In the work of an analyst as well as an analytical company, ensuring the security of entrusted data is fundamental. This is a key aspect of cooperation, especially if we, as an analytical company, have access to:
- Raw data describing key processes in the company, such as: revenue, profit, costs, employment, etc.
- CRM, ERP systems or databases from which data can be retrieved
- Conclusions that we formulate in the form of reports, presentations or other materials provided to the partner, which indicate potential problems, weaknesses and strengths of the company, and recommendations for business development.
Knowledge of this kind is strategic for any business and should therefore be given special protection. This text covers which areas need attention in the context of data protection and which good practices you can apply. I will also describe what the data security process should look like.
Data Security Between Employers And Employees
The employer is the main party responsible for the stored data, both the data provided by the customer and internal data regarding the company's own activities and its employees. Protecting this data is one of the employer's most important duties, not only for the sake of the company, but also because a failure can mean a breach of contract or of GDPR.
Data protection has several aspects, each directly related to a specific type of risk. These are:
- General aspect – concerns the company and its infrastructure. It determines to what extent the company's infrastructure, policies and procedures guarantee security for customer data.
- Individual aspect – concerns a specific person (employee = analyst) who works with the data every day and in this way looks after it.
The two are closely linked, and shortcomings in one affect the other.
Data Security On the Part of the Employer
The basic role of the company in the data protection process is to create an organizational culture that emphasizes respect for customer data. When we respect someone, we automatically care about their 'well-being', so in this case we will care as much as possible about the protection of their data. The organization should also create physical conditions that guarantee the safety of that data.
Physical conditions are quite obvious and well defined in many articles and guidelines describing the principles of secure data storage. Office access procedures, alarm, external security, computer updating policy – these are obvious factors that guarantee data security in a physical sense.
I believe that the more important role of the employer is not to create an armored data box, but to create a proper organizational culture. One in which caring for data as well as the data itself is treated not as an obligation, but as an obligation or expression of our gratitude to the customer. Gratitude resulting from the fact that the partner trusted us and entrusted us with one of the most valuable resources of their company.
Data Security And the Employee
This brings us to the most important link in the data protection chain – the employee. It is often easier to break a person than a password, and a person is more likely to make a mistake than a system is. The employee therefore becomes the key link in the entire data security puzzle.
Today, training an employee and providing them with appropriate working conditions is not enough. Taking care of them, creating a safe and friendly atmosphere for them, talking to them, and providing support and space for development are equally important. These are the basics of Employer Branding, the application of which will pay off in the long run. Employees who feel comfortable in their organization do not harm it. They feel obliged to the company and are more attentive and accurate in their work, which contributes to the prevention of any data leakage or other violation.
Data Security Aspects
Data security is based on the two aspects I mentioned at the beginning. In addition, there are a number of areas that need to be addressed in order to ensure full data protection.
Physical Data Protection
The physical aspect is related to the office and its infrastructure. This is an area that is already widely recognized and it is difficult to imagine that any safety deficiencies exist. Above all, its basic components are:
- Office with access control.
- Office equipped with alarm systems.
- Designing office space and setting desks in such a way that data processors are provided with privacy. For example, a person performing customer analysis and having access to their cards with their first and last name should have a properly secured workstation, so that the monitor is not visible when passing through a corridor or looking through a window.
- The requirement to protect all company equipment with a password – both laptops and business phones, which often “go out” from the office with us on business trips, conferences or meetings with customers.
Law And Data Security
Legal protections should protect us and our data. This is particularly important when concluding new contracts. It is important to remember that “the ignorance of the law does not exempt us from complying with it”. In other words, the law always applies to us, regardless of our interpretation. That is why it must be respected by us.
Introducing appropriate procedures related to, for example, GDPR, and defining the rules for the marketing data provided to us, is crucial in every organization. It is essential to protect the interests of the customer in the contract, so that the provisions guarantee the integrity of their data, including in the context of third parties. The legal aspect may therefore require cooperation with a law firm, especially if we have partners from other countries where different laws and local jurisdictions apply. This is also important when choosing the entity with which we want to work in the field of data.
Technological Data Protection
When working with data, we must ensure that our technical infrastructure is properly secured. The most important activities in this area include:
- Individual computers and workstations – the latest stable versions of operating systems, with appropriate security software that is still supported by its manufacturers.
- Protection of the corporate network, especially Wi-Fi. Full control of network access, a separate network for guests and keeping key network devices (e.g. routers) in restricted areas are the basis of data protection in an organization.
- A password management policy: periodic change of passwords, enforcing strong passwords and using dedicated software to hold and assign passwords (e.g. https://keepass.info/) is a must-have in an organization. In addition, it is worth reducing the amount of access data that is available to all employees.
Here we can list several principles that are worth applying in an organization:
- Clean desk policy
- Guideline for printing and shredding key documents
- Rules for sharing passwords with co-workers
- Rules on whistleblowing and reporting of data breaches
- Rules for deleting unused accounts – e.g. those left by former employees or for shared services that we no longer use.
Culture In the Context of Data Protection
In addition, it is worth paying attention to the work culture in a given organization and developing practices based on the principles of mutual respect and trust. This will make the work more efficient and pleasant. Every company should therefore take care of:
- Developed culture of respect for customer data in the organization
- Developed culture of work on data, i.e. requiring only the data that is needed and nothing else (not collecting data that we do not need at a given moment).
Data Securing Process
Ensuring data security is a process that is built from different aspects regarding data.
When starting cooperation with the customer, we should determine exactly what data and accesses we will need and require only those accesses. We should also identify the scenarios and the people who need the data. This is also in line with GDPR best practice.
Next, we should take care of the legal layer of our cooperation, which will be guaranteed by:
- Properly signed cooperation agreement
- Principles of processing entrusted personal data
- Confidentiality agreement (NDA).
We should prepare the appropriate infrastructure for data processing, e.g. a secure database system with access control.
Then, we should define precise scenarios for working with data and the persons responsible for ensuring data security in each scenario.
Finally, we should monitor, on an ongoing basis, the scope of data used and the situations in which it is used. In this way, we will be able to identify and eliminate potential threats related to data breaches.
Trust Is the Basis for Cooperation in Analytics
As we can see, ensuring data security is not easy and covers many different aspects. However, for the sake of any cooperation, it is important that we take care to protect any data we share or work with. Having confidence in each other, we enable each other to work together in a fruitful and respectful way. Let us remember this, because in the event of any infringement, we may not only lose a business partner, a good reputation on the market or a close relationship, but may also be penalized on the basis of existing agreements or GDPR provisions.