
Culture of Data Protection: What Your Customers Expect

Level 12


We've talked about building a culture, why it applies to all data environments, and some specific types of data protection features you should be considering. Today, we'll consider the culture of protection that the actual owners of the data (customers, employees, vendors, financial partners, etc.) expect from your stewardship of their data.

Data owners expect you will:

  • Know what data you collect
  • Know the purpose for which you collected it
  • Tell them the purposes for which you collected the data
  • Be appropriately transparent about data uses and protection
  • Use skilled data professionals to architect and design data protection features
  • Document those purposes so that future users can understand
  • Honor the purposes for which you collected it and not exceed those reasons
  • Categorize the data for its sensitivity and compliance requirements
  • Document those categorizations
  • Track data changes
  • Audit data changes
  • Version reference data
  • Use strong data governance practices throughout
  • Protect non-production environments just as well as production environments
  • Prioritize data defect fixes
  • Make the metadata that describes the data easily available to all users of the data
  • Know the sources and provenance of data used to enhance their data
  • Secure the data as close as possible to where it rests, so that every access path, by any means, inherits the same protection
  • Mask the data where needed so that unintentional disclosure is mitigated
  • Back up the data so that it's there for the customer's use
  • Secure your backups so that they're not there for bad actors to use
  • Limit access to data to just those who have a need to know it
  • Immediately remove access to their data when staff leaves
  • Do background checks, where allowed, on staff accessing data
  • Test users of data regularly on good data hygiene practices
  • Ensure data quality so that processes provide the right outcomes
  • Ensure applications and other transformations are done correctly
  • Ensure applications and other transformations do not unintentionally apply biases to outcomes of using their data
  • Provide data owners access to review their data
  • Provide data owners the ability to request corrections to their data
  • Provide data owners the ability to have their data removed from your systems
  • Monitor third-party data processors for compliance with your data security requirements
  • Secure the data throughout the processing stream
  • Secure the data even when it is printed or published
  • Secure data even on mobile devices
  • Use strong authentication methods and tools
  • Monitor export and transfer of data outside its normal storage locations
  • Train IT and business users on security and privacy methods and tools
  • Protect user systems from bad actors
  • Monitor uses of sensitive data
  • Monitor systems for exploits, intrusion attempts, and other security risks
  • Securely dispose of storage hardware so that data is protected
  • Securely remove data when its lifecycle comes to an end
  • Accurately report data misuses and breaches
  • Treat their data as well as you'd protect your own

And after all that:

  • Actively steward the data, metadata, and data governance processes as business and compliance requirements change

Sound overwhelming? It should. We need to think of data as its own product, with a product manager, data models, a metadata repository, a business-user portal describing the data products, and all the processes we already put in place to protect code. Reread the list, changing the word data to code. We do most of this already for applications and other code. We should, at the very least, provide the same sort of process for data.

Your customer might not know they need all those things, but they sure expect them. I'd love to hear other expectations based on your own experiences.

11 Comments
smttysmth02gt
Level 13

I think this list was overwhelming, only in the sense of how long it was.  I read the list and believe it can be summed up as common sense practices for working in IT.  Documentation and security are very important in this industry.

ecklerwr1
Level 19

A very good list which we follow mostly to a tee... it's hard work really securing data and it's a constant ongoing process... you are never finished.

david.botfield
Level 13

Good Article.

rschroeder
Level 21

Customers expect "EVERYTHING", along with expecting it to be 100% secure, 100% available to ALL devices (including personal devices off-network), and available EVERYWHERE and AT ALL TIMES.

And they expect it to be free or very affordable.

And compatible with every system in the world so they can easily move from site-to-site, and collaborate with anyone around the world.

And it should always have a Dark Theme to choose when in dimmed lighting.    ;^)

Of course!  Anything else would be an inconvenience.

bobmarley
Level 15

Regardless of expectations your data is shared over and over again and eventually is exposed. Take for example, purchasing a home or vehicle. If you are not right on top of the 'opt out' policies (which no one ever is) the next thing you know you are getting mail from all of the companies' 'affiliates'. In today's world companies are mostly all subsidiaries of other companies so your data gets shared across the entire planet before you ever get a chance to 'opt out'.

Now you have to wonder about the security of every data center out there... and the statistics are not in your favor.

datachick
Level 12

That was the intent of making it a list.  And it's likely I could add 10x more security and privacy items to it.  What did I miss?

datachick
Level 12

That's good to hear.  I work mainly on troubled projects, so I rarely see any of these things done.  And great point about never being "finished".

datachick
Level 12

I don't hear about data centre breaches as often as I hear about plain old unsecured data. For the ones I've visited, the physical security is intense.

vinay.by
Level 16

Nice article

jkump
Level 15

Excellent listing.

bobmarley
Level 15

I agree, usually the data center is physically hard to get into.

About the Author
Data Evangelist, Sr. Project Manager and Architect at InfoAdvisors. I'm a consultant, frequent speaker, trainer, blogger. I love all things data. I'm a Microsoft MVP. I work with all kinds of databases in the relational and post-relational world. I'm a NASA 2016 Datanaut! I want you to love your data, too.