What is a Data Protection Plan? And 5 Requirements For an Effective Policy

A data protection plan sets out what a business needs to do to keep its information safe and secure. Here we explain what a data protection plan is, the key elements required, and how it fits in with your international expansion goals. 

Key Takeaways

1. Data might sound like an overused buzzword these days, but it is important not to underestimate its high value. 

2. Many organizations now have people in C- or other executive-level positions whose entire role involves the management and protection of data to deliver business value. 

3. Most countries now have data protection laws and international agreements—e.g., the EU General Data Protection Regulation (GDPR)—which carry significant financial (and potentially criminal) penalties for breaching them. 

4. If you are considering an international expansion, building a data protection plan that is specific to the jurisdiction where you plan to operate is a must.

The Role of Data in the Modern Organization

As technologies continue to evolve and the world becomes more effective, data, especially customer personal data, is becoming increasingly valuable. It is so valuable, in fact, that it was described by The Economist in 2017 as the world’s most valuable commodity, ahead of oil.

It should be seen as no coincidence then that more and more organizations are bringing in people at C-level to oversee the processing and protection of their data. Known as CIOs (Chief Information Officers), these people are under mounting pressure to see that not only is the organization compliant with its data processing and protection obligations but that it is effectively used to deliver business value, too. 

However, to achieve this goal and deliver business value with data, it is important that organizations are thoroughly and compliantly managing and protecting it.

Developing a data protection plan, alongside other key documents such as Data Processing Agreements (DPAs), is a crucial part of compliance with data protection laws and regulations. Knowing how to convert Word to PDF so that the file can be provided in the right format is one of the priorities as well. For businesses in the European Union, or doing business with customers based there, this means complying with the General Data Protection Regulation (GDPR). But it is also a requirement in various other jurisdictions such as California (under the California Consumer Privacy Act or ‘CCPA’) and Brazil (where it is known as the ‘LGPD’). China’s PIPL also has similar requirements. 

To read more about Brazil’s new data protection law and how it differs from the GDPR check out What is Brazil’s LGPD? Four Differences from the GDPR.

In this article, we are going to cover the basics of data and why it is important to have a plan in place to manage and protect it. This is especially true if you are considering taking your business overseas, for example into Europe, where there are specific legal frameworks for data protection (and serious penalties for organizations that breach them). 

What is Data Management? 

If you were to ask someone what data management means, you would probably be met with a blank stare. This is because there is a general lack of understanding about what it really is. 

In short, data management is a set of disciplines—e.g., data collection, data processing, data analysis, data storage, data protection—that come together for operational and reporting uses.

While it is generally accepted that the biggest data-related issue facing organizations is that they don’t know how to use it properly or what they want to achieve with it, it’s (arguably) not the most important one: Data protection is. 

Data protection is the process of safeguarding important information from theft, corruption, loss, or other compromises. 

The importance of data protection and having a thorough data protection plan increases as the amount of data being generated, collected, and stored grows at unprecedented rates, and general tolerance for bad data management and protection—from both stakeholders and legislative authorities—continues to fall. 

What Does a Data Protection Plan Cover?

Data protection is therefore not just a legal necessity but crucial to protecting your business and maintaining its reputation. Key pieces of information that are commonly collected and stored by businesses include:

  • Dates of birth
  • Addresses and email addresses
  • Telephone numbers
  • Payment details (i.e., credit card information, PayPal addresses)
  • Information about partners or other family members
  • Health information and history
  • Social Security Numbers (U.S.) or equivalents in other countries such as National Insurance Numbers (UK).

This information can pertain to everyone from customers to your staff members, shareholders, and business clients. Protecting all this personally identifiable information (“PII”), in accordance with relevant data protection laws, requires businesses to take data protection seriously, adopt best practices, and adhere to specific principles.

Due to the way the legal situation varies between different countries and legal jurisdictions, it is impossible to create a one-size-fits-all guide for how to build your own data protection plan that is also catered to the individual needs of your organization.

What we can do, however, is talk about some of the important features and elements that go into a typical data protection plan. With this information, you can start to build an understanding of what might be required when it comes to working with an international PEO to build a plan for your own organization.

Important Elements of a Data Protection Plan

Here are five important elements of a data protection plan that you need to think about when you are building one for your organization: 

1. Understanding Your Company

Before you start building a data protection plan, you need to understand your company. What risk appetite does it have? What systems and processes do you use? What helps to drive your growth?

In addition to these more abstract questions, you also need to know:

  • What personal data or information is being collected (e.g., names and payroll numbers).
  • Where this data is being stored.
  • How your business uses this data.
  • How long you keep this data.
  • How you acquire your legal basis for processing (i.e., express or implied user consent?).
  • Agreements to Terms & Conditions for collecting and processing this personal data.

Knowing information like this will help you build an informed data protection plan that is fit for purpose and doesn’t leave anything out. 

2. Access to Data

Once you know what type of data is collected, how it is stored, etc., the next step is to closely manage who has access to it. Data privacy experts often refer to something known as the “Triple-A” approach: Authentication, Authorization, and Audit:

  • Authentication: Employees and other users need to be able to prove their identity before accessing systems that hold data. The classic example of authentication is a strong password. However, passwords can be compromised, so it is common to see secondary authentication methods like two-factor authentication, token codes, access cards, or facial recognition also being used. 
  • Authorization: Although authentication can be used to prove identity, it cannot control what a user can do with a system. This is what authorization controls are for. Authorization involves individual user roles and what they can do on a system, such as view data, edit it, delete it, copy it, export it, and view historic changes. It seeks to ensure that users only have access to the data that they need to carry out their role and can only use or manipulate it to the extent that is necessary for this purpose.
  • Audit: Employees need to be held to account for their actions on systems that hold data, and that’s precisely what audits do. Most systems will automatically keep a record of every action an employee takes, and it is a good idea to ensure that these records are periodically reviewed to make sure that employees are not doing anything out of the ordinary. In many jurisdictions, data audits are a legally mandated requirement (e.g., under the GDPR) necessary for compliance with regulations. 

3. Regular Backups

Regular data backups should form part of your data protection plan. How often these backups are carried out, however, is entirely down to the needs of your business. 

A good way to figure this one out is to ask yourself this question: If the business lost one (hour/day/week/month) of data, how would this impact it? Clearly, if one hour of data loss would cause problems, then you need to be carrying out backups at least once per hour, if not more often. 

To make this job a little easier, backups should be automated using suitable tools and systems. These backups should then be stored in a secure location that is separate from the system where your data is primarily stored in real time. Best practice says that you should keep hold of data backups for a defined period to account for any problems like corrupt or missing data, and for auditing. How long, however, depends on the needs of your business and any relevant data regulations. 

4. Updated & Secure Tools

With the constantly evolving and changing nature of online threats and the general attack surface, you also need to keep your tools, software, systems, and general IT infrastructure up to date. 

The last thing you want is an attacker being able to penetrate your systems and steal your data because a piece of software on your network had an unpatched vulnerability that was fixed several weeks ago by the developer. 

Remember that your IT infrastructure probably goes beyond the office desktop, too. Any technology used by your team for work purposes—laptops, phones, tablets, apps—should be treated in the same way as your core in-office IT network. This is especially important with the rise of remote working and the extra security headaches that this has created for organizations worldwide.

5. Employee Training

There is no point putting together a thorough data protection plan if nobody knows about it or what their responsibilities are under it.

It is vital that all employees are aware of their respective requirements not only under your organization’s data protection plan, but also under the law when they are working with personal data. Training must be delivered, and this must be thorough and accessible.

Training should also be appropriate to those receiving it and relevant to their roles. The data privacy requirements of a customer support representative, for example, will be different from those of a business analyst who has more routine access to personal data. 
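The “Triple-A” approach from element 2 (Access to Data), worked through as an added example that is not from the original article: a toy store of personal records opens a session only after two authentication factors pass, authorizes each action against a role matrix, appends every attempt (allowed or denied) to an audit log, and a periodic review flags denied attempts and unusual export volumes. The roles, users, actions and the export threshold are constructed assumptions for illustration.

```python
from collections import Counter, namedtuple

# Constructed role -> permitted-action matrix (an assumption for this example).
ROLE_PERMISSIONS = {
    "support_rep": {"view"},
    "business_analyst": {"view", "export"},
    "hr_admin": {"view", "edit", "delete", "history"},
}
# Constructed user directory (user -> role); a session exists only after authentication.
USERS = {"alice": "support_rep", "bob": "business_analyst", "carol": "hr_admin"}
EXPORT_REVIEW_THRESHOLD = 3  # more exports than this per user is "out of the ordinary"
AuditEvent = namedtuple("AuditEvent", "user action record_id allowed")

class PiiStore:
    """Toy store of personal records: every attempted action is authorized and audited."""
    def __init__(self):
        self.sessions = {}   # user -> role, populated only by a successful authenticate()
        self.audit_log = []  # append-only record of every attempt, allowed or denied

    def authenticate(self, user, password_ok, second_factor_ok):
        """Open a session only if both factors pass (the factor checks are simulated)."""
        if user in USERS and password_ok and second_factor_ok:
            self.sessions[user] = USERS[user]
            return True
        return False

    def act(self, user, action, record_id):
        """Authorize the action against the user's role, then log the attempt either way."""
        role = self.sessions.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        self.audit_log.append(AuditEvent(user, action, record_id, allowed))
        return allowed

def review_audit_log(log):
    """Periodic review: report denied attempts and unusually high export volumes."""
    findings = [f"{e.user}: denied '{e.action}' on {e.record_id}" for e in log if not e.allowed]
    exports = Counter(e.user for e in log if e.allowed and e.action == "export")
    findings += [f"{u}: {n} exports exceeds threshold {EXPORT_REVIEW_THRESHOLD}"
                 for u, n in exports.items() if n > EXPORT_REVIEW_THRESHOLD]
    return findings

def demo():
    store = PiiStore()
    store.authenticate("alice", True, True)
    store.authenticate("bob", True, True)
    store.authenticate("dave", True, False)  # not in directory, no second factor: no session
    store.act("alice", "export", "emp-001")  # beyond a support rep's role: denied, still logged
    store.act("dave", "view", "emp-002")     # unauthenticated: denied, still logged
    for i in range(4):                       # exports are in role, but 4 exceeds the threshold
        store.act("bob", "export", f"emp-00{i}")
    return review_audit_log(store.audit_log)
```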

Is a Data Protection Policy the Same as a Data Protection Plan?

In many ways, yes. Data protection policy and data protection plan are largely synonymous and have the same meaning. Other terms commonly used include ‘data protection audit plan’ and ‘data protection implementation plan’. 

That being said, some companies will have a separate data protection policy in addition to their data protection plan. If this is the case, the data protection plan will set out how the organization plans to protect its data while the data protection policy will essentially be the internal “rulebook” for how employees should behave when handling personal data. 

How a Data Protection Plan Fits in With Your International Expansion

When you are considering an international expansion—as we have already mentioned—it’s important to make sure that you have a data protection plan in place for each jurisdiction you wish to expand to. This is because every legal jurisdiction has its own unique framework and set of regulations that govern everything to do with data, especially data protection.

The biggest example is the situation in Europe and the GDPR. To ensure compliance with the GDPR, organizations need to ask themselves questions like:

  • Do we possess or process any personal data of EU residents? 
  • Do we offer goods or services to EU residents?
  • Do we transfer data relating to EU residents outside of the EU?
  • Are we passing on EU personal data to a third party?

Any business that is considering an international expansion, especially one into Europe, is encouraged to seek professional advice on how they can comply with relevant data protection regulations.

Conclusion

Data privacy and protection is an ultra-complex legal minefield. The situation varies wildly from country to country, with organizations in some nations—such as those where the GDPR applies—subject to extremely wide-ranging data protection laws. 

Due to the severe penalties that can be imposed on organizations like yours for non-compliance, it is crucial to consider how the data that you collect is stored, controlled, manipulated, and protected, and how different data laws might apply as a result.

Horizons is a global professional employer organization (PEO) that specializes in corporate international expansions. Our specialists can advise on a wide range of issues, including those related to compliance with applicable privacy regulations and data protection legislation, including the GDPR. 

So, if the thought of data protection still has you scratching your head, feel free to reach out to us for a zero-obligation introductory chat and find out how we can help. 

Frequently Asked Questions

A data protection plan is an internal document for an organization explaining what it intends to do to keep data safe and secure.

Data protection within an organization includes:

  1. Clear rules for accessing crucial and sensitive data
  2. An audit program to check that existing data protection policies are sufficient
  3. Regular backups of core data
  4. Employee training to ensure data protection best practices are followed.
