5 Questions Organizations Should Ask Themselves Before Collecting Data

Today’s organizations collect an astonishing amount of data. They collect personal data, such as names, IP addresses, demographic information, and even Social Security numbers. They collect financial data, such as credit card information, bank account numbers, or digital wallet IDs. They collect usage and behavioral data, such as browsing habits, purchase history, and how long visitors linger on certain pages. Depending on the industry, some may track health and medical data, too. All this data has value — not just to the organizations themselves, but to the cybercriminals constantly seeking to acquire it.

Both the frequency and the severity of data breaches have increased significantly in recent years as attackers seek to get their hands on any data they can. The more data an organization collects, the bigger the target on their back. Of course, some level of data collection is unavoidable — it’s essential for organizations to do business today — but it’s important to approach it in an intentional and carefully considered way. Organizations should ask themselves a series of questions to better gauge whether the data they plan to collect is worth the risk.

Question #1: What data are we collecting?

This may seem simple, but you might be surprised how many organizations fail to ask themselves this question. Organizational leaders need to know what data is being collected –not just for logistical reasons, but for compliance-related reasons as well. Certain types of data have specific rules and regulations regarding how it must be handled, and if IT, compliance, and leadership personnel aren’t aware that data is being collected, the organization could be at risk of significant fines or other penalties. At the very least, most businesses collect some degree of personal data and payment information, but it’s important to know for sure.

Question #2: Is this data necessary for us to collect?

The rise of APIs means systems and applications are more connected than ever. To keep those APIs up and running, most businesses are collecting as much information as possible and analyzing it after the fact. That might work from an operational standpoint, but it leaves the organization in a precarious position from a data security perspective. If data isn’t being used for a specific purpose, it is effectively an albatross for the organization: protecting it requires energy and resources for little or no tangible gain. Rather than collect unnecessary information that will only serve to entice attackers, organizations should analyze the minimum amount of data they need to keep their essential services functional.

Question #3: Where is this data going?

Knowing where data is being stored—and who has access to it—is critical. Is it stored locally or in the cloud? Are there any third parties that have access to it, such as vendors or SaaS partners? If so, have their security capabilities been vetted? A recent study showed that more than half of organizations have suffered a breach caused by a third-party vendor within the previous 12 months, underscoring the importance of understanding where the data is going. And depending on where data is stored, different standards — such as SOC 2 — likely apply.

Question #4: Do we need consent from the subjects to collect this data?

As data privacy regulations gain traction across the globe, understanding when and where consent applies is critical. Organizations that fail to acquire the proper consent may find themselves staring down the barrel of costly GDPR or CCPA violations. If an organization is going to collect data, it needs to first understand the regulations that govern how it is collected — and adhere to them.

Question #5: How long should we retain this data for?

Certain industries have data retention requirements that govern how long or short the storage duration needs to be. A healthcare organization, for example, might be required to store and protect medical information for a long time. On the other hand, some industries have data deletion requirements, with certain data that needs to be disposed of after a certain period. Failure to adhere to these requirements doesn’t just expose organizations to attacker actions, but may make them subject to regulatory penalties, as well.

Approach Data Collection with a Plan

For most organizations today, collecting data is just part of doing business. But there are a wide range of considerations to be take into account when doing so, including how that data will be stored, how it will be protected, and whether you have the right to collect it in the first place. Rather than scrambling to address problems as they arise, organizations should analyze their specific data collection needs and approach the process with a carefully considered plan. If you can’t answer the five questions above before you start collecting data, it might be time to take a step back and consider them more closely.