Protecting Data at Every Stage: Understanding the Three States of Data and Data Protection Imperatives

In the ever-evolving digital ecosystem, personal data is in constant motion—created, transmitted, stored, and processed by systems and people across various platforms. Whether it's an employee’s payroll record, a patient’s medical history, or a citizen’s biometric data, all this information exists in one of three fundamental states: data at rest, data in transit, and data in use. Each state presents its own set of privacy risks and regulatory implications under frameworks like Ghana’s Data Protection Act, 2012 (Act 843), the GDPR, and CCPA.

For Data Protection Officers (DPOs), understanding how data behaves in these states is essential to implementing targeted and effective safeguards. Let’s explore these three states and weave in the principles of data protection, the risks, and the appropriate countermeasures for each.

1. Data at Rest – The Dormant Risk

Definition: Data at rest refers to data that is stored or archived on a physical or virtual medium. This includes data stored in databases, file servers, backup drives, laptops, or cloud storage services.

Examples:

  • Employee files saved on a company’s server

  • Archived customer emails on a backup system

  • Health records stored in a hospital’s local database

Risks at This Stage:

  • Unauthorized access by internal staff or hackers

  • Theft or loss of storage devices (e.g., external drives, laptops)

  • Inadequate backup leading to data loss

  • Poor retention practices resulting in over-storage of personal data

Protection Measures:

  • Encryption of stored data so that it is unreadable without the decryption key, which must be stored and managed separately from the data it protects

  • Access controls using role-based permissions

  • Data retention and disposal policies to avoid unnecessary storage

  • Physical security of storage devices and server rooms

  • Audit trails and logging to track who accessed what and when

Data Protection Principle Link: This stage engages the storage limitation principle and the integrity and confidentiality principle. Data should not be stored longer than necessary, and it must be protected from unauthorized access or corruption.

2. Data in Transit – The Moving Target

Definition: Data in transit (or data in motion) refers to data actively moving from one location to another—whether across a public network (e.g., the internet) or internal systems.

Examples:

  • Emails sent from a government agency to a client

  • Online application forms submitted to a university

  • Files transferred via FTP or cloud-sharing platforms

Risks at This Stage:

  • Interception by attackers during transmission (man-in-the-middle attacks)

  • Data leakage through unsecured communication channels

  • Accidental transmission to the wrong recipient

Protection Measures:

  • Secure transmission protocols (e.g., TLS, which supersedes the deprecated SSL; HTTPS; VPNs)

  • End-to-end encryption for sensitive emails and files

  • Verification tools to confirm recipients’ identity before sending

  • Awareness training to prevent social engineering and phishing attacks

Data Protection Principle Link: Here, the security (integrity and confidentiality) and accountability principles are critical. Data controllers must ensure personal data is transferred in a secure manner and protected against unlawful processing.

3. Data in Use – The Active Exposure

Definition: Data in use refers to data that is actively being accessed, processed, or modified by an application or person.

Examples:

  • A bank clerk accessing a customer’s profile

  • A doctor reviewing and updating patient records during consultation

  • A marketing analyst pulling customer segmentation data

Risks at This Stage:

  • Screens left unlocked, exposing sensitive data

  • Unauthorized access by untrained staff

  • Data exfiltration via screenshots, USB drives, or copy-paste

  • Insider threats or misuse of privilege

Protection Measures:

  • Strict authentication protocols and session timeouts

  • Screen privacy filters and automatic workstation locks

  • Data masking or pseudonymization wherever the task does not require the real identifiers

  • Monitoring tools for real-time detection of abnormal activities

  • Least privilege access and segregation of duties

Data Protection Principle Link: This stage emphasizes lawfulness, fairness, and purpose limitation. It ensures that data is only accessed by those who need it, for legitimate purposes, and within scope.
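As an added example, not code from the article: pseudonymizing a customer extract for the marketing-segmentation case above in Python (standard library only), with a constructed dataset, an HMAC key assumed to be held by a custodian outside the analyst's environment, and a release gate that refuses any export still carrying direct identifiers.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample: raw customer records as an analyst might request them.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Ama Mensah", "email": "ama@example.org",
     "phone": "+233200000001", "dob": "1988-04-12", "region": "Greater Accra", "spend_band": "high"},
    {"customer_id": "C-1002", "name": "Kofi Boateng", "email": "kofi@example.org",
     "phone": "+233200000002", "dob": "2001-11-30", "region": "Ashanti", "spend_band": "low"},
]
REFERENCE_DATE = date(2025, 6, 1)            # constructed "today" for reproducible age bands
ANALYTICS_FIELDS = ("region", "spend_band")  # the only attributes segmentation needs (purpose limitation)
DIRECT_IDENTIFIERS = {"customer_id", "name", "email", "phone", "dob"}

def pseudonymize_id(customer_id: str, key: bytes) -> str:
    """Keyed, deterministic token: same id -> same token under one key, so the
    analyst can still join datasets, but cannot recover the id without the key."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()[:24]

def age_band(dob: str, today: date = REFERENCE_DATE) -> str:
    """Generalize an exact date of birth to a 10-year band."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def pseudonymize_for_analytics(records, key: bytes, today: date = REFERENCE_DATE):
    """Return a copy of the dataset with direct identifiers removed or tokenized."""
    out = []
    for rec in records:
        row = {"token": pseudonymize_id(rec["customer_id"], key),
               "age_band": age_band(rec["dob"], today)}
        for field in ANALYTICS_FIELDS:
            row[field] = rec[field]
        out.append(row)
    return out

def leaks_identifiers(rows) -> bool:
    """Release gate: True if any direct identifier field survived in the export."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)

if __name__ == "__main__":
    key = b"constructed-key-held-by-custodian"  # in practice: fetched from a KMS, never given to the analyst
    rows = pseudonymize_for_analytics(SAMPLE_RECORDS, key)
    assert not leaks_identifiers(rows)
    for row in rows:
        print(row)
```

Because the token is keyed, rotating or destroying the key breaks the link back to real customers; an unkeyed hash of the customer id would not, since anyone with the id list could recompute it.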

Integration of All Three: A Unified Approach

Many organizations focus their protection efforts heavily on just one state—often data at rest—while neglecting the others. But privacy breaches and non-compliance incidents can happen at any point along the data lifecycle.

A holistic data protection strategy must therefore:

  • Classify data by sensitivity and state

  • Apply state-specific safeguards based on risk

  • Include policy enforcement, technical controls, and staff training

  • Ensure compliance is measurable and auditable

Why It Matters for Compliance and Trust

The Ghana Data Protection Act and global standards demand that organizations ensure the confidentiality, integrity, and availability of personal data at all times. These legal requirements are not only about avoiding penalties—they are about upholding the dignity and trust of the people whose data is entrusted to us.

Failure to protect data in just one of these states can lead to reputational damage, loss of customer confidence, lawsuits, and regulatory sanctions.

Final Thoughts

In the world of data protection, context is everything. The same piece of information can be harmless when stored securely, dangerous when transmitted carelessly, and destructive when used unethically. As DPOs, IT leads, and business owners, our duty is not just to protect data—but to understand its behavior, anticipate its risks, and respect the people behind it.

By embracing the three states of data in our risk assessments, security designs, and compliance programs, we not only align with the law—we build better, more trustworthy systems for the future.

Elias Zoramwine Mane

|| IT Professional || ISC2 Certified in Cybersecurity || ISO/IEC 27001 Lead Auditor || Digital Rights || Digital Comms || Web Admin || Internet Governance || Data Protection || GhanaSIG Fellow ||

3w

Thanks for sharing Snr Emmanuel Kwasi Gadasu.

Christian Dunu

Certified Data Protection Officer | Regulatory Compliance | Privacy Advocate | Data Analytics

3w

Thank you

Samari Emmanuel MSc, CDPO, BSc

||Regulatory Affairs experts|| Pharmacovigilance Advocate||Food safety advocate|| Mycotoxins Consultant||Clinical Research Associate||Quality Assurance-Executive || Data Protection Officer ||

3w

Mr Privacy Your article is really loaded with ideas


Very educative Thank you Boss

Joshua Appiatse

Chemicals| Scientific Research| Data Security |Manufacturing

3w

Very insightful. Thank you Sir!
