apply to the data they hold on their clients.

Data protection best practices

With the huge amount of data businesses collect each day, understanding what data there is to protect is the first step.

Businesses must understand what data is considered essential or sensitive and then categorise that data into low risk and high risk before enacting a protection plan.

“There are two axes upon which your risk assessment should be based: the potential severity in case of a data breach and the probability of a breach. The higher the risk on each of these axes, the more sensitive the data is. These assessments will often require the assistance of a data protection officer (privacy officer) who will help you establish valid ground rules. Avoid doing it on your own unless you are absolutely certain you know what you are doing. Mischaracterized data, if lost, could prove disastrous.” – GDPRInformer

Once you’ve undertaken some kind of prioritisation of your data, next you’ll need to come up with a plan that encompasses the following five best practices for data protection.

1. Access control: Who can view and edit your data?

Access control is one of the easiest, yet most efficient risk reduction methods when it comes to the protection of data. Not only does limiting access to essential people only reduce the risk of data being leaked, but it also reduces the risk of data being lost or damaged due to user error.

The Entrust 2021 Australia Encryption Trends study, conducted by the Ponemon Institute, found that almost two-thirds of Australian respondents believe that employee errors are the main threat to sensitive data. Ensuring that access to sensitive data is regulated, and only given to employees with valid reasons to access it, lessens a company’s risk of data breach or loss.

2. Take backups to create redundancy

Regular backups are a great way to prevent data loss that happens due to user error or technical malfunction. Having a regular backup system is essential, and those backups should be stored in a safe place.

Empower IT Solutions recommends using a 3-2-1 method, which means ‘for every file you create, you must have at least three copies. Two copies should be stored locally, and one stored remotely. For example, you can have a setup where files are stored in an onsite server, USB drive, and the private cloud.’

3. Always encrypt data

As well as being backed up, high-risk data should always be encrypted. This includes encrypting it at every step of the data process including acquisition, processing, and the subsequent storage of that data.

At a glance, the Australian Cyber Security Centre (ACSC) ‘Cryptographic fundamentals’ page explains the purpose of cryptography as providing confidentiality, integrity, authentication, and non-repudiation (proof that a party performed an action, so that they cannot later deny it) of data.

By following the ACSC’s encryption guidelines, businesses can make data unreadable to all but authorised entities, protect data from accidental or deliberate manipulation, provide authentication methods to ensure that a user is who they claim to be, and provide proof that a given user performed a particular action.

4. Develop data destruction protocols

While holding onto data is important, there are also going to be times where data will need to be destroyed. In fact, under many data privacy guidelines, there is a requirement for companies to regularly delete data that they no longer need. This relates to both physical and digital records.

The GDPRInformer notes that ‘hard disks are most often destroyed using degaussing, whereas paper documents, CDs and tape drives are shredded into tiny pieces. On-site data destruction is recommended for sensitive data. Encrypted data can easily be deleted simply by destroying the decryption keys, guaranteeing the data will be unreadable… for at least the next few decades, after which it will likely become obsolete anyway’.

5. Become familiar with ‘pseudonymisation’

The technique isn’t new, but the word pseudonymisation has gained traction since it was written into the EU’s GDPR, whose requirements also apply to many businesses in Australia that offer goods and services to, or monitor the behaviour of, individuals in the EU.

Trust Hub explains that pseudonymisation is the umbrella term for procedures that strip identifying information (direct identifiers) from personal data.

Often data masking or hashing technologies are implemented to conduct the pseudonymisation process. In both cases, an algorithm is used to transform the identifiers into pseudonymised codes. A tool, such as a mapping table, would then be used to match data points between datasets and decipher items of meaningless code back into personal identifiers if and when necessary – for example, transforming ‘C5674’ into the name ‘Tom Jones’.
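The following is an added example, not code from the original article or from Trust Hub, showing the mapping-table approach just described: direct identifiers are replaced with codes produced by a keyed hash (a plain, unkeyed hash of a name or email can be reversed by hashing guesses, so the key is what keeps the code meaningless), the mapping table is kept separately, and a record is only turned back into names when there is a reason to. The records, the key and the code format are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample records (not real people).
RECORDS = [
    {"name": "Tom Jones", "email": "tom@example.com", "purchase": 42.50},
    {"name": "Ada Lovelace", "email": "ada@example.com", "purchase": 17.00},
    {"name": "Tom Jones", "email": "tom@example.com", "purchase": 8.25},
]
DIRECT_IDENTIFIERS = ("name", "email")  # fields that identify a person directly


def pseudonym(secret_key: bytes, identifier: str) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    The same identifier always yields the same code under the same key, so
    records about one person can still be matched across datasets, while
    anyone without the key cannot recover or guess the identifier from it.
    """
    digest = hmac.new(secret_key, identifier.encode("utf-8"), hashlib.sha256)
    return "C" + digest.hexdigest()[:8]  # short code in the style of 'C5674'


def pseudonymise(records, secret_key: bytes):
    """Return (pseudonymised records, mapping table).

    The mapping table is the only route back to the identifiers and must be
    stored apart from the pseudonymised dataset, under stricter access control.
    """
    mapping = {}
    out = []
    for rec in records:
        new_rec = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            code = pseudonym(secret_key, rec[field])
            mapping[code] = rec[field]
            new_rec[field] = code
        out.append(new_rec)
    return out, mapping


def reidentify(record, mapping):
    """Decipher a pseudonymised record using the mapping table.

    Codes that are not in the table are left as they are rather than guessed.
    """
    return {k: mapping.get(v, v) if k in DIRECT_IDENTIFIERS else v
            for k, v in record.items()}
```

The analytics team can work on the output of pseudonymise without ever seeing the mapping table; only the small group entitled to re-identify records needs it.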

Data protection: A key hygiene factor for any digitised business

While most businesses automatically understand that safe working practices are encouraged in all aspects of business, from health and safety through to employee wellbeing, many forget that the same concept should apply to their data.

By managing, organising, and enforcing protocols when it comes to handling data, be that sensitive information or otherwise, you’ll build a company that automatically follows best practices when it comes to managing, storing and protecting its valuable information.

Your employee, customer and financial information is the backbone that makes up any modern, future-focused business and so should never be a second thought.

Ongoing investment in assurance practices ensures MYOB remains compliant with security standards and regulations. To learn more about compliance and privacy in MYOB products, head over to the Trust Centre.