The SITCAR Model: Privacy in Content
Taking control of Enterprise Data Privacy for Documents, Records and Emails
One of the most critical repositories of PII (Personally Identifiable Information) at your organization are your content servers, email servers, and line of business systems. However, these systems are often ignored by privacy professionals in exchange for data-specific systems like a Sales CRM, Marketing Database, or Cellphone App. This doesn’t give the whole picture.
These systems absolutely contain private information, and lots of it. Information like Name, Phone Number, Email address, Location, and more. That information is GDPR and CCPA relevant and constitutes risk to your organization.
However, compared with your Content Repositories, that risk is small. In our experience, the highest risk PII for most organization reside in Documents, Email, and other forms of Content. It resides in unstructured data.
Consider, for example, the documents that your company stores in your HR document repository. That repository contains very private health information, employment status, background investigation results, income, Social Security numbers, HR issues, citizenship status, Life insurance information, performance status, and more.
And your HR system is not unique in this respect. Consider the private information stored in your contracts system. Consider the Intellectual Property and other forms of private information passed between your employees and clients by email.
It’s essential to take a quality, not quantity, approach when developing a Privacy Strategy at your organization. In our experience, when it comes to sensitivity for most organizations, content reigns supreme.
Secure, Identify, Tag, Control, Audit, Remove
When dealing with PII in Content, the strategy required is slightly different from dealing with PII in Data.
Feith Systems developed The SITCAR Model for privacy control and compliance projects. The model defines the six major steps and concerns when dealing with privacy in content systems, and clarifies how Feith Systems uses our software to help clients solve the privacy in content problem.
Security should always come first. Other steps in privacy control mean very little absent adequate security. This means the steps we’ve come to know, like Encryption in Motion and at Rest, and using Alerts to notify of unusual downloading or viewing behavior.
It also means steps that not all organizations have adopted, like ensuring that your Content Repositories vendors undergo adequate code review, threat modeling, and can ensure Data Integrity.
PII that you don’t know that you have, that you have not identified, can constitute a major risk. If you don’t know that you have it, it will be hard to control. Taking inventory of your systems and the PII therein is key.
Data Discovery technologies, like Feith’s, can help you determine where to focus your energy, and can help you with Data minimization / ROT reduction before you begin tagging that data.
Feith uses our Auto-Categorizer engine for this step, helping us identify basic structured information like Phone Numbers, SSNs, as well as more complicated unstructured PII by identifying records by type (e.g. Background Investigations, Income Documents).
After you’ve identified the relevant content, the next step is to Tag it. Tagging the PII with Metadata values allows us to deal with it programmatically. Without tags, all PII would need to be dealt with manually. Those tags can include the sensitivity level of the information, the nationality of the data subject, or the category of information.
Having tagged the content makes it possible to control and secure it. Feith builds roles with access to only certain tags. A kind of Security Keyword profile. So, for example, you may want to limit documents tagged EU Data Subject to employees in the EU — by building a profile with access to that keyword, you can control that PII.
Auditing is made up of a few different parts:
- Provable data integrity and data accuracy
- Tracking employee access and actions
- The ability to respond to data requests
- The ability to document compliance
Last but not least is the ability to remove the PII. For Feith, this means being able to handle Data Retention and Records Management. It also means being able to Securely and Automatically Redact information, which makes it possible to keep up with Data Subject Right to Forget requests.
Much of the information that you collect about your clients, partners and employees constitute PII. Not only are there laws and regulations that define how you control and manage that information, but that PII can also constitute a legal risk to you. PII, or Private Identifiable Information, that is leaked in a breach or inappropriately maintained can come with large fines or damage to your brand.
Feith’s SITCAR model can help you take control of PII in your content. If you’re interested in learning more about how Feith Systems has helped organizations like yours deal with Privacy in their Content, reach out today.