As a business leader, safeguarding your data is crucial regardless of your company's size. It is up to you, not your security expert, to identify sensitive information and take the necessary precautions. Keep in mind that not all data carries the same sensitivity level, so understanding this topic is vital. Your goal is to shield crucial data from unauthorized access or inadvertent destruction while striking a balance between solid protection and operational flexibility.
In this article I'll cover who determines which data is sensitive, the common data sensitivity levels, and the relevant data protection laws. I'll also give examples of sensitive information (PII, confidential business data, and so on). So get ready to become a better-informed and more proactive leader in today's digital world!
Business Leaders Decide What Data Is Sensitive And What Is Not.
If you own or store data as part of your business, you are the ultimate decision-maker on how sensitive that data is. Here is a simple definition of sensitive data:
"information that must be protected against unauthorized disclosure".
As part of determining data sensitivity you need to take applicable laws and your security experts' advice into account. Even so, the decision itself cannot be delegated to a security consultant, because you are the owner of the data and you bear the consequences if it is leaked, altered, or destroyed.
Need For A Risk Assessment To Determine Data Sensitivity Levels.
Every business needs to know what it stands to lose if its data is leaked, altered, or destroyed. To understand those risks, every business and organization should conduct a data risk assessment. The assessment helps you classify the sensitivity level of each kind of data you hold, and from that classification you can decide which risk mitigation actions are worth their cost. Below is an example of data sensitivity levels that an organization could establish to classify its data.
Data Sensitivity Levels
- High Sensitivity Data. Classify data at this level if its leak or destruction would have a catastrophic impact on the organization or on individuals. Examples include financial records, intellectual property, and authentication data such as passwords, keys, and tokens.
- Medium Sensitivity Data. Classify data at this level if it is intended for internal use only and its leak or destruction would be damaging but not catastrophic. Examples include internal emails and documents that contain no confidential data.
- Low Sensitivity Data. Classify data at this level if it is intended for public use, so that disclosure causes no harm. An example is public website content. Note that even public data may still need protection against tampering: a defaced website is still a security incident.
What Applicable Laws Govern The Classification of Data Sensitivity.
The amount of data in the world is exploding, and businesses and organizations are grappling with how they store data and transfer it over the internet. A further wrinkle in determining data sensitivity is that you have to pay attention to applicable laws. There is now a growing body of laws that define which data is sensitive and how data owners have to protect it.
Your type of business and where it (and your customers) are located determine which data protection laws apply to you. There are also data protection standards and guidelines that you or your customers may elect to follow. For example, some large businesses and industry groups hold themselves to higher data protection standards, and they require their vendors and suppliers to comply or they will sever the business relationship. Below are a few of the most influential data protection laws and standards:
Key Data Protection Laws and Standards
- Gramm–Leach–Bliley Act (GLBA). In brief, U.S. financial institutions must explain how they share their customers' private information and must safeguard that information.
- Health Insurance Portability and Accountability Act (HIPAA). U.S. health care providers, health plans, and their business associates must take adequate steps to protect patients' Protected Health Information (PHI).
- Family Educational Rights and Privacy Act (FERPA). In brief, U.S. educational institutions must have the consent of students who are 18 or older (or enrolled in a postsecondary institution) before releasing education records such as schedules, transcripts, and disciplinary information; for younger students that right belongs to the parents.
- General Data Protection Regulation (GDPR). This European Union (EU) regulation is a comprehensive framework for protecting personal data. It applies to any organization that processes the personal data of people in the EU, regardless of where the organization is located, and many businesses and organizations elect to follow it even where it does not strictly apply.
- Payment Card Industry Data Security Standard (PCI DSS). Strictly speaking this is not a law but an industry security standard maintained by the PCI Security Standards Council and enforced contractually by the card brands; it tells organizations how to handle cardholder data associated with payment cards.
Examples of Sensitive Data.
As data protection laws and standards have evolved, most of them group data under a handful of categories. Below are four data protection categories you could use, with examples of the types of data in each.
1. Personally Identifiable Information (PII).
This is information that can be used, alone or combined with other data, to identify an individual. Note that under GDPR even online identifiers such as IP addresses and device identifiers count as personal data. Examples include:
- A name and surname
- A home address
- An email address
- An identification card number
- Location data
- An Internet Protocol (IP) address
- The advertising identifier of a mobile phone
2. Sensitive Information.
The EU's GDPR calls these the special categories of personal data (Article 9) and restricts their processing. They are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where processed to uniquely identify someone)
- Data concerning health
- Data concerning a person's sex life or sexual orientation
3. Confidential Business Data.
This is data that businesses, organizations, and governments use internally and do not want to expose to other entities. It includes:
- Any document classified as restricted, or whose disclosure would breach a confidentiality agreement
- Accounting data
- Trade secrets
- Financial statements or accounts
- Sensitive information in business plans.
4. General Data.
Lastly, there is general data that does not belong to any of the other categories and needs no special handling beyond your baseline controls.
See Microsoft’s Classifying Data Sensitivity Fields, ITGovernance’s GDPR: Personal Data Vs Sensitive Data, and Spirion’s How To Determine the Sensitivity of Information for more information on examples of sensitive data.
For more information from Supply Chain Tech Insights, see articles on Information Technology
Greetings! As an independent supply chain tech expert with 30+ years of hands-on experience, I take great pleasure in providing actionable insights to logistics leaders. My background includes implementing hundreds of innovative solutions using emerging technologies and a data-centric development approach. I have also provided business intelligence (BI) solutions for thousands of shippers.