Data Discovery: to Tool or not to Tool?
GDPR poses several new challenges for businesses, the most important being the following:
1. Where are sensitive data stored throughout the IT infrastructure?
2. How can sensitive data be identified in structured, semi-structured and unstructured forms?
3. How can a single view be created to easily locate all data belonging to any particular person?
4. How can compliance be maintained after 25 May 2018, and how can systems meet the new rights of data subjects?
The basic processes in a GDPR project are data discovery, data mapping and data flow identification. But how can they be carried out without full knowledge of exactly what resides where (so as to answer why it is there)?
I am of the opinion that the above questions cannot be answered through simple interviews, because there is a very serious risk that data mapping will not be done properly, either through ignorance or even deliberately: no one will “confess” to keeping local copies of what passes through their hands, or they simply cannot know exactly what is on their PC, since it may previously have belonged to another coworker and still hold forgotten copies of documents, stored e-mail attachments, etc. Another problem is finding scanned pages, which contain sensitive personal data but are not ordinary text files. Missing these findings creates the risk that information never reaches the end of the project, leaving the vulnerability assessment and risk assessment literally “in the air”, since they will be developed without precise knowledge of the information held and its locations.
A data discovery tool with classification capabilities can also help significantly in creating the records of processing activities and, if combined with a DLP solution, in maintaining compliance.
Finally, in the urgent case of a security breach, data discovery can provide important information about the personal data at risk and support both the report to the Data Protection Authority and the decision whether to inform the affected individuals.
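To make concrete what a data discovery tool of the kind discussed here actually does, the following is an added example, not code from the original post or from any particular product. It walks a directory tree, looks for two personal-data patterns (e-mail addresses and IBANs, with the IBAN mod-97 check applied so that random letter-digit runs are not reported) in structured CSV, semi-structured JSON and unstructured text files, records where each hit was found (column, key path or line), and flags scanned files that cannot be inspected without OCR. The file names and contents are constructed for the example; the detector set is deliberately small and would be extended for a real deployment.

```python
"""Minimal data-discovery scanner (added example, not the post's own code).
Walks a directory tree, reports where personal-data patterns occur in CSV,
JSON and plain-text files, and flags scanned files that need OCR first."""
import csv
import json
import os
import re
import tempfile
from collections import Counter

# Detectors: e-mail addresses and IBANs. The IBAN check uses ISO 7064 mod 97-10.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Image-only formats: content is not searchable until it has been OCR'd.
SCANNED_EXTENSIONS = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg", ".png"}


def iban_checksum_ok(candidate):
    """Move the first four characters to the end, map letters to 10..35, mod 97 == 1."""
    rearranged = candidate[4:] + candidate[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def classify(text):
    """Yield (kind, value) for every personal-data pattern found in text."""
    for m in EMAIL_RE.finditer(text):
        yield "email", m.group()
    for m in IBAN_RE.finditer(text):
        if iban_checksum_ok(m.group()):
            yield "iban", m.group()


def mask(value):
    """Keep only the edges so the inventory itself is not another copy of the data."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:] if len(value) > 4 else "*" * len(value)


def iter_fields(path):
    """Yield (location, text) pairs; the location differs by file form."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, encoding="utf-8", errors="replace") as fh:
        raw = fh.read()
    if ext == ".csv":  # structured: row number and column name
        for row_no, row in enumerate(csv.DictReader(raw.splitlines()), start=2):
            for column, value in row.items():
                yield "row %d column %s" % (row_no, column), value or ""
    elif ext == ".json":  # semi-structured: dotted key path, whatever the nesting
        def walk(node, prefix):
            if isinstance(node, dict):
                for key, val in node.items():
                    yield from walk(val, prefix + "." + key if prefix else key)
            elif isinstance(node, list):
                for idx, val in enumerate(node):
                    yield from walk(val, "%s[%d]" % (prefix, idx))
            else:
                yield prefix, str(node)
        yield from walk(json.loads(raw), "")
    else:  # unstructured text: line number
        for line_no, line in enumerate(raw.splitlines(), start=1):
            yield "line %d" % line_no, line


def scan_tree(root):
    """Return (findings, needs_ocr): masked hits with locations, and scanned files."""
    findings, needs_ocr = [], []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() in SCANNED_EXTENSIONS:
                needs_ocr.append(rel)  # cannot be classified without OCR
                continue
            for location, text in iter_fields(path):
                for kind, value in classify(text):
                    findings.append({"file": rel, "location": location,
                                     "kind": kind, "sample": mask(value)})
    return findings, needs_ocr


def build_sample_tree(root):
    """Constructed sample files; every name and value here is made up."""
    os.makedirs(os.path.join(root, "hr"), exist_ok=True)
    with open(os.path.join(root, "hr", "payroll.csv"), "w", encoding="utf-8") as fh:
        fh.write("employee,email,iban\n"
                 "A. Example,a.example@example.org,GB82WEST12345698765432\n"
                 "B. Example,b.example@example.org,GB00WEST12345698765432\n")  # bad checksum
    with open(os.path.join(root, "crm_export.json"), "w", encoding="utf-8") as fh:
        json.dump({"customers": [{"name": "C. Example",
                                  "contact": {"email": "c.example@example.org"}}]}, fh)
    with open(os.path.join(root, "old_notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("Forgotten notes from the previous owner of this PC\n"
                 "call back d.example@example.org about the invoice\n")
    with open(os.path.join(root, "hr", "scanned_contract.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 placeholder for an image-only scan\n")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    found, ocr = run_demo()
    for f in found:
        print("%s: %s: %s (%s)" % (f["file"], f["location"], f["kind"], f["sample"]))
    for p in ocr:
        print("%s: scanned file, OCR required before classification" % p)
    print(Counter(f["kind"] for f in found))
```

The report stores masked samples on purpose: an inventory that quotes the matched values in full would itself become another copy of personal data to protect. The `needs_ocr` list is the scanned-pages problem from the post made visible, since those files stay blind spots until an OCR step feeds their text into the same classifiers.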