|
Risk
Management - Building a Data Map:
Step
one…Conducting A Data Inventory
One of the biggest challenges
faced by privacy or compliance professionals is tracking information that comes
into the corporation, how is it used and for what purposes and who has access to
that information. Without it, no one can make sure the company is in compliance
with contracts, applicable law or their risk management plans.
To determine what information
is collected and stored by the company, a “data inventory” must be conducted.
The an audit of what you believe is the true data inventory is conducted. This
is called a "privacy or data audit." Once the information and access points and
use are determined, a flow chart is created mapping information flow. This is
generally called a Data Map and is crucial to compliance and strategic planning.
Once gathered, this data
inventory can be used to help conduct a data audit and ultimately, a data map
for the company.
At each of these three stages,
the compliance, security and legal departments should be consulted. The entire
process is very time-consuming and can take several months, at least. Holes and
potential risks that are spotted in the duration can be rectified when
identified, rather than having to wait months to be handled.
Note that these processes are
part of a preventive law audit, and may or may not be privileged if inquiries
are made at a later date about what the company knew and when. Your legal
counsel should be involved in the planning of any confidentiality or privilege
strategies. This may have to be conducted entirely under the auspices of your
outside counsel to qualify for privilege. And even the best laid plans for
covering the audits under attorney-client privilege may be frustrated by the way
certain laws are written. Environmental laws, for example, may protect audits
under privilege only if the company takes action to rectify the problem. So
think carefully and get good advice.
But privileged or not, without
a data audit the company may be doomed. So, work to protect the results of the
audit, but work harder to comply and fix any problems you discover.
Each privacy or compliance
professional thinks the grass is always greener at other companies. Smaller
organizations have fewer access points of data inflow, but fewer resources to
gather the requisite information. Larger corporations have more resources, but
vastly more access points and conduits for information flow. Surprisingly, they
also have less knowledge about how other units, divisions and companies within
their corporate structure can access and use the information. So, in this case
at least, the grass is always in need of watering, chemicals and care no matter
which sized company or entity you are working with. No one has an easy job when
data compliance and mapping is involved.
The initial questions are the
easy ones:
-
What kinds of data are you
collecting?
How is it being collected?
How is the data being inputted?
For which purpose(s) was it collected?
Where special conditions on its use established at any time?
How is it stored?
Where is it stored?
What software and hardware are used in its storage?
Are there backups?|
How and where are they stored?
How can the data be accessed?
What software and hardware is used in its access?
Who has access to it? (Compare not just authority but ability to access.)
For what purpose?
Answer the same questions about backups.
Who can make changes to it?
How?
For what purpose?
How is authority to access the data controlled, supervised or reviewed?Can
the data be transmitted?
Can it be transmitted in bulk or only on an individual basis?
How?
How is all of this logged or documented?
Where are the logs or documentation stored?
How are they accessed?
How are those logs flagged to show unusual transactions?
Who receives those flagged logs?
Where are those who have access to the data?
Do they work from a corporate location, on the road or from home or shared
offices?
If laptops are involved, what security measures are taken for their loss or
for theft of data?
Is any of this data available for PDA, palm-devices or handheld devices?
If so, what security measures are taken for their loss or for theft of data?
What firewalls, software and encryption systems are used?
Who has access to those?
Who receives reports of any intrusions or attempted intrusions to those
systems?
These questions, often unasked,
can be the most telling:
Think about your website data input options, such as site registrations,
e-commerce and newsletter signups. Are you logging discussion groups, message
boards or other communication methods at your site? Do you collect e-mail
addresses? What kinds of forms are used? Do they collect information in data
streams? Are cookies or data tracking technologies used? Any downloadables?
If you attend trade shows or
job fairs, do you collect business cards from conference attendees? Are you
employees asked to update databases and contact lists with new business card
information they collect on business trips or at meetings and conferences? Do
you use relationship programs to help pair needs with existing relationships for
networking purposes?
Do you have a customer service
helpline or product warranty service lines? What is collected and how is it
used? Contests, giveaways or sweepstakes? Sharing or cross-marketing deals with
magazines,
advertisers or affiliates? Do you use coupons? How are they processed and
redeemed? Rebates? Special consumer offers?
What information is collected
and stored by human resources and how is it accessed?
If monitoring of computer
networks and communications systems is used, how is the information accessed and
stored? What information is collected and stored on phone calls inbound or
outbound?
What information is paired with
customer, passenger and patient records? Is outside information gathered? How?
Is name and address or other personally identifiable information used to obtain
this outside information? (For example, sending to the data management company
the names and social security numbers of your customers to obtain any known
offline information and buying habits.)
Is data inputting, management
or storage outsourced? To whom? Where? Does the information cross national
borders?
What promises are made?
Confidentiality agreements or NDAs? Pre-merger or acquisition confidentiality
provisions? Regulatory or regulated industry requirements? Employment
applications and employee handbooks? On screen computer notices or voice
recordings for phone use? Website privacy policies and terms of use?
Subscription policies?
In gathering the information
for this inventory, make sure that everyone who may have knowledge about the
real facts is polled. While policy may require one thing, reality may disclose
something else altogether. And ask them for their response in writing,
separately. Parry Aftab has learned that often employees and consultants are
influenced by the others' response in a group inquiry. At the audit phase, any
inconsistencies will be investigated and settled.
Look for the next article in
this three part series soon. To sign up for site update notices, visit our
news page.
| 
Parry
Aftab, Esq., 
Marvel and
all character names and the distinctive likenesses thereof are trademarks of
Marvel Characters, Inc., and are used with permission. TM & © 2004 Marvel
Characters, Inc. All rights reserved. “Super Heroes” is a Co-owned registered
Trademark.