What data is sensitive depends on your viewpoint. It is becoming increasingly important to define, identify, locate and protect such data due to the volume and since it is often in the wrong place.
Text: Barbara Biesuz, Image: Unsplash,
The term “sensitive data” is defined by legislation (e.g. the EU General Data Protection Regulation, GDPR) as well as by regulators (e.g. the Swiss Financial Market Supervisory Authority, FINMA) and, of course, by the company itself. It is therefore difficult to give a simple and unambiguous statement of what constitutes sensitive data. In principle, every company can hone the legal framework for its own purposes and thus adapt it to its own “temperament”.
Yes and no. Laws and regulation clearly stipulate what is sensitive. There is no room for manoeuvre in this respect. However, if you consider bank customers, for example, their data at the bank is subject to banking secrecy and must be protected accordingly by the bank. We can all agree on that. But if you provide your data (name, address and account number) on a payment slip, it's a slightly different matter. It is always a question of viewpoint and position: Is it your own data or data that we store about third parties within the framework of our professional duties? In addition to the plausible banking example mentioned above, there are also less obvious cases.
Imagine that you’re invited to a golf tournament as a VIP guest. On the invitation you are asked if you want to eat kosher or halal, gluten-free or lactose-free food. Depending on what you tick or don’t tick, I can draw conclusions about your religious affiliation and current health. In accordance with the GDPR, a file containing this data must be defined and classified as sensitive and the handling thereof regulated accordingly.
«Our service: Define, search, find, protect.»
The “security value chain” follows a clearly defined process. The first step consists of advice from our security consultants within the framework of the data-protection and health checks. This step is about defining the company’s “crown jewels.” This sensitive – and therefore protectable – data is listed and classified on the basis of legally and individually defined rules. The second step involves the Swisscom sensitive data service. Here the aim is to find the previously defined crown jewels: Where within the company is this data to be found? It is where it should be, or do we find it in places where it has no business being? The third step is then to protect the data. This is done by means of organisational as well as technical measures.
Firstly, this data must be protected (e.g. using Audit Guard or DLP) in order to comply with the relevant legislation, regulatory requirements and internal company guidelines. Secondly, there are various additional options: You can move, (re-)classify, protect, anonymise or even, under certain circumstances, delete the data. The latter especially applies if data is somewhere where it doesn’t belong. As part of a continuous improvement process, employees must continuously be trained and made aware about the handling of data. By extension, violations could even be punishable. Our value chain also includes consulting on how sensitive data can be protected in an organisationally and technically efficient and effective manner. We recommend repeating this process at regular intervals because the architecture and business processes are constantly changing.
Recognising sensitive data is becoming increasingly important. Not only because of the enormous volume, but also because the sensitive data service often finds data in places where it shouldn’t be. Take this example of an application: My CV – a sensitive document – is sent to the recruiter via an online tool. Because the client is currently on the road and cannot access the system, the recruiter forwards it to the client by e-mail. So that the team leader also has access, the client also stores the CV on the collaboration platform. For the second interview, the head of department is called in and receives a printed CV. My CV leaves traces on Exchange servers, in e-mails from various PCs, in the printer queue, etc. We call these places “contaminated.” The task of SDS is to uncover these “contaminated places.”
Not primarily IT, as you might assume. Our main contacts are business unit managers as well as compliance and audit officers. They have an interest in ensuring that data is handled in accordance with the law, regulations and company policies in order to prevent damage to our reputation as well as financial losses. We have also received an order directly from the CEO of a large company.
All organisations that generate sensitive data: hospitals, medical centres, local and municipal authorities, tax consultants, patent departments, etc. In fact, any organisation that wants to know where its data is located and wants to protect it. The list is endless. The new data protection act from 2022 will in future force everyone to ask “Do I know where my data is?” Most companies, regardless of their industry, do not currently know this conclusively. So there’s still lots for us to do.
More on the topic