
Data Sensitivity: What You Need to Know For Your Business

[Image: Bogachev Hacks Your Data. Data hackers: modern businesses' worst nightmare.]

As a business leader, you’re ultimately accountable for safeguarding your organization’s data – a responsibility that can’t be delegated entirely to your IT department or data security experts. While experts can guide you on the best security methods, it’s your call to determine what’s sensitive and what precautions are necessary. Indeed, not all data is created equal; some data is more sensitive than others. As a business leader, your primary goal is to protect essential data from unauthorized access or accidental loss while maintaining operational flexibility.

In this article, I’ll examine who exactly determines which data is sensitive, levels of data sensitivity, and relevant data protection laws. Additionally, I’ll provide examples of sensitive information (PII, confidential data, etc.). So get ready to become a more well-informed and proactive leader in today’s digital world!

Business Leaders Decide What Data Is Sensitive And What Is Not.

If you own or store data as part of your business, you are the ultimate decision-maker on how sensitive that data is. The business leader, not the IT department, decides what counts as sensitive data. So, what is sensitive data? Here is a simple definition:

“information that must be protected against unauthorized disclosure”.

Also, when deciding what data is sensitive, you need to take into consideration applicable laws and security experts’ advice. Even so, this is not something that you can totally delegate to a security consultant. As the owner of the data, you are ultimately responsible for protecting it.

Need For A Risk Assessment To Determine Data Sensitivity Levels.

Every business needs to know the risks it faces if its data is either leaked or destroyed. Consequently, to know your risks, every business and organization needs to conduct a data risk assessment. Specifically, a risk assessment will help you classify the sensitivity level of your data, and from that classification you can determine your risk mitigation actions. Below is an example of data sensitivity levels that an organization could establish to classify its data.

Data Sensitivity Levels
  • High Sensitivity Data. You would classify data at this level if its leak or destruction would have a catastrophic impact on the organization or on individuals. For example, this may include financial records, intellectual property, and authentication data.
  • Medium Sensitivity Data. You would classify data at this level if it is intended for internal use only; its destruction or leak would be harmful but not catastrophic. As an example, this may include emails and documents with no confidential data.
  • Low Sensitivity Data. Here, you determine that the data is intended for public use. For example, public website content.


See Imperva’s Data Classification for more on classifying data. Also, for more information on risk assessments, see my article, Risk Mitigation For Supply Chains: How To Best Identify, Make Assessment, Overcome.

What Applicable Laws Govern The Classification of Data Sensitivity.

The amount of data in the world is exploding. Therefore, businesses as well as organizations are grappling with how they store data and transfer it over the internet. Another wrinkle in determining data sensitivity is that you have to pay attention to applicable laws. There is now an increasing body of laws that define the sensitivity of data and how data owners have to protect it.

Your type of business and where it is located determine which data protection laws are applicable. Also, there are data protection laws and guidelines that you or your customer may elect to follow. For example, some large businesses and industry groups have higher data protection standards, and they in turn require their vendors and suppliers to comply or they will sever the business relationship. Below are a few of the most influential data protection laws:

Key Data Protection Laws
  • Gramm–Leach–Bliley Act (GLBA). In brief, U.S. financial institutions must disclose how they share and protect their customers’ private information.
  • Health Insurance Portability and Accountability Act (HIPAA). Here, U.S. health providers must take adequate steps to protect patients’ Protected Health Information (PHI).
  • Family Educational Rights and Privacy Act (FERPA). In brief, U.S. educational institutions must have the consent of students over 18 years old to release records such as schedules, transcripts, and disciplinary information.
  • General Data Protection Regulation (GDPR). This European Union (EU) data protection standard is a very comprehensive regulation for protecting personal data. As a result, many businesses and organizations elect to follow this standard even outside the EU.
  • Payment Card Industry Data Security Standard (PCI DSS). In brief, this is an information security standard that tells organizations how to handle data associated with credit cards.


See UpGuard’s What Is Sensitive Data? for more details on laws and regulations governing sensitive data.

Examples of Sensitive Data.

As data protection laws and standards have evolved, most of them classify data under four categories. Below are the four data protection categories, with examples of the types of data in each.

1. Personally Identifiable Information (PII).

This type of information can be used to confirm an individual’s identity. This includes:

  • A name and surname
  • A home address
  • An email address
  • An identification card number
  • Location data
  • An Internet Protocol (IP) address
  • The advertising identifier of your phone

2. Sensitive Information.

The EU’s GDPR data protection standard classifies sensitive information as follows:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Data related to a person’s sex life or sexual orientation
  • Biometric data (where processed to uniquely identify someone)

3. Confidential.

This is data that businesses, organizations, and governments use and do not want to expose to other entities. This includes:

  • Sensitive information in business plans
  • Any document classified as restricted, or whose disclosure would be a breach of confidentiality
  • Accounting data
  • Trade secrets
  • Financial statements or accounts

4. Normal.

Lastly, there is general data that does not belong to any of the other categories.

More References.

Need help with an innovative supply chain solution that leverages emerging information technologies? I’m Randy McClure, and I’ve spent many years helping logistics organizations to make the most of new information technologies. As a supply chain tech advisor, I’ve implemented hundreds of successful projects across all transportation modes, working with the data of thousands of shippers, carriers, and 3rd party logistics (3PL) providers. I specialize in new strategies, proof-of-concepts and operational pilot projects using emerging technologies and methodologies. If you’re ready to supercharge your supply chain or if you are a solution provider, let’s talk. To reach me, click here to access my contact form or you can find me on LinkedIn.

For more information from Supply Chain Tech Insights, see articles on Information Technology
