Data protection in a post-pandemic environment

Adam Strange, a Data Classification Specialist at Titus, identifies the key processes and technologies business must adopt in the wake of COVID-19

The rapid rise in remote working under COVID-19 delivered far-reaching changes in how we do business, with significant implications for CISOs, Compliance and Data Governance Officers. With accessibility, bandwidth, data volumes and usage demands surging under the pandemic, the challenge to keep data safe, whilst facilitating access and usability for multiple external user groups, became a core concern for data leaders. Now, as data from multiple and often external sources continues to grow in volume, issues around data management, control and protection are a priority concern for business.

The forward-thinking companies, with technology development strategies already in place, were able to quickly adapt under the pandemic and act on the clear business opportunity to "reinvent" data protection and flexible user access. But the organisations that maintained a fixed mindset on data protection are today finding it more difficult to recover and harder to provide their users with the tools required to do their jobs safely.

Supporting remote working
With the expectation that post-pandemic remote working will almost double from pre-pandemic levels, maintaining a centrally driven robust data governance strategy that prioritises data security and regulatory requirements whilst ensuring appropriate and safe access to information, whenever and wherever needed, is a must. Businesses must recognise the data protection lessons learnt and move beyond short-term security compromises to a future-proofed data governance protocol that is technology and user-centric. As a starting point, data protection must adapt to the new workplace environment. It is likely that in the post-pandemic environment, employees will split their working hours between home and office permanently. So organisations must look at the impact of high-volume remote working and what this means to their existing security controls.

A reinforcement of corporate policies around data creation and linked protection facilities, such as Data Loss Prevention (DLP) technology, will be critical to facilitate large remote workforces, to reduce accidental failings and to ensure that data transfer is confined to authorised recipients only. By identifying the true value and protection requirements of data, organisations will be able to make intelligent decisions on how to safely handle it. All data must be classified so it can be managed and handled appropriately, with robust classification facilities.

Automating data classification
Businesses that adapt best to the post-pandemic era will use automation, data-driven digital access technologies and cloud to effect improved operations and efficiencies. All organisations will need to focus on the results-driven benefits that new and extended working practices can provide, and enabling safe user and data access must be at the heart of these strategies. Automation will help improve processing efficiency and reduce the burden on frontline security and data management staff. To drive integration and automation as quickly as possible, data classification tools will not only help organisations to protect their data by applying appropriate security labels but will also help educate users to understand how to treat different types of data with different levels of classification and sensitivity.

Establish a data security culture
Businesses must apply and enforce PII data protection rules to safeguard personal data. Data leaders must be able to identify it, classify its sensitivity and the level of threat were it to be lost in any way, and apply acceptable usage policies and appropriate levels of protection. Establishing a PII culture must be gradual and based on buy-in and defined responsibilities that are recognised and accepted from the top down.

Given that employees play such a vital role in ensuring that business maintains a strong data privacy posture, the ability to work with stakeholders and users to understand data protection requirements and policies is key. Security and data protection education must be conducted company-wide and must exist at a level that is workable and sustainable. Regular security awareness training and a company-wide inclusive security culture within the firm will ensure that data security becomes a part of everyday working practice, embedded into all actions and the very heart of the business.