Survey: Many execs don’t know what data is sensitive

IT pros often fault users and company management for failing to protect sensitive data. But one reason that’s such a problem could be that those folks don’t know what data they’re supposed to protect. 

Companies are collecting a lot more data than ever before. One unfortunate side effect of that: Many businesses are struggling with properly classifying that information, according to a recent survey from consulting firm Protiviti.

Much of the new data that’s being accumulated is information about customers and clients, including personally identifiable information — and Protiviti found that many organizations are keeping more information than they need and are hanging onto it for longer than is necessary.

One problem: Many organizations fail to distinguish between different types of data and change their retention plans accordingly. While 81% of businesses have a record retention and destruction plan in place, just 29% said they have a “detailed” classification system to define data and create varying retention policies, according to the survey of 100 IT leaders. Another 34% have a “basic” classification system, and nearly 30% keep all data for the same amount of time.

In addition, business leaders outside of IT don’t always understand what data should be considered sensitive — 23% of respondents said their company’s management has “little or no understanding” of the difference between sensitive information and other data. Conversely, just 26% said management has an “excellent” understanding of the difference.

That can cause problems when other departments are left to make decisions about what data to keep — for example, employees in the marketing department may keep copies of databases with customer information, not knowing what data in there should be considered sensitive.

IT managers can help by educating other department leaders about how different types of data should be classified. Also, data retention policies can be created by working with those managers to find out what information they need and for how long they need to keep it.