Compliance reality check: do we really know where sensitive data sits?

Knowing where data sits. It's probably the biggest challenge of all businesses. In order to fully leverage the business asset that data is, you need to know where it sits. If you want your knowledge workers to waste less time looking for information, they need to know where the data and information they require sits.

Most organizations don’t know where all personal data, let alone all data and information, sits

In the latter case, it's even better when the systems containing the data they need are designed and connected so that they can retrieve the needed information fast, with their tasks in mind. Yet this too starts with knowing where data sits.

In a context of compliance and data protection, the big cybersecurity driver and a key topic for many organizations nowadays, it's essential to know where specific categories of data sit in the universe of big data, small data, unstructured data and whatever other sorts of data, carriers, channels, repositories and systems you have.

In fact, one of the main strategic steps in becoming GDPR compliant is essentially knowing where personal data sits. As mentioned on our GDPR overview page, it's part of any strategy (typically the assessment and awareness stages).

Compliance reality check

Locating personal/sensitive data: an easy task – or so it seems

And then there is sensitive personal data, which matters in so many compliance perspectives beyond the GDPR as well. Take healthcare data: highly sensitive personal data.

In order to prevent sensitive and/or (sensitive) personal data from getting stolen or lost, with serious potential consequences as a result, the capability to locate it is obviously key. But that is much harder than we tend to think. Moreover, locating isn't enough, nor is compliance.

To quote from the research we tackled in the context of personal/sensitive data, digiti(al)zation and cybersecurity in healthcare: "organizations need to be more capable with regards to the location of sensitive data, also among others for cloud, Big Data, containers and the Internet of Things (IoT)", whichever of these you use.

Maybe you don't leverage the IoT yet (there are specific aspects regarding IoT and compliance if you do). And maybe knowing where personal data sits is a bit easier for your business if there is no 'true' big data, no containers and perhaps not even significant cloud usage.

In that case, knowing where personal data sits might seem easy enough. Look in your various information repositories, your databases, your information processes, your communication channels, the HR systems, your customer data, marketing platforms, intranet, accounting system, file sync and share applications, those that your mobile workers use...

OK. It did sound easy enough until we started summing up some of the platforms and places where data resides. The reality is that most organizations don't know where all personal data, let alone all data and information, sits at all; it's one of the main reasons why they aren't able to fully leverage it.

File sync and share: where does data sit in the fragmented enterprise brain?

The issue is not just one of silos and disconnected systems. For instance, think about the file sync and share applications your mobile workers use.

In the fragmented enterprise brain of file sync and share and ubiquitous storage, sensitive and personal data resides in the most hidden places

Are you sure you know what they use? As a matter of fact, do they remember themselves? Maybe they simply use Google Drive today as a document storage and retrieval platform because it's cheap, handy and makes it easy to access documents when working on a trip. Maybe they also still have an old Box Starter account, a Dropbox, Microsoft OneDrive and so forth.

The challenge of these platforms isn't new, nor is it related to the GDPR or other rules and regulations alone. Back in 2013, Huddle reported on the fragmentation of the enterprise brain, finding that 38 percent of US office workers and 43 percent of UK office workers stored work documents on their private cloud apps. And you can bet there is quite some sensitive data and personal data in there too.

The GDPR does provide a margin of manoeuvre for individual member states to specify its rules, among others with regards to sensitive data, but it clearly is very sensitive about sensitive data.

The challenge of ubiquitous storage

And there is more. How many mails with attached work-related documents, possibly containing personal data of whomever, sit in web-based solutions such as Gmail?

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms (GDPR)

Are you sure your staff haven't sent an exported Excel file containing customer data to themselves or anyone else via Gmail, even with no bad intentions at all?

And what about all sorts of external media such as USB sticks or hard drives? Mobile phones? Older mobile phones that linger around? Laptops? Older laptops? Storage is ubiquitous and so is data. People do use multiple platforms and devices for work, and these can be stolen or, as mentioned, simply forgotten.

The point is that in reality, certainly (but not exclusively) in somewhat larger firms, no one knows where ALL the information sits, let alone all personal data and/or sensitive data.

Of course that isn't a reason not to do everything you possibly can to become GDPR compliant. Once the Regulation is a fact, jurisprudence will tell, and exceptions are and will be foreseen.

No one can make miracles happen, and if some former employees have sensitive data on one platform or device or another, you might never be able to know. Still, there is no reason whatsoever not to make sure you know where all data sits and what happens with it.

Compliance and culture: the dangerous things we do with data

It's not just about systems, policies, training and so forth. It's not even just about location, but also about what we do with data, which is equally a matter of culture, among others with regards to how we carry data around without considering its value. Or with regards to how we print data without thinking too much.

Despite ample efforts and years of creating awareness about the paperless office, we still print a lot, and when we print we have paper. Depending on what's on that paper, more compliance issues surface, which we tend to overlook.

The paperless dream is a dream: we massively print data and information that is 'born digital'. Awareness and cultural changes are needed in and beyond a paper and compliance perspective.

It could be a printed lab test result of a patient. It could also be a list of all patients over a period of time. Or that exported customer file which someone wants to take into a meeting. What happens to it afterwards? De facto, that really depends on whoever printed the information, for whatever purpose (on top of a meeting, it could be to take it back home and read it in the evening; you can imagine the many scenarios).

Knowing where data sits. And what is done with it. Not an easy task at all. Yet it is more than time to begin, and to really look at people, our workers, ourselves and our mindsets. And to really ask the right questions about all those places where crucial data might sit and all those dangerous things we do with it without thinking about the consequences.

Top image: Shutterstock – Copyright: Gustavo Frazao – All other images are the property of their respective mentioned owners.