Data protection fundamentals that organizations need to get right


More than 2.5 quintillion bytes of data are generated every single day. It may not be tangible in the conventional sense, but its sheer volume and sensitivity make it one of the most crucial assets of our time – an asset that needs safeguarding like any other.

It is becoming increasingly important for companies to ensure that the data generated and held by their organization is protected. Not only does a failure to do so adequately come with significant reputational risk and associated costs, but it also contravenes one of the basic human rights: the right to privacy.

About the author

Lesley Holmes is Data Protection Officer at MHR.

So, how do organizations go about implementing clear, robust and effective data protection strategies? At MHR, we believe there are three points, or ‘pillars’, of data protection that must be covered. While two aspects – privacy and security – commonly form part of any organization's approach to data protection, there is also a third component – information governance – which underpins both of these and should form the foundation of any effective data protection strategy.


Privacy

The human right to a private life is enshrined in the Human Rights Act, a sentiment that has been reiterated in European and UK law. This means that organizations are both morally and legally obligated to make privacy a priority when it comes to protecting individuals’ data. From a legal perspective, personal data, meaning data that relates to any individual, needs to be used for the purpose for which it was collected and processed on a lawful basis that the individual knows about and understands.

Your data, and data created about you, can be built into a profile that can be used for a variety of purposes, not all of which you would necessarily agree to. The collection or development of data about you therefore needs to be carefully considered for its proportionality to the purposes for which it is being processed. An example would be a request for your inside leg measurement. If a tailor making trousers for you asks for it, then it is perfectly reasonable. If it is a hotel receptionist, then most would query its relevance.


Security

It is impossible to guarantee data privacy, and to ensure data is being used in the correct way, if the security is not in place to prevent unwanted third parties from gaining access to it. Particularly in a work environment where hybrid working is common, and people are increasingly working in a digital environment, it is essential that appropriate security measures are in place to protect the data being shared.

Measures can vary in complexity and scope, from a simple password-protected document to a full-blown data center with secure access controls, robust firewalls and activity and intrusion monitoring. Even with all the right intentions, data protection can’t be assured without the physical mechanisms in place to make sure access to the organization's information is restricted.

Wherever possible, organizations should introduce mechanisms such as multi-factor authentication and user behavior analytics to provide an added layer of security over their data.

Information governance

Information governance is the structure and process of managing information, data and documents. Given the volume of data any particular organization will be dealing with at any point in time, the need for a structured approach to the management of information is critical.

The ‘ownership’ of information categories ensures that someone determines the level of sensitivity, the retention period, where it is stored and how it can be shared. However, having an owner for your information categories is not enough. Once you have an owner you need a way to let everyone know what needs to be done to manage that information or data – aligning company processes and promoting a synchronized approach to data protection across the whole organization.

This third, and fundamental, pillar of information governance should be at the heart of data protection in any organization. If businesses neglect this third pillar, and don’t implement a structured and streamlined approach to the management of information throughout their organization, the other two pillars can easily fail or, at the very least, become very costly to manage.

One of these pillars alone is not enough; it is only when all three are in place that data protection can be properly upheld. With an effective strategy and all of these measures considered, businesses can confidently leverage their data to enhance their operations and boost growth.
