Do you really know where your sensitive data (PII) resides?

Last month we ‘celebrated’ the anniversary of GDPR legislation becoming legally enforceable. 2 years on, a lot has happened. Some of which, as our guest blogger Tim Dunn explains below, may have distracted some organisations from gaining real visibility over their sensitive data and PII.

As you’ve probably heard before, GDPR compliance is a journey not a destination. There is no magic button that can be clicked to make your organisation 100% compliant. However, as Tim discusses below, going on that journey and taking the steps he outlines in the GDPR compliance maturity model, can deliver significant benefits over and above compliance.

Read on to find out more about these benefits and the steps to take to gain visibility of PII and your organisation’s sensitive data.

The General Data Protection Regulation (GDPR) came into force in May 2018. In the subsequent 2 years UK companies have not only had to ensure they are compliant with GDPR, but also prepare for Brexit and more recently adapt their businesses to working under Covid-19 restrictions. 

It’s fair to say that many organisations of all sizes were not ready to manage their obligations under GDPR by the May 25th 2018 deadline and whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in terms of identifying where Personally Identifiable Information (PII) resided in their systems. Which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an on-going basis. 

Common barriers to gaining visibility of PII

One major barrier to gaining visibility to sensitive data is that there are a myriad of IT and business systems with their own individual data stores. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.   

Another major challenge is that the Data Owners and Data Protection Officer (DPO) are typically business executives rather than IT. Whilst they are the people who need to ask questions of what Data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the results. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis where businesses had to develop new business practices to continue trading.  

GDPR compliance: 4 steps to maturity

Understanding with confidence where the companies’ sensitive data is stored and who can access it, is the foundation and starting point for an effective Data Protection capability. When adopting a maturity model as below, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability. 

GDPR compliance majurity model

Once a company knows where their data resides and can ensure it is appropriately controlled and protected, they will gain significant business benefits beyond just GDPR compliance. 

  • It greatly reduces costs associated with managing data protection and management. 
  • It saves time and limits the resource required to gain visibility and control over data. 
  • It increases business agility through both the time-savings and the reduction of risk in implementing new business models and services. 
  • Improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customer’s data and privacy. 

If you would like support understanding where your business’s sensitive data resides, please get in touch with our team.   

About Tim Dunn   

tim dunnTim has been in the software industry for the past 30 years, with the last 20 years spent specialising in the Cyber Security and Data Protection arena. He is a trusted advisor for many global organisations on Data Privacy and Cyber Security technologies.  

As well as managing a number of successful start-ups, Tim also managed the UK for Baltimore Technologies a major Security Software Vendor, CA Technologies and BMC Software’s Security Businesses across EMEA.   

In 2017, Tim co-founded eSpyder with Thomas Zell and Jason Coleman to support Data Processing Officers (DPOs) in their role of ensuring company compliance with the GDPR and regional data protection legislation.   

eSpyder has been designed from the ground up providing DPOs with the tools to respond to Data Subject Access Requests (DSARs) quickly and easily. It also allows users to track progress in terms of DSARs processing and corporate data storage and retention. Designed to be invisible and seamless for users, but fully configurable for administrators and GDPR consultants. eSpyder is able to rapidly identify Personal Identifiable Information across a customers’ estate no matter if on servers, clients, visible or hidden, remote or on premise.  

The Cloud Business’s GDPR Compliance Platform is based on the industry leading eSpyder Enterprise PII identification engine. 

Cloud Business logo white
Microsoft Gold Partner Logo - Cloud Business

Cloud Business Limited
8 North Street
Guildford
GU1 4AF

2023 © Cloud Business Limited
Registered Company in England and Wales 06798438