Do Your DLM and ILM Practices Meet New Data Privacy Laws?

Data lifecycle management (DLM) and information lifecycle management (ILM) are common IT practices within today’s enterprises. Organizations implement them for a variety of reasons, including to handle data with increased efficiency and security, and to uphold compliance with data privacy laws. As laws evolve and new, stricter ones emerge, both lifecycle management practices must be updated to remain compliant.

In this blog, we’ll discuss why and how a purposeful processing solution can help you achieve just that.

What is data lifecycle management?

Data lifecycle management is a comprehensive approach to managing organizational data from creation through deletion. This umbrella term covers all business processes, organizational policies, and workflows used across all applications, storage locations, and business systems. With a proper DLM strategy, your organization can improve data processing efficiency as well as organizational security.

As data storage prices have decreased over time, well-defined DLM policies have become significantly more important. Where data was once deleted out of necessity to make additional space, information can now be held “just in case.” At the same time, the amount of data being created every year continues to increase exponentially, with global data creation projected to grow to more than 180 zettabytes by 2025.

While this data represents a significant business opportunity when properly harnessed, if left unmanaged it can also present a significant risk in the form of data breaches or noncompliance with government regulations.

What is information lifecycle management?

Information lifecycle management is similar to data lifecycle management, so much so that the two terms are often used interchangeably. However, these two terms are more accurately used to describe two separate ideas. Where DLM focuses only on general information such as file type and file size, ILM is more granular and covers very specific details within the data, such as personally identifiable information (PII).

While DLM and ILM share a symbiotic relationship, the reality is that these two ideas are separate data management systems, and both must be given consideration to ensure a full picture of a given selection of data. The goal of ILM is to keep records updated with the most recent and accurate information available, whereas DLM focuses on the existence of the records themselves.

Data lifecycle management versus information lifecycle management

It’s important to know that DLM and ILM are separate processes, but you can’t have one without the other.

  • DLM moderates the flow of data as it moves through the stages of creation, storage, use, sharing, archiving and destruction to ultimately determine its useful lifespan.
  • ILM goes a bit deeper within the data to ensure that, for the duration of its useful life, every piece is accurate, relevant, and provides value to a business’s daily operations.

The distinction between the two is becoming clearer as stricter data privacy regulations come into play. For example, the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, guarantees data subjects the right to be forgotten. Customers can request that a company erase their information and provide proof. DLM alone would not be enough to cover this request, as only general information about a file would be available; a more in-depth understanding of the file’s contents is required. ILM completes this process, provided the right tools are in place to locate an individual customer’s personal data across the enterprise.

Modernize data and information lifecycle management with purposeful processing

Purposeful processing tools can enhance each of the data lifecycle’s six stages by consistently searching for, classifying, and reporting data as it flows and rests within your organization. Processing provides clear visibility into the different types of data you possess so you know which policies must be implemented to keep it private and secure, and which privacy regulations must be complied with.

Stage 1: Data creation

There are several ways that personally identifiable information (PII) can be created within your organization and even more ways it can exist. You can gather it internally, acquire it from third parties or collect it as it streams from apps. It can exist in Word documents, Excel spreadsheets, PDFs, emails, texts, images, and much more. Regardless of how it’s created or exists within your organization, you need to know PII is there, as your DLM and ILM practices are responsible for keeping it organized and protected as it’s used in business operations.

Purposeful Processing Solution: Sensitive data discovery

To ensure your DLM and ILM practices can achieve this, turn to sensitive data discovery. This tool will automatically and accurately locate any data anywhere across your enterprise — from emails to endpoints — to reduce your data footprint and maintain tighter security controls.

Stage 2: Data storage

Departments across organizations access data for a variety of purposes, and as a result, the same data ends up residing in multiple locations across the enterprise, some of which may not be as secure as they should be. This increases the risk of data exposure and compounds the challenge of complying with privacy regulations.

Purposeful Processing Solution: Persistent data classification

To keep up with increased data privacy laws, organizations can enhance their DLM and ILM systems to include automated data classification. This technology will persistently tag incoming data according to the compliance regulations it’s subject to. For example, once credit card information has been identified, it will be tagged to meet all PCI DSS compliance rules. This ensures that each piece of data is properly processed in the next stages of the data lifecycle.
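
The discovery step from Stage 1 and the tagging step described above, as an added example (not Spirion's code and not part of the original post): candidate card numbers are confirmed with a Luhn checksum before being tagged PCI DSS, so look-alike digit runs are not misclassified. The patterns, the "PII" tag name, the function names and the sample documents are assumptions constructed for illustration.

```python
import re

# Candidate detectors. Patterns and tag names are assumptions for this sketch.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep the last four characters so the report is not a new copy of the data."""
    return "*" * (len(value) - 4) + value[-4:]

def classify(text: str) -> dict:
    """Return the compliance tags for one document plus masked findings."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("PCI DSS", "card_number", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("PII", "ssn", mask(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(("PII", "email", mask(m.group())))
    return {"tags": sorted({tag for tag, _, _ in findings}), "findings": findings}

# Constructed sample documents (not real data); 4111 1111 1111 1111 is a test number.
SAMPLE_DOCS = {
    "invoice.txt": "Paid with card 4111 1111 1111 1111 by jane.doe@example.com",
    "hr_note.txt": "Employee SSN on file: 123-45-6789",
    "shipping.txt": "Tracking reference 1234567890123456, no customer data",
}

def scan(docs: dict) -> dict:
    """Classify every document; the result is what a tagging step would persist."""
    return {name: classify(body) for name, body in docs.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_DOCS).items():
        print(name, result["tags"], result["findings"])
```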

Stage 3: Data use

A common way organizations use existing consumer data beyond the initial transaction is to conduct buying-behavior analysis. This gives companies insight that fuels their marketing campaigns. However, while this was a common process in the past, today’s data privacy laws give consumers more control over how their data is used, and they often don’t want that use to be for marketing purposes.

Purposeful Processing Solution: Locate consumer’s data

Under compliance regulations like the CCPA and GDPR, consumers can request that companies delete their personal information entirely. To ensure DLM and ILM systems support this new compliance rule, organizations must set up a sensitive data discovery process that can rapidly locate an individual consumer’s personal data across the enterprise, so it can be deleted or otherwise handled upon request.

Stage 4: Data sharing

Along with widespread sharing internally, personal data can also be made available to people outside of an organization’s system, such as an invoice that uses customer data as a matter of record. The more people who share data via unofficial methods, the higher the risks of noncompliance with data privacy governance and potential data breaches.

Purposeful Processing Solution: Execute differential privacy

Because customer data is so valuable for marketing, many companies are reluctant to stop using it. As a fix, they’ve created a new practice called “differential privacy” to make personal data anonymous, so they can retain the business value of data without increasing their privacy risks. The practice involves removing all identifiable personal data, like names, addresses, social security numbers and credit card information. To successfully execute differential privacy, companies must ensure that they find all customers’ personal data in their possession so identifying characteristics can be removed before the data is shared. Thus, DLM and ILM systems must be updated to include an automated data discovery tool that accurately locates all PII across an enterprise.

Stage 5: Data archiving

After a customer’s data is used in a transaction, it often has to be retained for a period of time for a variety of reasons, such as legal, fiscal, research or historical value. Most companies maintain data archives where data can only be accessed by assigned parties.

Purposeful Processing Solution: Maintain access controls

DLM and ILM systems require organizations to install strict access controls defining who can access sensitive data based on its classified tag(s), under what circumstances, and when. This restricts unauthorized access, thereby supporting data security and upholding compliance.

Stage 6: Data destruction

Along with managing the first five stages of the data lifecycle, organizations must be in compliance with data remediation rules. When an individual requests to have their data removed, all of their PII must be permanently destroyed. In addition, when data no longer fulfills a purpose within a company, it should be destroyed.

Purposeful Processing Solution: Discover all PII

To ensure this critical data remediation step is executed within DLM and ILM systems, organizations first must be aware of every instance of an individual’s PII within their digital infrastructures. An advanced automated data discovery application ensures this step is completed with utmost accuracy.

Let Spirion bolster your lifecycle management processes

No business exists solely to process personal data. They process personal data to be in business and power other operations. With today’s more rigorous data privacy laws, organizations also need to be in the business of protecting that data. This means rethinking their traditional DLM and ILM processes to bring them in sync with modern regulations. Using purposeful processing practices, like sensitive data discovery and data classification, to implement differential privacy and strict access controls meets these objectives.

Spirion’s Sensitive Data Platform automates sensitive data discovery and classification to ensure your DLM and ILM practices comply with data privacy laws, even as they become increasingly strict. To see our platform in action, watch a free demo here.