Sensitive Data must be safeguarded from unauthorized access to protect the security or privacy of an organization or individual. This is what data protection policies are set for. There are three types of sensitive data: personal information, business information, and classified information.
- Personal information includes biometric data, unique identifiers such as passport, financial information or any information that a person would prefer remained private.
- Business information includes anything that exposes a business to a risk when discovered by the general public or competitor. Such information includes customer information, trade secrets, financial data and supplier, among other possibilities.
- Classified information relates to governmental organization and is limited according to sensitivity level ( for example top-secret, secret, confidential and restricted).
Failing to apply data protection policies to sensitive data can be embarrassing, costly and result in regulatory fines and bad business reputations.
Depending on the country where you are carrying your business, you must consider data protection policies to avoid getting on the wrong side of the law. In the UK, the most important law that companies and individuals must worry about is the Data Protection Act. Organizations that fail to apply data protection policies to sensitive data in the UK are fined by the information commissioner (ICO). For instance, in 2006, Nationwide Building Society put at risk the personal information of over 11 million savers. Consequently, the Financial Services Authority (FSA) fined the company £980,000. In another case, Sony’s disastrous breach saw hackers access the customer’s records of over 77 million individuals relating to its PlayStation Network in 2011. Eventually, Britain’s ICO fined the company £250,000 fine after finding the firm had not taken sufficient steps to protect the loss of a large amount of personal data.
In the US, many companies have been fined for violating Data Protection Rules. For instance, Anthem, which disclosed last year that the records of over 80 million of its customers had been breached, was asked to pay $1.7 million for a 2010 computer breach.
Businesses must protect their reputation because an increasing importance is being placed on governance and ethics of business. Furthermore, investors, shareholders, employees and consumers are holding companies accountable for their actions. A favourable business reputation is an intangible, yet valuable asset. It plays an important role in attracting the suppliers, investment and best talent.
A sensitive data breach can cause considerable reputation damage. Once a company is associated with violation of data protection policy, the blows start to pour in. According to a study carried out by Semafone, of 2,000 survey participants almost 86 % would not do business with a firm that had previously faced a data breach that involves debit or credit card information.
In conclusion, as individuals and organizations from various industries continue to benefit from the analysis of massive volumes of data from a vast variety of sources, there is a need to keep reminding everyone of the importance of applying data protection policies to sensitive data to protect their reputation and to avoid data breach fines.
