This post was originally posted on SMB CEO.

It seems like major corporate data breaches have become all too common. In fact, they’ve become so common that you might have become immune to such news.

If you own or run a small business, you might think protecting sensitive data is not something you have to worry about. But you’d be surprised by the amount of information you collect and need to protect. From credit card numbers and addresses to phone numbers and financial and medical information, it starts to add up pretty quickly.

That’s why you need to establish processes for handling sensitive information.

Of course, creating solid processes for handling data is common in the corporate world, but oftentimes, small business owners are so focused on the details of day-to-day operations that they don’t focus on creating data processes. From an information security standpoint, that can be disastrous. To mitigate risk and comply with the latest regulations, you need to follow the data.

Data Security Begins and Ends With Proper Workflows

Before you can build a process of best practices to improve data security, you have to first know what data you own and where it is. Then you can sort it out.

Keep in mind that not all information is created equal. Some is more sensitive and requires greater protection, so you need to categorize each data set as public, internal, confidential, etc. This kind of data classification will help you determine which processes to put in place for each type. After all, there’s no need to put a million-dollar fence around a thousand-dollar horse.

You’ll know how to establish a proper workflow once you know exactly how data circulates through your business. Even so, creating the right process might take some trial and error. If you’ve always taken a laissez-faire approach, then there might be some pushback from your employees and partners. But if you involve them in the process, you’ll have much better cooperation.

Here are five tips to help you get started:

1. Develop a responsibility assignment matrix

Include a RACI matrix for all key projects and – if applicable – the entire company. RACI is an acronym for Responsible, Accountable, Consulted, and Informed. The matrix will define who’s responsible for what, who’s ultimately accountable for what, who to consult prior to the final decision, and who to keep in the loop. You can clear up a lot of confusion by using this tool.

2. Establish an information security committee

No matter the size of your company, establishing a security committee is critical. This group can help you run your security program by leading risk management activities and approving the selection of baseline controls.

However, it’s important to incorporate representatives from all departments. Doing so will ensure that everyone in the company is aware of the importance of data security. You want employees to know how they can help identify risks and how they can adopt best practices.

3. Assemble the tools that work for you

After you have all the people in place, it’s time to equip them with the necessary tools. Don’t try to build an internal system from scratch. There are already plenty of SaaS platforms to help your team stay on track, including JIRA, Asana, Trello, Team Foundation Server, and Workday. Test a few different programs, and then select the one that works best for your team.

4. Document your processes and procedures

It sounds simple, but very few companies remember to clearly document policies, procedures, and methodologies. However, without documentation, your workflow will quickly start to break down. Plans are great, but your execution should always begin with proper documentation.

It’s nearly impossible to disseminate proper security information to all your stakeholders or train new staff members without a written process. Once you have one, don’t bury the process in the bottom of your desk drawer. Instead, use collaboration tools, such as wikis and Google Docs, to keep your processes accessible for sharing and updating.

5. Craft a crisis or incident response plan

As security breaches become more common, you need to prepare appropriately. Have a process in place for how to take action, and understand your contractual and regulatory requirements for reporting a breach. This includes outlining your service agreement with your customers in the event that a breach compromises their data.

After an incident, identify the root cause. Whether an employee corrupted data, a hacker compromised a system, or you experienced a distributed denial-of-service attack, you might discover vulnerabilities in your system that left you open to attack.

Breaches are typically symptomatic of larger problems, so you should not focus on just putting out fires. Instead, establish a process review to prevent a recurrence.

Understanding and classifying your data will help you establish the right workflows for your company. And with everyone on the same page, you’ll be able to better protect not only your customers’ data, but also your own.