World Privacy Day, observed annually on January 28th, serves as a reminder of the importance of protecting personal data in today’s digital age. As technology advances and more personal information is shared online, individuals and organizations must take steps to safeguard their data.

New regulations, such as DORA (the Digital Operational Resilience Act), mandate that organizations create plans for risk management, incident reporting, and resilience testing. These regulations outline policies for data management, including encryption, data locality, and data lifecycles. Gartner projects, “by 2023, 65% of the world’s population will have its personal data covered under various privacy regulations, and companies need flexible solutions that can adapt to the multitude of legislation.” Navigating this complex environment can be challenging for both individuals and companies.

Data Privacy is the practice of protecting personal information and giving individuals control over how their data is collected, used, and stored. Data protection, on the other hand, refers to the technical and organizational measures put in place to protect data (including personal data) from unauthorized access, use, alteration, or destruction. Data protection encompasses Data Privacy as well as other areas, including backup & recovery, disaster recovery, and data security.

To help address that complexity, let’s spend some time reviewing the Top 10 topics to consider when managing Data Privacy and Data Protection.
1. Data Protection Strategy
2. Encryption
3. Multi-Person Authentication
4. Immutable Storage
5. Data Sovereignty
6. Data Governance & Discovery
7. Classification of data
8. Data Retention
9. Resilience plan testing & incident response
10. Risk Assessment

1. Data Protection Strategy

Organizations should start by creating or updating a Data Privacy, Backup & Recovery, and Disaster Recovery plan as part of an overall data protection strategy. A reliable data protection plan has many facets, and each of them should be tied back to how it protects the private data your customers have shared with your organization.

2. Encryption

Encryption is a crucial feature of data protection and of protecting private data. Encrypting data at rest and in transit helps prevent unauthorized access to personal information. This is especially important for organizations that handle large amounts of private data, such as healthcare providers and financial institutions. Data no longer resides only in corporate data centers, as most organizations have one or more public clouds with workloads and data stored in them. Encrypting data for its entire lifetime, wherever it resides, limits what an attacker can do with data they manage to reach. Encryption is only as strong as the handling of its keys, so key storage, rotation, and access control belong in the same plan.

3. Multi-person authentication

Beyond protecting data with encryption, organizations must safeguard their systems from malicious attacks. Leveraging multi-person authentication (MPA) for your data protection systems ensures that critical tasks require approvals from multiple pre-approved users. Often overlooked, this is one of the simplest ways to prevent a single compromised account from carrying out tasks like data exfiltration or deletion.

4. Immutable Storage

Immutable storage allows data, private or otherwise, to be written once and then neither modified nor deleted. Data that cannot be tampered with or altered ensures that data integrity is maintained. Immutable storage requirements are quickly becoming a standard part of data governance regulations like GDPR, HIPAA, and others. When paired with MPA, you can create highly secure data storage tiers that are a perfect fit for storing confidential and private data.
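To make the combination of items 3 and 4 concrete, here is a small Python model, added for this post and not Commvault code, of a write-once backup store whose deletions, even after the retention lock expires, need approvals from a quorum of distinct pre-approved users. The class names, user names, and backup keys are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

class PolicyViolation(Exception): """Immutability or MPA policy blocked an action."""

@dataclass
class LockedObject:
    data: bytes
    retain_until: datetime  # immutability window: no overwrite or delete before this
@dataclass
class ImmutableBackupStore:
    approvers: frozenset  # pre-approved users allowed to approve critical tasks
    quorum: int = 2       # distinct approvals a critical task needs
    objects: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # key -> set of approvers who voted
    audit: list = field(default_factory=list)    # every attempt is recorded for review

    def write(self, key, data, retain_days, now):
        """Write-once: an existing key is never overwritten, even by an admin."""
        if key in self.objects:
            raise PolicyViolation(f"{key} already exists; overwrite refused")
        self.objects[key] = LockedObject(data, now + timedelta(days=retain_days))
        self.audit.append(("write", key))

    def request_delete(self, key, requester, now):
        """A delete is only *requested*, and only after the retention lock expires."""
        if now < self.objects[key].retain_until:
            raise PolicyViolation(f"{key} is still under retention lock")
        self.pending[key] = set()
        self.audit.append(("delete-requested", key, requester))

    def approve_delete(self, key, approver):
        """Each pre-approved user counts once; the delete runs only at quorum."""
        if approver not in self.approvers:
            raise PolicyViolation(f"{approver} is not a pre-approved approver")
        votes = self.pending[key]
        votes.add(approver)  # a set: a repeated vote by the same user adds nothing
        self.audit.append(("approved", key, approver))
        if len(votes) < self.quorum:
            return False
        del self.objects[key], self.pending[key]
        self.audit.append(("deleted", key))
        return True

def blocked(action, *args):
    """True if the policy refused the action (used by the checks below)."""
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False
```

The audit list is the piece a defender watches: a burst of refused overwrites or delete requests against a locked tier is a signal worth alerting on.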

5. Data Sovereignty

Organizations should consider the regulations surrounding private data storage when developing a data protection strategy. This includes the location of data storage and compliance with data sovereignty regulations. For example, a cloud-based workload on GCP in Europe, or one containing EU citizens’ data, must comply with EU regulations. Anywhere that private data may reside, even temporarily, may be required to be in a specific region under regulatory requirements. Commvault addresses this concern in its latest release by allowing customers to select the specific region they will use for snapshot & data protection storage, rather than multiple regions that cost more and may have different regulatory requirements.

6. Data Governance & Discovery

In a recent survey, 57% of CISOs admitted they don’t know where some or all of their data is or how it is protected. As the amount of private data continues to grow, the number of regulations expands with it, and confusion sets in about what we should protect and how. Organizations therefore need to understand their data: where it is and what is at risk. Being able to prioritize data based on your organization’s policies, priorities, and applicable regulations is critical to protecting it. You cannot protect what you don’t know about!

7. Classification of data

Knowing what data exists and where it resides is only part of the solution. Organizations must also consider which data is private customer data, which is business-critical, and so on, in terms of its importance to your business and your customers. Protecting only on-prem data may miss critical customer data living in your SaaS-based CRM solution. Speaking of which, you cannot rely solely on your SaaS vendor, or even your IaaS cloud providers, to protect your data. They may provide SLAs and a level of redundancy, but that is not a replacement for a solid data protection plan. Data classification is not a point-in-time operation: with data growing exponentially each year, it has to be repeated continuously.

8. Data Retention

It is paramount to know what data exists and how important it is, but how long does it stay relevant? This is a hard question for most organizations to answer, and the cost of not answering it shows up every year in the purchase of ever-larger storage systems to house corporate data. The ability to assign an expected lifespan to data can significantly improve your organization’s bottom line AND protect your customers’ private data, since data that is no longer held cannot be breached. Having systems in place to automatically find, classify, and set retention will reduce the likelihood of data sprawl, reduce the time spent recovering data nobody uses, and reduce costs. If you are looking for a good place to start managing your governance, risk, and compliance efficiently, read through Commvault’s approach to Unified Data Management.

9. Resilience plan testing & incident response

Resilience plan testing, with the plan itself often referred to as a runbook, is an often-overlooked area of a data protection strategy. Creating a plan or updating an outdated one takes time and effort. Partnering with solution providers or strategic data protection companies experienced in creating such plans can significantly reduce the time it takes to get current. While it may be tempting to think runbooks are passé, I’ve found that when an actual DR event or ransomware attack hits, they are the GO-TO asset you want in your arsenal of tools. A regular cadence of updates creates an organizational posture that is ready to face data security threats head-on.

10. Risk Assessment

As with the runbook, consider working with strategic vendors to perform a risk assessment semi-annually or annually. Scheduled reviews help build the muscle memory for a solid data protection and data privacy mindset. The benefit of working with well-established data protection & data privacy vendors is that they stay up to date on the latest security threats and mitigation strategies.

By implementing this list of considerations and routinely refreshing your resilience plan, you can be confident that personal information is secure and compliant with the latest privacy regulations. If you aren’t sure where to start and need help from a company that can answer all these questions, Commvault is here to help!

We continually add new capabilities, including our latest enhancements to regional data sovereignty for backup snapshots, industry certifications, immutable storage capabilities, and more.

Head over to our community to learn more, or take a test drive today: https://www.commvault.com/request-demo