Data Lifecycle

Data must be protected at all stages of its lifecycle, from its generation until its disposal.

This includes:

  • Generation: data creation (from another system or customer)
  • Processing
  • Storage
  • Retention: keep the data for a certain length of time
  • Disposition: orderly, planned process of handling data that may still have use
  • Disposal: destruction, removal, or transfer to another organization (archive etc)

Protection requirements for the data may change over its lifecycle: not everything needs to be protected at all times.

Requirements are country dependent. There may be legal requirements such as:

  • User consent
    • Collection
    • Marketing
  • Allowed uses of data (only collecting data that we need)
    • Sharing
    • Third-parties (terms)
  • Data accuracy: responsibility to keep data accurate and up to date as much as possible
  • Data retention: how long we keep the data, and why, and how to keep it safe
    • Right to be forgotten

Data Misuse and Abuse Risks

What are the ways that data could be misused?

  • Improper use by an employee
  • Hacker stealing it

A list of threats and risks must be created.

Other issues:

  • Data aggregation: data that are not sensitive or personal in isolation can become sensitive once aggregated
  • Data inference: deriving new information about a person from observed data (marketing learns about people’s behaviour from when, how and what they buy, for example)
  • Unauthorized access
    • Ransomware
  • Improper changes: data can’t be trusted anymore because we are being provided wrong information (could be a liability in a financial report, for example)

Data Anonymization/De-Anonymization

  • (Pseudo-)Randomization: substitutes one value for another so that the original is not easily identifiable (obfuscation)
  • Tokenization: an identification number (token) associated with a user; only a few people know the mapping between token and user
  • Masking: data masked during input (password) or output (credit card numbers partially masked)
  • Encryption: for safe storage and transmission of data
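As an added example (not part of the original notes), the following Python sketch shows three of the techniques listed above side by side: tokenization with a separately kept vault, keyed pseudonymization with HMAC (a deterministic substitution that still lets records be joined but is not reversible without the key), and output masking of a card number. The class and function names, the token format and the sample values are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Tokenization: replace a sensitive value with a random token and keep
    the token-to-value mapping in a vault that is protected separately.
    The token itself carries no information about the original value.
    (Hypothetical helper written for this example.)"""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so the same value always maps to one token.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # constructed token format
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only code with access to the vault can recover the original value.
        return self._token_to_value[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonymization: same input and key give the same pseudonym,
    so datasets can still be linked, but without the key the pseudonym
    cannot be reversed or recomputed from guesses."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def mask_card_number(pan: str) -> str:
    """Output masking: keep only the last four digits visible."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"          # constructed sample value
    token = vault.tokenize(card)
    print("token stored in the application:", token)
    print("value recovered from the vault:", vault.detokenize(token))
    print("masked for display:", mask_card_number(card))
    key = secrets.token_bytes(32)         # constructed key, would live in a KMS
    print("pseudonym:", pseudonymize("alice@example.com", key))
```

The design point is that each technique trades something different: the vault is reversible but becomes a single high-value target that must itself be protected; the HMAC pseudonym needs no lookup table but is only as strong as the secrecy of the key; masking destroys the information it hides and is meant for display, not storage.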