With all of the sensitive data that can be taking in even through routine business procedures, such as processing payment or onboarding a new employee, it is imperative that businesses have a plan in place to manage how that data is stored and which members of the organization have access to those files. The best way to do this is to create a policy for who should have access to this information, who is responsible for updating it, and of course creating a backup policy so that files are not lost. An auditing system should be in place as well to ensure that employees are adhering to these company rules, and in many cases regulations that may be in place as well.
Like many vital business prerogatives, it all starts with creating the plan and assigning responsibilities. You may want to have the head of IT managing data, but she will also need to consult with other business leaders such as the CEO, the Director of Sales, and Human Resources - there may be more or fewer leaders in the organization to work with depending on the size of the company, but a good rule of thumb is to have the person in charge of any group that collects any data that needs to be regulated. Once everyone agrees who should be responsible for what, it is important to see where any opportunities for improvement exist - sensitive data that is located on public drives should be moved to private storage immediately, for example.
Once you have identified who manages what, and what the plan will be moving forward, the risk that data can be lost, stolen, or comprised needs to be reviewed. It is never desirable when data is lost or destroyed, but by understanding how often it happens you can predict future data losses and breaches as well as understand what policies need to be altered. For example, let’s say that the Sales team loses 1 out of every 50 contracts. These contracts have the signature of the End Customer and some pricing information. Depending on the organization, this can either be a nuisance (just ask the customer to sign it again) or catastrophic (A Real Estate Agent that just lost a customer’s Social Security Number, Banking information, and more), and penalties should be adjusted accordingly for failing to keep data in check. You can also identify why the data gets lost - the Real Estate Agent above might have no issues with data loss if they could transmit everything electronically, for example - and make improvements from there. The purposes of these tasks isn't to forgive negligence (if the employee just isn't paying attention to things disciplinary action needs to be part of the conversation), but if you can remove the risk from the equation then things are all the better for everyone involved.
The final stage, of course, is to let your plan run and engage in course correction as needed. Just like any other key element to the business, it is paramount that the company remains agile in maintaining the core standards regarding data governance, and keeping the data of clients, employees, and anyone else who winds up in a database protected to prevent the PR nightmare that would be a breach along the lines of the Target breach in Winter 2013. To properly course correct, the person in charge of monitoring the complete data governance policy should review any instances that occur, and utilize any monitoring tools that exist to ensure that breaches and data losses are minimized to prevent damage to the organization. Of course, if it is possible have a second set of eyes monitoring these tools, if for no other reason than to avoid having a single point of failure.
Alejandro
