The Art of Knowing
The required compliance date for the EU GDPR is officially less than two months away. And although we’ve heard the warnings about the importance of this regulation, not to mention the heavy hand that’s going to accompany it, many organizations remain extremely unprepared.
As part of the Regulation, organizations must know exactly what personal data they have and where it resides. They must know how that data is being processed and how it’s being shared; and they must be able to identify that data. Yet the ability for organizations to get their arms around their data remains one of the biggest challenges they face.
What is Personal Data under the Scope of GDPR?
By definition, personal data is any information, whether objective (works as a banker), subjective (an opinion), or sensitive (a pregnant woman), that relates to an individual: it is about a particular person or impacts a specific person. That individual is identified or identifiable, directly or indirectly: you know me by name (direct), or you know me as the person writing this blog (indirect). The definition applies only to a living human being, although national laws may differ on deceased persons. It includes data provided by the electronic devices we use, such as cookies, IP addresses, location services and others. When combined with unique identifiers and other information, this data provides the ability to create a profile and identify a person.
The key to an effective data discovery strategy starts with understanding where personal and sensitive data is being held. Personal data resides everywhere – and is both structured and unstructured in nature. It’s hiding in legacy systems and file shares; it’s living on desktops and in emails. The inability to discover and protect that data will leave organizations extremely exposed and subject to some very real repercussions. By leveraging the appropriate technologies and employing a sound process, you can start to effectively control and manage the personal data that resides within your organization.
Equally important is the ability to identify and catalogue that data. Once the data has been discovered, this exercise will provide some much-needed visibility, enabling an organization to determine what types of data are being held and where they reside. Given that not all data is created equal, it’s not all going to be subject to the same scrutiny or data protection requirements. It will be important for organizations to fully understand their data in order to implement the appropriate controls and make the correct decisions with respect to what needs to be protected, and how to protect it.
Are you ready?
Although it’s a stretch to think that all organizations will be fully compliant by May 2018, it will be critical that they’re able to demonstrate that a best effort is being made and that they’re implementing the appropriate strategies and controls to become compliant. So now ask yourself – do you know where all your organization’s personal data resides? If the answer is no, you’ve got some work to do.