Why Data Assessment?
Data assessment should be the first step towards building or refining your data infrastructure. Some of the basic questions that need to be answered regarding the nature of the data that you intend to use for business are as follows:
- How many sources/versions are there?
- Can I trust the quality of the data?
- How much data is missing?
- How is it distributed? Structured, Unstructured?
- Does it have geospatial attributes?
- Can we extract a smaller sub-set to meet our needs?
The answers to these questions will lead to a broader understanding towards quantitative as well as qualitative nature of the data assets. A simple 3-step process will help you to handle your data – 1. Data Inventory 2. Data Classification 3. Periodic Data Reassessments
Step 1: Data Inventory
Determine the type of data you store.
- Personally Identifiable Information: Often referred to as PII, this information may include such things as first and last names, home or business addresses, email addresses, credit card, and bank account numbers, taxpayer identification numbers, medical records and Social Security numbers. It also may include gender, age, date of birth, city of birth or residence, driver’s license number, and phone numbers.
- Customer information: This may include payment information such as payment card numbers and verification codes, billing and shipping addresses, email addresses, phone numbers, and purchasing history, among other data.
- Intellectual property: This may include proprietary and sensitive business information such as financial records, product designs, human resource records, and internal correspondence and reports. It also can include the intellectual property of others with whom you have a business relationship, including customers and vendors.
Step 2: Data Classification
Classify the data and establish access privileges based on type and level of confidentiality.
- Restricted (highly sensitive): This classification applies to the most sensitive business information intended strictly for use within your company. Its unauthorized disclosure could harm your company, business partners, vendors and/or customers in the short and long term.
- Confidential (sensitive): This classification applies to information about or belonging to customers, employees, and information that your company is obligated to protect. This can also apply to information about your own company.
- Internal use only: This classification applies to sensitive information that is generally accessible by a wide internal audience and is intended for use only within your company. While its unauthorized disclosure to outsiders should be against policy and may be harmful to your company, the unlawful disclosure of the information is generally not expected to impact your company, employees, business partners, vendors and the like.
- Public (general): Information that is generally available or is intended for distribution outside your company.
Step 3: Periodic Data Reassessments
Periodically reassess the classification of the data and who has permission to access it. An information retention policy should include guidance on what types of information should be retained, how long it should be retained and procedures for disposing or destruction of unneeded data. Audit all data and information that you store to be sure it is classified properly, and to determine if unneeded data may be destroyed.