Chief Commercial Officer
With the General Data Protection Regulation (GDPR) now in force, organisations have a legal responsibility to apply appropriate protection to any personal data they hold on EU citizens. No doubt you’re already aware of this, and have taken steps to update your data protection policies and processes.
But given the need for rapid response in the event of a data breach, or in the event of a private individual asking you to edit or delete the data you hold on them, how sure are you that you can react within the prescribed timescales?
Perhaps you’ve verified that you can meet deadlines for reporting breaches to the regulator, and perhaps you’ve set and validated internal SLAs for finding and amending customer data. However, to quote Donald Rumsfeld, you may only be addressing the known knowns.
How about the known unknowns—the personal data you know you’ve collected but that is lurking outside the control of IT? Or, worse still, the unknown unknowns—the personal data that you’ve accumulated as an organisation and either never knew about or have forgotten about?
When one of Northdoor’s clients wanted to validate their preparations for the GDPR, we asked if they’d considered the unknown unknowns. And to give them an idea of what might be hiding on their corporate network, we ran a demonstration of the latest data discovery and classification technology for them.
To keep things fast and simple, we built a virtual server complete with database on the cloud and installed a test instance of a data discovery solution. We then selected a few target end-points—file servers and PCs—on the client’s network, and installed lightweight agents on them. Next, we created policies defining the data we were looking for, including the formats of dates of birth, phone numbers, passport numbers, National Insurance (NI) numbers, and so on. And then we let the tool go to work.
Bearing in mind that this client felt they were well prepared for the GDPR, and that they had followed best-practice approaches, you may be as surprised as they were to learn that the resulting
Closer inspection of the report revealed that a large amount of the hidden personal data was in employee records inherited during a corporate acquisition made more than ten years previously. The old payroll data included items that would still be current, such as NI numbers and dates of birth. To find this data, the software had searched inside databases, spreadsheets and Word documents—even within zipped folders—and used optical character recognition to parse personal data in PDFs of scanned documents.
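To make the policy-driven discovery described above concrete, here is an added illustrative scanner (example code written for this post, not Northdoor’s tool or any vendor’s product). It applies hypothetical classification patterns for NI numbers, dates of birth and UK phone numbers to files, descends into zip archives the way the report describes, and runs over a constructed sample of an inherited payroll export; PDF/OCR handling is out of scope.

```python
import io, re, zipfile
from collections import Counter

# Hypothetical classification policies for the data types the article names (illustrative regexes).
POLICIES = {
    "ni_number": re.compile(r"\b([A-Z]{2})\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "date_of_birth": re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
    "uk_phone": re.compile(r"\b0\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}\b"),
}

def valid_ni_prefix(prefix: str) -> bool:
    """Drop candidates with prefixes HMRC never issues, to cut false positives."""
    bad = any(c in "DFIQUV" for c in prefix) or prefix[1] == "O"
    return not bad and prefix not in {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}

def classify_text(text: str) -> Counter:
    """Count matches per policy in one piece of text."""
    hits = Counter()
    for label, pattern in POLICIES.items():
        for m in pattern.finditer(text):
            if label == "ni_number" and not valid_ni_prefix(m.group(1)):
                continue
            hits[label] += 1
    return hits

def scan_blob(name: str, data: bytes, depth: int = 0) -> dict:
    """Map each file (or zip member) that has hits to its per-policy counts."""
    # Zip archives are opened in place; depth limit guards against nested-archive bombs.
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        findings = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if not member.endswith("/"):
                    findings.update(scan_blob(f"{name}/{member}", zf.read(member), depth + 1))
        return findings
    hits = classify_text(data.decode("utf-8", errors="ignore"))
    return {name: dict(hits)} if hits else {}

def build_sample_archive() -> bytes:
    """Constructed sample: a zipped payroll export inherited in an acquisition."""
    payroll = (
        "name,ni_number,dob,phone\n"
        "A. Example,AB 12 34 56 C,14/03/1976,01234 567890\n"
        "B. Example,QQ123456A,02/11/1981,020 7946 0000\n"  # QQ prefix is never issued
        "C. Example,JG 98 76 54 B,30/06/1969,\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll_2007.csv", payroll)
    return buf.getvalue()
```

Running `scan_blob("legacy_payroll.zip", build_sample_archive())` reports the CSV inside the archive with two NI numbers, three dates of birth and two phone numbers; the QQ-prefixed value is rejected by the prefix check rather than inflating the count.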
Under the GDPR, the onus is on every organisation to know what personal data they hold and to apply the appropriate protection. There are potentially costly liabilities in mismanaging data, in holding data when you are no longer entitled to do so, and in failing to respond fast enough to events such as breaches or data-subject requests. Achieving all of this for well-defined stores of data is hard enough, but when you throw into the mix all the data that may be hiding on network drives, cloud shares, email servers, desktops and laptops, the challenge can seem overwhelming.