Leaks, GDPR fines, cyber attacks... losing control of your data can quickly turn into a nightmare. The aim is to know where your data is, who has access to it, how it moves around, and how to react when things go wrong. Here are 7 practical ways to protect your data.

1. Map your data
Goal: make the invisible visible (applications, shared folders, SaaS, workstations, clouds, Excel exports, etc.).
To do:
- List your sensitive data: HR, customers, finance, R&D, contracts, health, etc.
- Identify where it lives (servers, SharePoint/Drive, CRM, ERP, e-mail, business tools).
- Document who accesses it (in-house teams, service providers, admins) and why (purpose).
- Locate the flows: exports, synchronisation, APIs, e-mail, mobile access.
Good deliverable:
- A map plus a "where / who / why / how long" register (even a simple one at first).
Tools (examples):
- DataGalaxy (governance), OpenAudit (inventory), and failing that a well-structured spreadsheet.
2. Secure access
Goal: avoid "everyone having everything", and reduce the impact of a compromised account.
To do:
- Enable MFA/2FA everywhere (e-mail, VPN, admin, cloud, CRM): Okta, Duo, etc.
- Apply least privilege: minimum rights, at the right time, for the right person.
- Put access reviews in place (monthly/quarterly): who has what, and is it still needed?
- Separate accounts: user account ≠ admin account.
What to look out for:
- Shared accounts, "temporary" access that becomes permanent, former service providers who still have access.
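The access review described above can be partly automated. The following is an added example, not code from the original post: it runs the review questions (shared accounts, MFA everywhere, expired provider access, stale logins, admin/user separation) over a constructed account export. The column names, the sample rows and the 90-day threshold are assumptions; adapt `parse_export()` to whatever your identity provider or directory actually exports.

```python
# Added example (not from the original post): an access-review pass over a
# constructed account export. Column names, sample rows and the 90-day
# threshold are assumptions; adapt parse_export() to your real export format.
import csv
import io
from datetime import date, timedelta

# Constructed sample export (one row per account).
SAMPLE_EXPORT = """\
account,kind,owner,mfa,last_login,access_end
alice,user,alice,yes,2024-05-02,
alice-adm,admin,alice,yes,2024-05-01,
bob,user,bob,no,2024-01-15,
shared-reception,shared,,no,2024-05-03,
ext-consultant,user,acme-corp,yes,2024-04-30,2024-03-31
carol-adm,admin,carol,no,2024-05-02,
"""

STALE_AFTER = timedelta(days=90)  # review threshold, adjust to your policy


def parse_export(text):
    """Turn the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(value):
    return date.fromisoformat(value) if value else None


def review_access(rows, today):
    """Return (account, reason) findings a reviewer should decide on."""
    findings = []
    # Owners who hold an ordinary user account (for the admin-separation check).
    user_owners = {r["owner"] for r in rows if r["kind"] == "user"}
    for r in rows:
        acct = r["account"]
        last = _to_date(r["last_login"])
        end = _to_date(r["access_end"])
        if r["kind"] == "shared":
            findings.append((acct, "shared account: no individual accountability"))
        if r["mfa"] != "yes":
            findings.append((acct, "MFA not enabled"))
        if end is not None and end < today:
            findings.append((acct, f"access ended {end} but account still enabled"))
        if last is None or today - last > STALE_AFTER:
            findings.append((acct, f"no login in {STALE_AFTER.days} days"))
        if r["kind"] == "admin" and r["owner"] not in user_owners:
            findings.append((acct, "admin account with no separate user account"))
    return findings


def review_sample(today=date(2024, 5, 5)):
    """Run the review over the constructed export at a fixed date."""
    return review_access(parse_export(SAMPLE_EXPORT), today)


if __name__ == "__main__":
    for acct, reason in review_sample():
        print(f"{acct:18} {reason}")
```

The script does not disable anything: it produces the list of questions for the quarterly review (why does this shared account exist, why is the consultant still enabled a month after the contract ended), which is the decision a human owner should make and record.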
3. Automate back-ups
Goal: be able to turn back the clock quickly (ransomware, mishandling, corruption, cloud failure).
To do:
- Automate back-ups on a schedule (daily for most data) with Veeam, Backblaze, Acronis, etc.
- Encrypt back-ups and protect access to them (MFA, dedicated accounts).
- Apply the 3-2-1 rule: 3 copies, 2 media, 1 off-site (immutable if possible).
- Test restoration (not just "backup OK", but "restore OK").
Good deliverable:
- A simple plan: what / when / where / how long retained / restoration test.
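The "simple plan" above can be kept as a small inventory and checked automatically against the 3-2-1 rule and the restore-test point. This is an added example, not code from the original post: the inventory format, the sample datasets and the 180-day maximum age for a restore test are constructed assumptions.

```python
# Added example (not from the original post): checks a backup inventory
# against the 3-2-1 rule and "restore tested, not just backup OK".
# The inventory format, sample entries and 180-day limit are assumptions.
from datetime import date, timedelta

RESTORE_TEST_MAX_AGE = timedelta(days=180)  # assumed policy value

# Constructed inventory: one entry per copy of each dataset.
SAMPLE_INVENTORY = [
    {"dataset": "finance-erp", "medium": "disk", "offsite": False,
     "immutable": False, "last_restore_test": "2024-03-01"},
    {"dataset": "finance-erp", "medium": "tape", "offsite": True,
     "immutable": True, "last_restore_test": "2024-03-01"},
    {"dataset": "finance-erp", "medium": "object-storage", "offsite": True,
     "immutable": True, "last_restore_test": "2024-03-01"},
    {"dataset": "hr-files", "medium": "disk", "offsite": False,
     "immutable": False, "last_restore_test": None},
    {"dataset": "hr-files", "medium": "disk", "offsite": False,
     "immutable": False, "last_restore_test": None},
]


def check_plan(inventory, today):
    """Return {dataset: [gap, ...]}; an empty list means the dataset passes."""
    by_dataset = {}
    for entry in inventory:
        by_dataset.setdefault(entry["dataset"], []).append(entry)
    report = {}
    for name, copies in sorted(by_dataset.items()):
        gaps = []
        if len(copies) < 3:  # "3 copies"
            gaps.append(f"only {len(copies)} copies (need 3)")
        media = {c["medium"] for c in copies}
        if len(media) < 2:  # "2 media"
            gaps.append(f"only {len(media)} media type (need 2)")
        if not any(c["offsite"] for c in copies):  # "1 off-site"
            gaps.append("no off-site copy")
        if not any(c["immutable"] for c in copies):  # "immutable if possible"
            gaps.append("no immutable copy (recommended against ransomware)")
        tests = [date.fromisoformat(c["last_restore_test"])
                 for c in copies if c["last_restore_test"]]
        if not tests:
            gaps.append("restore never tested")
        elif today - max(tests) > RESTORE_TEST_MAX_AGE:
            gaps.append(f"last restore test {max(tests)} is older than "
                        f"{RESTORE_TEST_MAX_AGE.days} days")
        report[name] = gaps
    return report


def check_sample(today=date(2024, 5, 5)):
    """Check the constructed inventory at a fixed date."""
    return check_plan(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for dataset, gaps in check_sample().items():
        print(dataset, "OK" if not gaps else gaps)
```

Running it at a later date is the useful part: a plan that passed in spring fails in winter once the last restore test is more than 180 days old, which is exactly the "restore OK" discipline the checklist asks for.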
4. Train your teams and raise their awareness
Goal: reduce human error (phishing, weak passwords, uncontrolled sharing).
To do:
- Regular training, real-life cases, simple reflexes.
- Phishing simulations plus educational feedback (no "name and shame").
- Clear rules: file sharing, use of the cloud, personal data, USB sticks, BYOD, etc.
Minimum effective measure:
- "3 reflexes" posted everywhere: check / don't click / report.
Tip:
- Appoint "referents" in each team (security ambassadors).
5. Choose GDPR-friendly tools
Goal: avoid opaque solutions, uncontrolled transfers and unclear contracts.
To do:
- Check the key points: DPA, data storage, location, sub-contractors, retention period, logs, export, deletion.
- Choose tools that offer control, fine-grained settings and traceability.
Examples:
- OVHcloud (hosting), Nextcloud (sharing), Matomo (analytics).
Good reflex:
- Before you buy: a GDPR & security mini-checklist (10 questions) validated by IT and the DPO.
6. Supervise the use of AI
Goal: avoid unintentional leaks via prompts, attachments, copy and paste, or free tools.
To do:
- Write a simple rule: no sensitive data in public AI tools (customers, HR, contracts, proprietary code, secrets, etc.).
- Define authorised uses (generic writing, rewording, brainstorming) and prohibited ones.
- Offer an alternative: an enterprise AI (partitioned, with controls, logs and retention settings).
- Give concrete examples of "sensitive data" (otherwise the rule stays vague).
Bonus:
- Add a "delete / anonymise before copying" button or ritual.
7. Prepare for the crisis
Goal: don't improvise when it happens (and it will).
To do:
- Create an incident plan: who does what, who decides, who communicates, who contacts whom (service providers, insurance, CNIL if necessary).
- Define scenarios: ransomware, e-mail leak, PC theft, compromised admin account.
- Tools: centralisation of logs/alerts (e.g. Wazuh) plus incident management (e.g. TheHive).
- Run a "table-top" exercise once or twice a year (30-60 minutes).
Good deliverable:
- A 1-page sheet: contacts, immediate actions, priorities, evidence to keep.
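Centralising logs only pays off if something looks at them. As an added example, not code from the original post and not a Wazuh rule, here is a minimal detection for the "compromised admin account" scenario run over constructed syslog-style authentication lines: it alerts when a login succeeds right after a burst of failures from the same user and IP, which is the moment the incident plan should be triggered. The log line format, the sample lines and the thresholds are assumptions; a SIEM such as Wazuh would normally carry this logic as a rule.

```python
# Added example (not from the original post): detection over constructed
# syslog-style auth lines. Line format, sample lines and thresholds are
# assumptions; in practice a SIEM rule does this over centralised logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: an admin account guessed after five failures,
# then a user who simply mistyped once.
SAMPLE_LOG = """\
2024-05-05T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-05T09:00:08 sshd: Failed password for admin from 203.0.113.7
2024-05-05T09:00:15 sshd: Failed password for admin from 203.0.113.7
2024-05-05T09:00:23 sshd: Failed password for admin from 203.0.113.7
2024-05-05T09:00:40 sshd: Failed password for admin from 203.0.113.7
2024-05-05T09:01:02 sshd: Accepted password for admin from 203.0.113.7
2024-05-05T09:05:11 sshd: Failed password for alice from 198.51.100.4
2024-05-05T09:05:30 sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_auth_log(text):
    """Yield (timestamp, outcome, user, ip) for lines in the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2),
                   m.group(3), m.group(4))


def detect_failures_then_success(text, threshold=5,
                                 window=timedelta(minutes=10)):
    """Alert when a login succeeds after at least `threshold` failures from
    the same user/IP pair within `window`: the signature of a guessed
    password, i.e. a probably compromised account."""
    failures = defaultdict(list)  # (user, ip) -> failure timestamps
    alerts = []
    for ts, outcome, user, ip in parse_auth_log(text):
        key = (user, ip)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": user, "ip": ip,
                           "failures": len(recent), "at": ts.isoformat()})
        failures[key].clear()  # a success closes the current burst
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(SAMPLE_LOG):
        print("ALERT possible account compromise:", alert)
```

Each alert is the kind of event the 1-page sheet should map to an immediate action (disable the account, reset credentials, preserve the logs as evidence) and to the person who decides whether the incident plan is activated.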