One of the biggest issues for IT security and business operations is keeping their data safe and secure. 
There is a massive amount of material available about data backup, building redundancy for continued operations and how to teach people to be careful in providing access to company data. In spite of all of the effort and expense that is put into this field there are still too many data breaches.
The consequences of inappropriate access to data held in company IT systems can easily be seen as highly costly both in dollars and in reputation. The challenge however is deciding how to build your systems so you hold the information about your customers and others you deal with that is needed to carry out your work but without putting you at risk of disclosing important personal or corporate data.
Unfortunately there is no easy answer to this dilemma. You need the information to carry out your business dealings but by acquiring the it and storing it you create the potential liability associated with a breach.
In the end it is all about due diligence and taking the best precautions you are able while storing the minimum amount of data that you need to carry out your work.
That's right I am suggesting you hold only the minimum data needed.
This seems completely contrary to what is the current trend as more and more information is captured and stored about every contact a business makes.
The challenge that is created by just storing more and more data is that in many instances what is stored is just never used. If no analysis is done to see if there is useful trend data within your filed information then why have all that information in the first place.
Of course key contact information for customers is important and needs to be kept. There are legislated requirements you must meet for information that the government requires about transactions etc. There is information you need from suppliers so you can properly configure and price your output. There is information need to properly provide customer service and do so promptly by contacting the right people. All of these involve the collection of personal and company data. All of them involve storing that data in a way that makes it accessible to the people within your organization that need it for response.
What is not needed is the collection of whole loads of additional information which has no bearing upon your transactions or your customers support needs What is also not needed is to make all of the collected information available to just anyone within your organization who just wants to take a look.
Health care as an example
Public hospitals and other health care organizations struggle with this kind of information challenge all the time. A patient's information is by definition private and should only be accessed by those providing direct care and who are authorized in support of that patient.
Unfortunately what has happened in some cases is a well meaning person who knows the patient and is interested in knowing about their welfare makes a 'casual inquiry through the system and finds out about patient private health information. This is deemed a breach of confidential use of private information by health care institutions and is actually illegal under privacy legislation in most of Canada. Organizations have to police this kind of access all of the time and it is tough.
Similar instances occur with many other types of personal and business data and it is hard to ensure only appropriate use is made of all that is stored. Training helps but human interest also gets in the way and people do access info they should not.
In the end, not having the data if it is not mission critical is sometimes the best protection against inappropriate use. Just don't keep it if you do get it and it is not really needed, or try to avoid getting it in the first place. Breaches cannot occur of data you no longer have, never collected or just did not store if it inadvertently came your way.
Too much data is sometimes the trend
Since we all have become familiar with the many ways that information about us and others is collected through social media, credit card purchasing and other forms of interaction, at times we just become immune to the data explosion.
To some extent we have just come to expect that there will be tons of information out there about everything and everyone and nothing can be done about it. To an extent this is true but not every organization has to subscribe to this formula.
In the end it is safer, less costly and probably more efficient to only accumulate the data you need, within a fairly short time frame and let other material go. Focus on the transactions and material which supports your current business and the support of your customers and suppliers. Avoid the temptation to collect information 'just in case'.
Lee K
