Best Practices for Data Hygiene

Data hygiene consists of actions that organizations can, and should, take as a matter of following not only compliance requirements, but also as part of basic risk management program practices. Consistent, risk-specific data hygiene practices supports not only a very wide range and number of data protection compliance requirements, but performing data hygiene activities also demonstrably improves an organization’s data security effectiveness without significantly increasing IT or information security costs. Most of these actions involve people performing activities that all personnel within an enterprise can take. No specialized tools are typically needed—just some training and ongoing awareness reminders, or periodic use of data management tools.

These actions serve to:

• limit the amount of data collected to only that which is necessary to support the purposes of the data collection
• keep data from being modified in unauthorized ways, or accidentally
• destroy/delete data when it is no longer needed to support the purpose(s) for which it was collected and to meet legal retention requirements
• prevent access to data to only those entities (devices, individuals, accounts, etc.) that have a business/validated need to access the data
• not share data with others unless necessary and with the consent of those about whom the data applies, as applicable
• keep your own personal and business data from being used and posted in ways for which you did not consent or is not necessary to support the purposes for which you originally allowed the data to be collected or derived
• keep unauthorized entities from accessing data

For example, for enterprises, this could include taking time to establish automated ways to delete data that has not been used for a specified period of time, such as six years, in accordance with applicable legal requirements for data retention. Removing data no longer needed to support business purposes, and in accordance with legal requirements, removes the amount of data that the organization needs to safeguard. The less data to safeguard, and the fewer the data storage locations, the less the risks. This good data hygiene practice lessens the risks to data within an organization.  

As another example, from an individual’s point of view, deleting all the apps off your mobile computing device (smartphone, laptop, tablet, IoT device) that you do not need, or have not used in a long while (for me, that is typically those I’ve not used within the past three months), will remove these hidden digital data gatherers and eavesdroppers that too many people forget they even have. These apps, even those you don’t use, often are still exfiltrating data (your contact lists, photos, videos, credentials, etc.) from your phone, putting files on your phone, and creating pathways that could allow outside unauthorized malicious entities to get not only to your own Wi-Fi home network through that mobile device connection that you allowed to be created (whether you realized it or not), but even to your corporate network when your mobile device is connected to that network. This good data hygiene practice removes pathways to your, and your business’s, networks that could allow digital intruders,  prevent unauthorized access to your data, and remove data exfiltration paths from your mobile computing device. All reduce risks to personal information as well as to an organization’s systems.

What are some data hygiene best practices?
There are so many practices that can, and should, be used. I’ve actually written an entire book about this! But I’ll provide you with a few more very powerful, risk-reducing actions to add to the previous two examples I provided. These generally apply to organizations as well as to individuals.

• Implement continuously scanning anti-malware tools and keep them updated.
• Remove data from public information sites, such as Spokeo, Radaris, and other similar types of sites. They each have options to do this, however, you sometimes need to look a while to find them.
• Set a search alert on your name, address, etc. (put them within quotation marks), then investigate instances where the information should be removed from the sites.
• Disable, detach or cover webcam viewers when not in use.
• Use digital tracking blockers.
• Use a non-tracking search engine like DuckDuckGo.com.
• Modify browser settings to block cookies, web gifs and other trackers.
• Change social media settings to disallow sharing of data.
• Irreversibly remove data from all computing and storage devices prior to selling or disposing of them.
• Don’t click on links from emails that could be phishing messages.
• Don’t click pop-ups.
• Don’t use unverified data, or data that is at high risk of being modified in unauthorized ways, to make important business decisions, or to take actions that could bring some type of harms (monetary, reputational, physical safety, etc.) to individuals or businesses.
• Don’t use newly obtained IoT gadgets (Amazon Echo and Echo Dot, smart dolls, etc.) before changing the default settings, and setting the privacy and security settings.
• Don’t give personal information to unsolicited callers, texters, or others asking you through some other means.
• Follow identity verification procedures before giving callers access to accounts, or providing information over the phone.
• Generally more specific to individuals:
  • Opt out of allowing the credit report agencies (CRAs) to sell your personal information to marketers.
  • NEVER send risqué photos or videos through the Internet.
  • Report sextortion attempts to the FBI and/or police.
  • Use reputation management services to remove as much of the content that as possible that you don’t want online.
  • Don’t like, follow, etc., online posts or social media groups any more than necessary.
  • Don’t take all those online and social media quizzes! When you do, you provide data that will then be used for tracking your online activities.
  • Don’t comment on posts with information that includes information about your personal life, or the lives of others.

Ultimately, good data hygiene practices can help to ensure the minimum amount of accurate data is used to support business activities, as well as in people’s personal lives. This minimum necessary data also limits the amount of data shared with others, along with limiting the amount of data that individuals and businesses need to safeguard, which in turn lowers the risks for security incidents and privacy breaches by effectively reducing the data attack surface area.

Editor’s note: For more data privacy insights from ISACA, view our Privacy in Practice 2021 report.