Why ‘discovering’ your data is an essential step in GDPR compliance
GDPR is coming, and undoubtedly the hottest topic around compliance has been IT security and data protection.
Once the new regulations come into place, non-compliance could see businesses fined £17.5m or 4% of global company turnover – whichever figure is higher.
Naturally, the focus has been around preventing data breaches; NCC Group analysis shows that ICO data breach fines handed out to businesses last year would be an eye-watering 79 times higher under GDPR.
But securing your data isn’t the only element you should be looking at. In fact, how can you secure your data when you don’t know where it is?
No matter what your business does, you’ll hold Personally Identifiable Information (PII) in some form; very likely on customers and definitely on employees.
But that doesn’t mean the problem is solved. Chances are your PII won’t just be in your core systems; it could be in any number of systems you use, and most businesses have PII scattered around in structured or unstructured documents. This could include spreadsheets with lots of customer data, letters, invoices… the list goes on.
This data could be held both on premises and in the cloud, on ageing servers and even on non-approved systems thanks to the proliferation of shadow IT (where technologies are purchased without the consent or knowledge of the IT department).
How can you protect your data without knowing where it is?
It’s clear that identifying all of your data is an unavoidable task in order to start your journey towards GDPR compliance. You could assign this to a set of employees within your business, but there are significant risks and downsides to this.
Not only would this be mind-numbingly time-consuming and sap your employees’ productivity, there’s a lot of room for human error. Your people could search every corner of your IT infrastructure, but there’s a very high chance they’ll miss some data. You’d have to comb through every document, every CRM or ERP file, and then record it. You also can't predict where your employees might move your data to; it would be a guessing game.
Wouldn’t it be great if there was a technology that could remove the need for this incredibly laborious – and close to impossible – task?
Working with intelligent metadata solutions provider TermSet and next-gen business intelligence platform Qlik, we’ve put together a PII Discovery package that can automate the process of discovering your PII. This tool not only removes the manual requirement but also the very likely possibility of human error. What's more, we're offering a FREE trial of this tool – register your interest in our free trial.
TermSet’s ScanR technology inspects documents for 21 different types of Personally Identifiable Information and can work with SharePoint, Office 365 files and documents stored in file shares. You can also create your own bespoke taxonomies for your business’ specific requirements; for example, universities will assign student numbers.
When combined with Qlik Sense, this technology gives you an actionable report with details on what PII you have stored in your documents and folders, where it’s held and who has access to it. From there you can begin to protect this data (you can read more about how to do that in our concurrent GDPR security blog series). You can also implement acceptable usage policies for your employees, which we’ll cover in an upcoming blog.
GDPR is something no business can afford to ignore. But this doesn’t mean compliance should come at the expense of employee productivity. Before you can protect, secure or report on your data, you need to identify where it sits, who has access to it and the risks associated with it; remember, from May 2018 you’ll be obligated to provide a customer, employee or ex-employee with all of the information you have on them should they request it.
Digital transformation is all about automating processes to increase productivity, which in turn can increase profitability. Costs associated with GDPR are unavoidable; make sure you are investing in technologies that automate time-consuming, mistake-prone processes and allow your colleagues to focus on adding value.
We’re detailing the discovery element of GDPR in our upcoming GDPR: Discover webinar; if you missed the last one there’s still time to sign up. We’re also hosting an element on the final stage in GDPR compliance that can be actioned from your PII Discovery report – management and reporting, which you can sign up to. If you’re looking for end-to-end coverage of GDPR compliance supported by technology, there are still spaces available on our GDPR and Technology events in Newcastle, Manchester and London.