Do organisations really know what data they have? Where it is and who has access to it?
December 16, 2019
With increasing scrutiny on the security of personal data and severe financial and reputational implications for those firms experiencing breaches, it’s vital that businesses fully understand where personal data sits across their network - or face the consequences.
The ICO (Information Commissioner’s Office) recently said that companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, they will investigate and take action. Yet because personal data is often pervasive throughout an organisation, knowing exactly where it is and protecting it, in practice, is not easy. The vast amount of personal data typically handled by business services organisations means this is a real hot topic in the industry.
The benefits of using data discovery technology
Despite the spotlight the General Data Protection Regulation (GDPR) has shone on this issue and the impacts it’s brought to the way personal data is held and processed, some firms are still not making the most of technology to help expedite the reduction of risk or the other benefits technology can bring.
The deployment of data discovery technology to understand where Personally Identifiable Information (PII) exists on both your unstructured network – including file servers, laptops and desktops, and email – and structured databases can help you quickly understand what PII you hold, where it is, and who has access to it. This is an important step towards reducing the risk of storing data that is non-compliant with a regulation such as GDPR and an organisation’s data retention policy.
However, deploying data discovery technology just to comply with GDPR means you could be missing a trick - it has the potential to deliver much more for the various stakeholders within the business.
As the size and complexity of electronic networks within an organisation have grown during decades of cheap electronic storage, employees have become accustomed to having a never-ending amount of space that they can use to undertake what they need to do. Most people will, at some point, have thought “I will keep that as I may need it in the future” and when employees leave an organisation, their legacy of data is left behind, in some cases forever, and without anyone knowing what it contains. Cleaning up the electronic data that is no longer required is not something that has been the norm, nor something that is part of employees’ day jobs, but it is something that data discovery technology can assist with.
So what are the risks to your organisation?
As a result, large volumes of data residing on file servers, within databases and other data repositories could be:
● Non-compliant with regulation such as GDPR;
● Inconsistent with the organisation’s data retention policy;
● Costly in relation to short term and long term storage;
● Unknown, leaving organisations unable to leverage value from it because they are unaware that such data exists.
The last point is often referred to as “Dark Data”. Without unearthing it, an organisation cannot know whether the information it contains poses a risk to the organisation or holds potential value.
What next?
Data will continue to grow and explode. In an era where data is likened to the new oil, understanding what you have, where it is and who has access to it has never been more critical. The risk of not knowing what data you have, what PII and intellectual property it contains, or how old it is could be costly in the future. The ability to uncover and understand the data, and whether it is potentially harmful or helpful, will put organisations in a stronger position, not only increasing compliance with regulation, but also gaining value from data they were unaware of.
On a recent project, within our first month we helped a client discover in excess of 30 million personal data records that they were not aware of. We analysed, sample reviewed and categorised the data, then held workshops with their business unit data owners to enable them to make decisions on how to remediate the data found. During our time with the client we discovered over 1 billion records of personal data relating to both employees and customers which were held in a non-secure manner and in many cases were out of the organisation’s retention policy.
At PwC, we have a dedicated team focused on helping clients understand what data they have, reducing its risk and gaining value from it. We have worked with a number of clients to help them clean up their data repositories, respond to regulators, as well as remove stale and out-of-policy data from their electronic networks at speed through the deployment of both technology and review and remediation techniques. We work closely with their data and compliance teams and ultimately aim to transition our work to a business-as-usual service, meaning their teams are upskilled and can continue to reap the benefits into the future.
For further details, contact: