The General Data Protection Regulation (GDPR), requires UK organisations to protect any data that could be used to identify an EU citizen.
The penalties for non-compliance are potentially severe, so it’s vital to understand where this sensitive data is held and who has access to it. At first, this may look easy: most organisations will have some kind of master store of data on customers or citizens, with access restricted on a need-to-use basis. Of course, once you do more than just scratch the surface, you will tend to find dozens or even hundreds of other systems that use elements of this data – and that’s before you even consider data on employees and business partners.
Keep digging, and you soon find further complexity: data marts and warehouses, archival data, test and development environments, outsourced mailing lists and customer apps, and countless spreadsheets on laptops, NAS drives, USB keys and online file sharing systems. What’s more, the GDPR even covers data such as IP addresses captured from visitors to your website, pseudonymised data used for reporting, and manual paper filing systems.
While most organisations have robust IT security and access management around their core systems and data, everything that lives on the periphery represents an enormous threat to GDPR compliance, and an even greater administrative headache.
The first step towards achieving (and maintaining) compliance is to identify the relevant data and determine who has access to it. Once you have taken this step, you can review your current practices, rationalise the storage arrangements, and set up the appropriate access controls and governance.
Finding the data is an organisational challenge as well as a technical challenge, and it will certainly be necessary to understand the processes and classifications behind personal data. You can then take advantage of automated data discovery, exploration and analysis tools to find and classify both structured and unstructured forms of personal data – based on actual values in the data rather than just metadata. Once you’ve discovered the locations of sensitive data stores and documents, the relationships between structured databases, and the access rights and security arrangements that govern them, you can take steps to protect the data from inappropriate use or access. You can also set up data maps and dashboards to increase visibility of the protected assets throughout the organisation.