Trace Id is missing
Skip to main content
Microsoft Security

What is data protection?

Learn how to protect your data wherever it lives and manage sensitive and business critical data across your environment.

Data protection defined

Data protection refers to security strategies and processes that help secure sensitive data against corruption, compromise, and loss. Threats to sensitive data include data breaches and data loss incidents.

A data breach is the result of unauthorized access to your organization’s information, network, or devices from sources like a cyberattack, insider threats, or human error. In addition to lost data, your organization may incur fines for compliance violations, face legal action for exposed personal information, and suffer long-term damage to your brand reputation.

A data loss incident is an intentional or accidental interruption to your normal organizational operations—for example, a laptop is lost or stolen, software is corrupted, or a computer virus infiltrates your network. Having a security policy in place and training your employees to recognize threats and how to respond—or not respond—is critical to your data protection strategy.

Key principles of data protection

The two key principles of data protection are data availability and data management.

Data availability enables employees to access the data they need for day-to-day operations. Maintaining data availability contributes to your organization’s business continuity and disaster recovery plan, which is an important element of your data protection plan that relies on backup copies stored in a separate location. Having access to these copies minimizes downtime for your employees and keeps their work on track.

Data management encompasses data lifecycle management and information lifecycle management.

  • Data lifecycle management covers data creation, storage, usage and analysis, and archival or disposal. This lifecycle helps to ensure that your organization is complying with relevant regulations and that you’re not storing data unnecessarily.
  • Information lifecycle management is a strategy for cataloging and storing the information derived from your organization’s datasets. Its purpose is to determine how relevant and accurate the information is.

Why is data protection important?

Data protection is important for keeping your organization safe from data theft, leaks, and loss. It involves using privacy policies that meet compliance regulations and preventing damage to your organization’s reputation.

A data protection strategy includes monitoring and protecting data within your environment and maintaining continuous control over data visibility and access.

Developing a data protection policy enables your organization to determine its risk tolerance for every category of data and to comply with applicable regulations. This policy also helps you establish authentication and authorization—determining who should have access to what information and why.

Types of data protection solutions

Data protection solutions help you monitor internal and external activity, flag suspicious or risky data-sharing behavior, and control access to sensitive data.

  • Data loss prevention

    Data loss prevention is a security solution that helps your organization prevent the sharing, transfer, or use of sensitive data through actions like monitoring sensitive information across your data estate. It also helps to ensure your compliance with regulatory requirements—for example, the Health Insurance Portability and Accountability Act (HIPAA) and European Union (EU) General Data Protection Regulation (GDPR).

  • Replication

    Replication continually copies data from one location to another to create and store an up-to-date copy of your data. It allows failover to this data in the event your primary system goes down. In addition to protecting you from data loss, replication makes data available from the nearest server so that authorized users can access it faster. Having a complete copy of your organization’s data also gives your teams the option to perform analytics without interfering with day-to-day data needs.

  • Storage with built-in protection

    A storage solution should provide data protection, but also enable you to recover data that was deleted or modified. For example, multiple levels of redundancy aid in protecting your data from things like service outages, hardware problems, and natural disasters. Versioning preserves previous states of your data when an overwrite operation creates a new version. Configure a lock—for example, read only or cannot delete—on your storage accounts to help protect them from accidental or malicious deletion.

  • Firewalls

    A firewall helps to ensure that only authorized users have access to your organization’s data. It works by monitoring and filtering network traffic according to your security rules and helps block threats like viruses and ransomware attempts. Firewall settings typically include options to create inbound and outbound rules, specify connection security rules, view monitoring logs, and receive notifications when the firewall blocked something.

  • Data discovery

    Data discovery is the process of finding what data sets exist in your organization within data centers, laptops and desktop computers, various mobile devices, and on cloud platforms. The next step is to categorize your data (for example, mark it as restricted, private, or public) and verify that it meets regulatory compliance.

  • Authentication and authorization

    Authentication and authorization controls verify user credentials and confirm that access privileges are assigned and applied correctly. Role-based access control is one example of providing access to only the people who need it to do their jobs. It can be used in conjunction with identity and access management to help control what employees can and can’t access in order to keep your organization’s resources—like apps, files, and data—more secure.

  • Backup

    Backups fall into the category of data management. They can be as frequent as you need them to be (for example, full backups every night and incremental backups throughout the day) and they enable you to restore lost or corrupted data quickly to minimize downtime. A typical backup strategy includes saving several copies of your data and storing a full copy set on a separate server and another in an off-site location. Your backup strategy will align with your disaster recovery plan.

  • Encryption

    Encryption helps maintain the security, confidentiality, and integrity of your data. It is used on data that is at rest or in motion to prevent unauthorized users from viewing file content even if they gain access to its location. Plaintext is transformed into unreadable cipher-text (in other words, data is converted into code) that requires a decryption key to read or process it.

  • Disaster recovery

    Disaster recovery is an element of information security (InfoSec) that focuses on how organizations use backups to restore data and return to normal operating conditions following a disaster (for example, a natural disaster, large-scale equipment failure, or a cyberattack). It’s a proactive approach that helps your organization reduce the impact of unpredictable events and respond more quickly to planned or unplanned interruptions.

  • Endpoint protection

    Endpoints are physical devices that connect to a network—such as mobile devices, desktop computers, virtual machines, embedded devices, and servers. Endpoint protection helps your organization monitor these devices and safeguard against threat actors who seek out vulnerabilities or human error and take advantage of security weaknesses.

  • Snapshots

    A snapshot is a view of your file system at a particular point in time; it preserves that view and tracks any changes made after that point. This data protection solution references storage arrays that use a collection of drives instead of servers. Arrays typically create a catalog that points to the location of data. A snapshot copies an array and sets the data to read only. New entries are created in the catalog while old catalogs are preserved. Snapshots also include system configurations to recover servers.

  • Data erasure

    Erasure is deleting stored data that your organization no longer needs. This process is also known as data wiping or data deletion and is often a regulatory requirement. In relation to GDPR, individuals have the right to have their personal data erased upon request. This right to erasure is also called “the right to be forgotten.”

Protection, security, and privacy

They may seem like interchangeable terms, but data protection, data security, and data privacy each have a different purpose. Data protection encompasses the strategies and processes your organization uses to help secure sensitive data against corruption, compromise, and loss. Data security is concerned with the integrity of your data and works to protect it from corruption by unauthorized users or insider threats. Data privacy controls who has access to your data and determines what can be shared with third parties.

Data protection best practices

Data protection best practices consist of plans, policies, and strategies to help you control access to your data, monitor network and usage activity, and respond to internal and external threats.

  • Stay on top of requirements

    A comprehensive governance plan identifies regulatory requirements and how they apply to your organization’s data. Verify that you have visibility across all of your data and classify it properly. Be sure that you are in compliance with your industry’s privacy regulations.

  • Limit access

    Access control employs authentication to verify that users are who they say they are, and authorization to determine what information they are allowed to see and use. In the event of a data breach, access control is one of the first policies to be scrutinized to determine whether it was implemented and maintained properly.

  • Create a cybersecurity policy

    A cybersecurity policy defines and directs IT activities within your organization. It makes employees aware of common threats to your data and helps them be more vigilant about safety and security. It can also clarify your data protection strategies and promote a culture of responsible data use.

  • Monitor activity

    Ongoing monitoring and testing help you identify areas of potential risk. Use AI and automate your data monitoring tasks to quickly and effectively spot threats. This early warning system alerts you to potential data and security issues before they can cause damage.

  • Develop an incident response plan

    Having an incident response plan in place before a data breach occurs will prepare you to take action. It will aid the response team (for example, your head of IT, InfoSec, and head of communications) in maintaining the integrity of your systems and getting your organization back to work as quickly as possible.

  • Identify risks

    Employees, vendors, contractors, and partners have information about your data, computer systems, and security practices. To identify unauthorized access to data and help protect it from misuse, know what data you have and how it’s used across your digital estate.

  • Improve data storage security

    Data storage security uses methods like access control, encryption, and endpoint security to maintain the integrity and confidentiality of your stored data. It also mitigates the risk of intentional or unintentional damage and allows continuous availability of your data.

  • Train your employees

    Whether intentional or not, insider risks are a leading cause of data breaches. Clearly communicate your data prevention policies at all levels to help employees comply. Frequently repeat the training with refresher sessions and guidance when specific issues arise.

Data protection compliance and laws

Every organization must comply with relevant data protection standards, laws, and regulations. Legal obligations include, but are not limited to, collecting only the information you need from customers or employees, keeping it safe, and disposing of it properly. The following are examples of privacy laws.

GDPR is the strictest data privacy and security law. It was drafted and passed by the EU, but organizations worldwide are obligated to comply if they target or collect personal data from EU citizens or residents or offer goods and services to them.

The California Consumer Privacy Act (CCPA) helps to secure privacy rights for California consumers, including the right to know about the personal information a business collects and how it is used and shared, the right to delete personal information collected from them, and the right to opt out of the sale of their personal information.

HIPAA helps to protect patient health information from being disclosed without the patient’s knowledge or consent. The HIPAA Privacy Rule safeguards personal health information and was issued to implement HIPAA requirements. The HIPAA Security Rule helps to protect identifiable health information that a healthcare provider creates, receives, maintains, or transmits electronically.

The Gramm-Leach-Bliley Act (GLBA)—also known as the Financial Services Modernization Act of 1999—requires financial institutions to explain their information sharing practices to customers and to safeguard sensitive data.

The Federal Trade Commission is the primary consumer protection body in the United States. The Federal Trade Commission Act declares unlawful any unfair methods of competition and unfair or deceptive acts or practices affecting commerce.

As strategies and processes evolve, there are some data protection trends for your organization to be aware of. They include regulatory compliance, risk management, and data portability.

  • More data protection regulations

    GDPR has become the benchmark for how other countries collect, disclose, and save personal data. Since its introduction, the CCPA in the United States (California) and the General Personal Data Protection Law in Brazil have come into play to keep up with the proliferation of online consumerism and personalized products and services.

  • Mobile data protection

    Preventing unauthorized users from accessing your network includes protecting sensitive data stored on portable devices like laptops, tablets, and smartphones. Security software uses identity verification to help prevent devices from being compromised.

  • Less access for third parties

    Data breaches can often be traced to third parties (such as suppliers, partners, and service providers) that have too much access to an organization’s network and data. Third-party risk management is finding its way into compliance regulations to limit how third parties access and use data.

  • Copy data management

    Copy data management detects duplicate data, compares similar data, and allows your organization to delete unused copies of your data. This solution minimizes inconsistencies caused by duplicate data, reduces storage costs, and helps to maintain security and compliance.

  • Data portability

    In the early days of cloud computing, data portability and migrating large datasets to other environments was difficult. Today, cloud technology makes data more portable, enabling organizations to move it between environments; for example, from on-premises data centers to public clouds, or between cloud providers.

  • Disaster recovery as a service

    Disaster recovery as a service helps organizations of any size to use cost-effective cloud services to replicate their systems and restore operations after a catastrophic event. It offers the flexibility and scalability of cloud-based technology and is seen as an effective solution for avoiding service outages.

Data discovery and classification

Data discovery and data classification are separate processes that work together to provide visibility into your organization’s data. A data discovery tool scans your entire digital estate to discover where structured and unstructured data resides, which is critical to your data protection strategy. Data classification organizes data from the data discovery process based on file type, content, and other metadata; helps eliminate duplicate data; and makes it easy to locate and retrieve data.

Unprotected data is vulnerable data. Knowing what data you have and where it lives helps you to protect it while adhering to regulatory compliance requirements related to data processes and controls.

Data protection solutions

Data protection solutions help to guard against data loss and include security, data backup, and recovery, which directly support your organization’s disaster recovery plan.

Simplify how your organization understands its sensitive data. Get visibility into all your data; get more powerful protection across apps, clouds, and devices; and manage regulatory requirements with Microsoft Security solutions.

Learn more about Microsoft Security

Microsoft Purview

Explore governance, protection, and compliance solutions for your organization’s data.

Learn more

Help prevent data loss

Identify inappropriate sharing, transfer, or use of sensitive data on endpoints, apps, and services.

Learn more

Information protection

Help protect and govern your data with built-in, intelligent, unified, and extensible solutions.

Learn more

Communication compliance

Use machine learning to detect communication violations.

Learn more

Frequently asked questions

  • Examples of data protection include guarding against malicious or accidental damage, having a disaster recovery strategy, and limiting access only to those who need the data.

  • The purpose of data protection is to safeguard your organization’s data against compromise, harm, and loss.

  • GDPR states that individuals have fundamental rights and freedoms when it comes to the protection of their personal data. Every organization that collects personal data must gain explicit consent from individuals and is required to be transparent about how that data will be used.

  • Data protection tools include data discovery and inventory, encryption, data erasure, access management, and endpoint security.

  • To help protect data, businesses may start by establishing a security policy that defines things like approved use and incident reporting. Backing up critical data, keeping software up to date, and educating employees on data protection are other important actions to take.

Follow Microsoft 365