Martin McGregor

How to build a strong foundation for privacy protection

There is no denying that public discussion around data breaches and privacy violations is becoming more commonplace.

And, in the face of these breaches and violations, consumers are growing increasingly concerned about their privacy and the protection of their personal data.  

What's clear is that organisations not only need to have a comprehensive privacy protection framework, but they also need to gain consumer trust. 

Privacy Awareness Week reminded us about getting back to basics, but before getting back to the basics, organisations first need to ensure they have a strong foundation for privacy protection.  

From limiting the amount of data your business collects to having a clear monitoring and alerting system, taking the right steps from the beginning can make all the difference when it comes to protecting your customers. 

In this article, I share the key fundamental steps organisations should take to build a strong foundation for privacy protection. 

1. Broaden the definition of what is considered Personally Identifiable Information (PII)

Businesses need to broaden their definition of what constitutes personally identifiable information (PII) and enforce this standard throughout their organisation.  

Only considering usernames, email addresses, or identification documents as PII is a narrow-minded way of looking at privacy and the data that needs protecting. Businesses often collect more data than they need, but often only focus on protecting what is strictly defined as PII, which puts their customers at risk.  

To mitigate this risk, businesses need to be specific about the data they collect, understand why they are collecting the data and consider the sensitivity of the information and what impact it would have on the individual if the information were accessed by the wrong people.  

For instance, consider the Red Cross Blood Service data breach that occurred in 2016. The cybercriminals accessed names and addresses, but also responses to the blood donation questionnaire, which included information about people's health, lifestyle, sexual history, alcohol consumption, and more. This information is far more sensitive than a phone number or email address and therefore needs greater protection.  

As a community and as businesses, we need to reconsider and redevelop how we think about privacy. It's not just about the raw definitions of PII, but all the information gathered on customers and what it would mean if the wrong person accessed that data with malicious intent.  

Along with broadening the net on what falls under the umbrella of sensitive data, it's time to limit the amount of data collected. 

2. Know everywhere in your environment where sensitive data is stored 

A fundamental principle of managing sensitive data is knowing where it is. Without knowing and understanding everywhere in your environment where it exists, you cannot effectively manage privacy or access to it.  

Sure, this sounds straightforward, but there are many instances of breaches occurring because criminals gained access to data from unexpected resources including backups.  

I have seen many businesses make this mistake and not understand where customer data is stored, backed up or moved around their organisation. It is not only vital to consider everywhere this data could be stored, but also who has access to it. For example, does the information exist in a testing or development environment, does sales or marketing have access to it? Does the business intelligence (BI) function in your company have its own data repository where this information is pulled from?  

Too often, I observe businesses making the mistake of solely focusing on protecting the main production database. While this level of protection is why we don't frequently witness breaches in these systems, protecting the main database alone will not suffice. Neglecting other servers and systems leaves your organisation vulnerable.

You cannot establish policies or structures for managing your customers' privacy and meeting your legal obligations until you first understand everywhere this data exists. You also cannot remove or update customer data effectively if you don't know where it is.

You do not want to be in a situation where the business assumes an individual's data is removed because it was taken out of the main database. The same applies to updating information.  

Companies need to broaden their thinking about the storage of sensitive information and have a map of where it is stored.  

Once you establish everywhere in your environment customer data is stored, you can manage and protect it properly.  

Importantly, if you don't know every location where this data exists, how can you monitor access, particularly unauthorised access to it? 

3. Categorise PII 

Only once your business identifies where the sensitive data is stored can you establish and enforce the right policies to protect it.  

And because we don’t have unlimited resources, the pragmatic approach starts with categorising.  

Proper classification allows everyone in the business to identify what type of protection is needed for the distinct types of data. This will also help define who needs access to the information, based on their role and what they need to achieve. 

Along with identifying which employees need access to the different types of data, businesses must create a process to ensure access is regularly reviewed.  

A business should have a classification system that includes at least four categories: confidential, restricted, standard, and public:  


Confidential data, which includes credit card details and biometrics, is highly sensitive and should only be accessed by authorised individuals. If this data is accessed by the wrong people, there are typically legal or regulatory implications and severe consequences for the customer.  

This sensitive information should be off limits and never transferred outside the organisation unless required by law. It's also important to limit retention and remove data when it is no longer needed.   

It’s important to review why you even need this data in the first place and try to find ways of operating without it entirely or keeping it offline completely (and by offline, I don’t mean online but behind a firewall). 


Restricted data includes classic PII details. While businesses will still need to establish an audit trail and restrict access, they can have a more flexible policy with this information, knowing it is separated from the most sensitive data.  

As with confidential data, it's important to ensure only authorised users have access to this information, the data is stored safely, and it is never retained for longer than necessary.


Standard data refers to internal business documents that need to be available to employees but not the public. For example, business plans and other intellectual property that might require an NDA. 


Public data is any information that can be shared outside the business without any risk. This may include company policies, your mission statement, protection and service details, funding, or marketing material — anything that is not deemed sensitive about your business or customers.

Based on the classification, your business can implement mechanisms to protect data effectively. Confidential data requires in-depth security and audit processes, making it more expensive to protect. Restricted data has a lower impact on customers, and you can enforce slightly less stringent policies that are more cost-effective. Protecting internal data allows for more flexibility and cost savings, and public data is generally openly available and requires no effort or expenditure to protect access to it.

4. Don't be blind, have eyes on sensitive data 

A responsible organisation is an organisation that monitors its data to manage the impact of unauthorised access.  

Without monitoring, you do not have control over who is accessing your customers' data or what they're doing with it. You never want to be in a situation where a customer is blackmailed or suffers harm due to a data breach, alerts the authorities, and the authorities then contact you when you have no knowledge of the breach.

Likewise, the worst way to find out about a data breach is through criminals telling an organisation they have stolen data and are holding it for ransom.  

Both of these situations mean the company is on the back foot and demonstrate that it has no visibility of data being accessed by unauthorised parties. This leaves customers in the most vulnerable situation and means the company could not minimise the harm to them or the impact on their lives.

It is critical to be on the front foot and monitor access to sensitive data. A key element of establishing monitoring systems and an audit trail of activity is knowing what normal operations look like and how often restricted information is accessed. This information is critical because monitoring systems can then raise an alarm if the amount of data accessed doubles or triples or if something else unusual happens. These alarms can help detect and minimise the impact of unauthorised access.  

If your system detects unauthorised access, you can immediately alert authorities and work with them to manage and minimise the impact on customers. This gives your business time to understand what is happening and gives you time to prepare how you will communicate with your customers and the media.  

It gives you time to be in control of the situation.  

Detecting and minimising the impact of unauthorised access requires being on the front foot, having visibility, and knowing what normal operations look like. Alarms are what give your security team the ability to act. 
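The baseline-and-alarm idea described above, sketched as an added example that is not part of the original article. The audit rows are constructed, and the principal names, the median baseline and the 2x threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed audit-trail rows for a "restricted" data store:
# (date, principal, records_read). Names and volumes are made up.
AUDIT = [
    ("2024-05-01", "svc-billing", 120), ("2024-05-01", "analyst-amy", 40),
    ("2024-05-02", "svc-billing", 130), ("2024-05-02", "analyst-amy", 35),
    ("2024-05-03", "svc-billing", 110), ("2024-05-03", "analyst-amy", 45),
    ("2024-05-04", "svc-billing", 125), ("2024-05-04", "analyst-amy", 120),
    ("2024-05-04", "tmp-contractor", 15),
]

def daily_totals(rows):
    """Sum records read per principal per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, who, count in rows:
        totals[who][day] += count
    return totals

def build_baseline(rows, baseline_days):
    """Median daily volume per principal over the days treated as normal operations."""
    totals = daily_totals(r for r in rows if r[0] in baseline_days)
    return {who: median(days.values()) for who, days in totals.items()}

def find_alerts(rows, baseline, check_days, factor=2.0):
    """Return (day, principal, volume, reason) for volume spikes and unknown accessors."""
    alerts = []
    totals = daily_totals(r for r in rows if r[0] in check_days)
    for who, days in sorted(totals.items()):
        for day, volume in sorted(days.items()):
            if who not in baseline:
                # Access by someone never seen during normal operations.
                alerts.append((day, who, volume, "no baseline for this principal"))
                continue
            normal = max(baseline[who], 1)  # avoid dividing by a zero baseline
            if volume >= factor * normal:
                alerts.append((day, who, volume, f"{volume / normal:.1f}x normal volume"))
    return alerts

BASELINE = build_baseline(AUDIT, {"2024-05-01", "2024-05-02", "2024-05-03"})
ALERTS = find_alerts(AUDIT, BASELINE, {"2024-05-04"})

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

In practice the baseline window should be long enough to cover weekly and month-end cycles, otherwise routine batch jobs will trip the threshold.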

In my opinion, if your business is accessible from the Internet and you hold sensitive data, it is irresponsible not to monitor that access. If you don't have the capacity to monitor access, ensure you follow my other advice in this article and work towards adopting such a capability as soon as it is feasible to do so.

5. Third-party does not mean outsourced responsibility 

In today's threat landscape, many companies turn to third-party providers to handle sensitive data in an effort to simplify compliance processes.  

The benefit of a third party handling your sensitive data is that they can focus on securing it to a greater degree than is practical or feasible for your business. Their entire business model may indeed be based on that concept.

While this is acceptable, what is not acceptable is the misconception businesses can shift the responsibility entirely to these third parties and absolve themselves of compliance and customer obligations.  

One significant indicator of this misconception is public perception. When customers engage with a company and provide personal or sensitive data, they perceive the organisation as ultimately responsible for safeguarding that information. Even if the fine print of contracts or user agreements specifies third parties are involved in data storage, customers hold the primary organisation accountable. This perception becomes apparent when a breach occurs and the company tries to deflect blame onto the third-party provider, which only results in customer dissatisfaction and potential legal consequences.  

Regulatory bodies also refuse to accept the notion businesses can evade responsibility by relying on third parties. Numerous cases have seen organisations face penalties around the world despite outsourcing data storage to third-party entities. This reinforces the need for businesses to take proactive measures to mitigate risks associated with third-party relationships.  

To start, the business must ensure the third party's security standards and processes for managing and protecting data align with their own and industry standards. Businesses must have a comprehensive understanding of how external partners handle and protect sensitive information.  

It is also essential to ensure the security protocols implemented internally can be upheld by the third-party provider.  

Regardless of claims made by the third-party provider about their security measures, the business must recognise the significance of actively managing the relationship as an integral part of its overall data storage strategy. These providers should be clearly identified on the company's sensitive data map, along with internal systems.

By acknowledging the importance of maintaining accountability and proactively managing third-party relationships, businesses can strengthen data security, build trust with customers, and mitigate the potential risks associated with outsourcing data storage.  

There are also some key steps businesses should take to avoid potential breaches. Selective sharing of data, such as allowing only non-confidential information to be transmitted to certain partners, can help minimise risk. However, if restricted data must be shared, companies should establish means of monitoring and receiving alerts regarding its handling.  

Monitoring also becomes crucial in ensuring any security incidents or data leaks are promptly detected. Companies should establish mechanisms to receive alerts if a third party experiences a breach, enabling them to respond effectively and minimise the impact.

Get your organisation's privacy policy right from the start 

By prioritising privacy protection from the outset, your organisation can build trust, comply with regulations, and minimise the risks associated with data breaches.  

Building a strong foundation for privacy protection requires a holistic approach that encompasses comprehensive knowledge of data storage and the above-mentioned steps. 

By prioritising these fundamental steps, you can enhance data security, regain consumer trust, and effectively navigate the evolving landscape of privacy and data protection.  

Importantly, establishing a strong foundation for privacy protection sets the stage for responsible data management and safeguards both your customers and the reputation of your business.  

Throughout my profession, I spent years and countless conversations trying to convince businesses, particularly those who generate revenue from online services, that taking data security and privacy seriously will give them a competitive advantage—especially when I observed consumer confidence diminish when posting or transacting online. 

However, I believe the tide is changing, and the businesses that fail to prioritise data security and privacy simply will not be able to compete with those that do. 
