With the Data Privacy Law and GDPR in full swing, organizations are scrambling to find the best way to protect corporate data. To do this, one must be able to property identify the company’s most important data assets, classify them correctly and employ the right process of sharing and accessing this data. All these can be done with a proper information architecture.
Information architecture in its simplest definition is the art and science of organizing and labeling data in an effective and sustainable way, with the goal of making the data usable and findable. Effective information architecture helps increase employee efficiency and productivity while decreasing the likelihood of data leakage. It reduces the time spent looking for content, drives data-driven decision-making and helps ensure right data access.
There are a number of steps needed to put together the proper information architecture for your organization:
Step 1: Identify your stakeholders and map out your data flow process
What types of content do you have? Who owns it? Where is it stored? Who has access to it? The very first step to information architecture is to map out your current data flow process and identify the key stakeholders who would have an interest in it. This can include your HR lead who probably owns your employee database; the marketing team who owns your website and social media channels; your sales team who looks after your customer database; the finance team responsible for financial data; and even your IT admin who has access to sensitive information on your infrastructure. The process they employ to create, collect and share data should be part of your information architecture plan.
Step 2: Data Classification
The next step towards a robust information architecture is data classification. Companies usually classify data according to the risks it represents if a leak occurs. High risk data are those that the company is legally required to protect, based on law and regulations. The loss of confidentiality, integrity and availability of high-risk data can have an adverse impact on the organization. Such data include sensitive personal identifiable information or PII (credit card details, medical records, employee data), financial data and system data that contain passwords. Moderate risk data are those that are not high risk but are not generally available to the public. Data that are publicly available are considered low-risk.
Classifying data should start upon creation. Here are some questions that can help guide you during the classification process:
1. Is the data considered sensitive? Does it include any PII?
2. Who should have access to this data?
3. How should the data be handled?
Step 3: Tag and Label
Once you’ve identified the risk level of the data you have, then it’s time to label and tag your documents, contacts and other pieces of content to ensure that they are stored properly, accessible only by the right people and can be easily found. One way to do it is by using standardized meta tags or meta data. With these, your employees will find it easier to search for the content they need. Plus, it helps make it easier to automate the data tagging process.
Step 4: Protect your Data
There are various data protection solutions in the market today. Note though that to truly protect your data, you will need to employ several security layers covering people, device and infrastructure. On the people side, this includes training and effective password management policies which can include multi-factor authentication, as well as enforcing rights management. Adding encryption to sensitive data, limiting access and requiring authentication can also be part of your data protection policies. Implementing a good mobile device management with the ability to remote wipe data from a lost device is also a must. Regular penetration testing, scans and audits of your data protection processes are good practices that organizations should adopt.
Developing your company’s information architecture and data protection plan may seem like a gargantuan task. Contact NTT DATA for help on building your framework and plan.