This is the third in a series of posts in honor of National Cybersecurity Awareness Month.  Each day this week, we’re sharing a practical cybersecurity tip for small businesses.

Modern data privacy laws recognize that individuals have certain rights in data that organizations collect from them.  Compliance with such laws often requires the ability to respond quickly to requests to exercise privacy rights like the right to access and correct personal information, the right to have personal information deleted, and the right to limit usage of personal information.  Yesterday, we saw how data mapping facilitates regulatory compliance.  Today, we look at a related best practice: centralizing and organizing your data.

Data can live in many places within an organization.  Structuring your information systems – specifically, your data storage systems – to fit your business and compliance needs will help you exert control over your data.  The amount of control you have over your data affects your ability to handle the data to meet specific objectives.

Consider this scenario.  You’re a startup and you realize that encrypting personal data of customers would be a good idea (maybe you read our post about the value of encryption).  However, customer data is stored haphazardly throughout your organization.  Customer data mainly sits on your main server and your CRM vendor’s cloud server, but it’s also stored on local backup storage media and on laptops and mobile devices owned by your executives and a few key employees.  Customer data is also stored in different formats, including in your CRM vendor’s proprietary database and in spreadsheets.  Wouldn’t the encryption program be easier to implement if the customer data lived in only one or two databases?  Having an organized and streamlined data structure lays the foundation for executing information governance policies.

Here’s another hypothetical scenario.  A customer submits a request to access the personal data your business has collected about him because he wants to verify that your records accurately capture his middle initial.  The difficulty of responding to this request depends on the organization and complexity of your database and storage systems.

Certain privacy laws set deadlines on responding to requests to exercise privacy rights.  For example, the CCPA generally gives organizations 45 days to respond to privacy requests, with one 45-day extension allowed under certain conditions.  Organizing and centralizing data enhances your ability to respond to customer privacy requests within regulatory deadlines.

Below are a few considerations for exercising control over your data:

  • Be intentional in designing the architecture of your database and storage systems.  Take into account physical considerations (e.g., proximity and accessibility of storage/database sites, ability to physically restrict access) and non-physical considerations (e.g., speed of internet connection for cloud databases, interoperability of databases with software).
  • Give thought to the hierarchy of your databases.  Will you need to look in multiple folders to find certain categories of information, or is information stored in folders or subfolders organized by category or some other methodology?
  • Consider whether your organizational structure lends itself to segregation of certain data sets from others. For example, if your business has two operating units, is the data pertaining to one unit segregated from data for the second unit? Segregation makes it easier to impose limitations on access should you need to do so.
  • Minimize the number of places where you store data except as necessary to build redundancy for backup purposes.   
  • Make your data easily searchable.  There are various ways to do this, ranging in sophistication from adopting file-naming conventions to deploying document processing software with artificial intelligence technology.
  • Develop and enforce information governance policies such as restrictions on off-site data storage.
