While the CIPT training here at the Data Protection Congress in Brussels, Belgium, covered a lot of ground, it was interesting to see the attendees band together over what is perhaps one of the thorniest operational issues in privacy: data classification.
As soon as that term hit the screen, hands shot up, and instant empathy ensued:
“I’ve had so many long meetings arguing with our IT staff about that!” said one attendee.
“Ugh. It’s impossible!” lamented another.
What’s the problem? If you’re a privacy professional, you probably know the discussion by heart.
Of course, all of the IT professionals out there want to abide by ISO 27001 and general best practices: inventory their data, classify the data that is most important to the organization or most sensitive, and work to protect that data first.
So, they come to the privacy pro, looking for a simple explanation of which data is personal data so they can fill out their matrix.
“I tell them, it depends on how it’s being used,” said one voice from the audience. “It depends on the context.”
How does a privacy pro explain to an IT pro that data’s sensitivity needs to be determined on a case-by-case basis? Sometimes occupation and postal code in combination will not be sensitive. Sometimes that person will be the only gastroenterologist in town and be easily identifiable.
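The "only gastroenterologist in town" problem can be made concrete for an IT team with a small check rather than a case-by-case argument. The following is an added example, not code from the original post or from either trainer: it takes a constructed set of records, counts how many records share each combination of candidate quasi-identifier fields (the equivalence-class size, "k", as in k-anonymity), and flags any combination that singles out fewer than a chosen threshold of people. The field names, the records and the threshold are assumptions made for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records for illustration only; these are not real people.
RECORDS = [
    {"id": 1, "occupation": "nurse", "postal_code": "1000"},
    {"id": 2, "occupation": "nurse", "postal_code": "1000"},
    {"id": 3, "occupation": "teacher", "postal_code": "1000"},
    {"id": 4, "occupation": "teacher", "postal_code": "1000"},
    {"id": 5, "occupation": "gastroenterologist", "postal_code": "1000"},
    {"id": 6, "occupation": "gastroenterologist", "postal_code": "2000"},
    {"id": 7, "occupation": "nurse", "postal_code": "2000"},
    {"id": 8, "occupation": "nurse", "postal_code": "2000"},
    {"id": 9, "occupation": "teacher", "postal_code": "2000"},
    {"id": 10, "occupation": "teacher", "postal_code": "2000"},
]


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of the given field values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def min_k(records, quasi_identifiers):
    """Smallest equivalence class: the number of people the most exposed record
    is hidden among when only these fields are known."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def flag_identifying_combinations(records, candidate_fields, k=2):
    """For every non-empty subset of candidate fields, list the value
    combinations that match fewer than k records (k is an assumed threshold)."""
    findings = {}
    for n in range(1, len(candidate_fields) + 1):
        for combo in combinations(candidate_fields, n):
            classes = equivalence_classes(records, combo)
            findings[combo] = [key for key, count in classes.items() if count < k]
    return findings


def classify_dataset(records, candidate_fields, k=2):
    """Context-dependent label for the dataset as a whole: 'restricted' if any
    combination of the candidate fields singles someone out, else 'internal'.
    The label names are assumptions for this example."""
    findings = flag_identifying_combinations(records, candidate_fields, k)
    return "restricted" if any(findings.values()) else "internal"


if __name__ == "__main__":
    fields = ("occupation", "postal_code")
    for combo, risky in flag_identifying_combinations(RECORDS, fields).items():
        print(combo, "min k =", min_k(RECORDS, combo), "flagged:", risky)
    print("classification:", classify_dataset(RECORDS, fields))
```

Run on the constructed records, neither occupation nor postal code alone identifies anyone (every value is shared by at least two records), but the pair does: each gastroenterologist is the only one in their postal code, so the dataset as a whole gets the stricter label. Rerunning the check whenever records, fields or the threshold change is the operational form of the "always be reevaluating" advice in the post.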
“You have to explain that we need to always be reevaluating the existing assets and the existing threats,” said Ernst-Oliver Wilhelm, CIPP/E, CIPM, CPO at GFT Technologies AG, who co-led the training with KPMG Senior Manager Mark Thompson, CIPP/E, CIPM, CIPT. “And, at the same time, constantly be reevaluating what is considered the most valuable or the vulnerable data.”
That’s a tough answer for many organizations to operationalize. Who has time for that? Further, noted Thompson, “many organizations have data in many places because of acquisitions, mergers or any number of other factors. For most companies, just finding all the data is really hard, let alone classifying it.”
That can be a frightening prospect with a looming data protection regulation that would require companies to produce a full data inventory.
For now, Thompson said it’s possible to look to jurisdictions like Spain and Switzerland, where data inventory requirements exist.
“Has a lack of filings been enforced? Yes, it has,” said Thompson. “But I’m not personally aware of any regulators taking action because of lack of inventory … If you’ve done your filings, they’ll have transparency.”
That may be comforting for now, but it’s clear this is a looming problem for many organizations. Best to be working now with the IT team to get your data classification house in order.
Or at least tidy things up a bit.