Cybersecurity For Small Businesses Tip #3 – Sort It Out (Organize & Centralize)

Sort It Out (Organize & Centralize)

This is the third in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws recognize that individuals have certain rights in data that organizations collect from them.  Compliance with such laws often requires the ability to respond quickly to requests to exercise privacy rights like the right to access and correct personal information, the right to have personal information deleted, and the right to limit usage of personal information.  Yesterday, we saw how data mapping facilitates regulatory compliance.  Today, we look at a related best practice: centralizing and organizing your data.

Data can live in many places within an organization.  Structuring your information systems –specifically, your data storage systems – to fit your business and compliance needs will help you exert control over your data.  The amount of control you have over your data affects your ability to handle the data to meet specific objectives.

Consider this scenario.  You’re a startup and you realize that encrypting personal data of customers would be a good idea (maybe you read our post about the value of encryption).  However, customer data is stored haphazardly throughout your organization.  Customer data mainly sits on your main server and your CRM vendor’s cloud server, but it’s also stored on local backup storage media and on laptops and mobile devices owned by your executives and a few key employees.  Customer data is also stored in different formats, including in your CRM vendor’s proprietary database and in spreadsheets.  Wouldn’t the encryption program be easier to implement if the customer data lived in only one or two databases?  Having an organized and streamlined data structure lays the foundation for executing information governance policies.

Here’s another hypothetical scenario.  A customer submits a request to access the personal data  your business has collected about him because he wants to verify that your records accurately capture his middle initial.  The difficulty of responding to this request depends on the organization and complexity of your database and storage systems. 

Certain privacy laws set deadlines on responding to requests to exercise privacy rights.  For example, the CCPA generally gives organizations 45 days to respond to privacy requests, with one 45-day extension allowed under certain conditions.  Organizing and centralizing data enhances your ability to respond to customer privacy requests within regulatory deadlines.

Below are a few considerations for exercising control over your data:

  • Be intentional in designing the architecture of your database and storage systems.  Take into account physical considerations (e.g., proximity and accessibility of storage/database sites, ability to physical restrict access) and non-physical considerations (e.g., speed of internet connection for cloud databases, interoperability of databases with software).
  • Give thought to the hierarchy of your databases.  Will you need to look in multiple folders to find certain categories of information, or is information stored in folders or subfolders organized by category or some other methodology?
  • Consider whether your organizational structure lends itself to segregation of certain data sets from others. For example, if your business has two operating units, is the data pertaining to one unit segregated from data for the second unit? Segregation makes it easier to impose limitations on access should you need to do so.
  • Minimize the number of places where you store data except as necessary to build redundancy for backup purposes.   
  • Make your data easily searchable.  There are various ways to do this, ranging in sophistication from adopting file-naming conventions to deploying document processing software with artificial intelligence technology.
  • Develop and enforce information governance policies such as restrictions on off-site data storage.