How to find personal data with a data mapping tool

This guide should provide an insight into the process of working with a data mapping tool and how it can be used to locate personal information. Our guide is based on our own data mapping tool, DataMapper.

When cleaning up with a data mapping tool, the task should be divided into two; there is the first part of the cleanup, which is about preparing the clean-up. This part is handled by an administrator. Next, there is the actual clean-up work, which is carried out by the individual employee. We recommend these 4 steps when cleaning up a data mapping tool:

1. Select data systems (admin)
2. Company scan (admin)
3. Limiting the cleanup (admin)
4. Cleanup (user)

Start by selecting the data systems where you suspect that you store sensitive data. These will typically be local disks, cloud solutions, mail client etc. Once the data systems have been selected, the admin initiates a scan of the entire company’s data.

After the initial company scan, the administrator should focus on getting an overview of the company’s sensitive data. Here we recommend that you follow these 4 steps:

1. Files: Get an overview of your files with sensitive content; how many files with risk and how many with high risk have been found? Are there more or fewer than expected? Is there sensitive data stored in multiple locations? What types of files contain the most risky data? Are there any terms and categories that should be omitted or added?
2. Data systems: In which computer system are most files found? Rate if this system is safe. Should you restrict access to this system to reduce risks?
3. Employees: Which employees and departments have the largest amounts of sensitive data? Are there any work processes that should be changed?
4. Cleanup plan: A clean-up plan should be drawn up, which should be aligned with your privacy policy. Determine, among other things, how long files are stored, where sensitive data must be stored, etc. Appoint the employee or employees who will be responsible for cleaning up the shared folders in your data systems. Also prepare a plan for how users will clean up; do they have to do the whole cleanup at once or do they have to do it in bits and pieces?

When you have gained certainty about the amount of personal data you have lying around, try to use this as a benchmark going forward and work your way down continuously.

The next step for the administrator is to organise the clean-up in relation to the insight the business scan has provided. We often see that when a user scans their data, a lot of files with sensitive content come up. It can seem like an overwhelming task. Therefore, we recommend that you content yourself with a sample of all the data you have. This can be done in 3 ways:

1. Terms: Decide which sensitive terms to search for and which to leave out. This can be particularly useful if there are many “false positives” in the results. A false positive is a file that has been scanned and contains sensitive content, but does not actually have sensitive content. It could, for example, be an email that says “No stress”. If there are other terms that are not normally considered sensitive, include them in the scan.
2. Categories: Specify which sensitive categories to search for and which to exclude. This is useful if you only want to scan for politically sensitive information or do not want to scan for trade union information, for example.
3. Filters: Implement filters for users. It may be that you want to start with all data in a specific data system, that you only want to focus on high-risk files, or that you only want to concentrate on files that are over 5 years old, etc.

After the administrator has gained an overview, the users must start cleaning up their data. The administrator sends the employees, who need to clean up their data, an invitation to DataMapper. Once the individual employee has registered and scanned his data, the employee can start the cleanup.

After the scan, the user gets a list of files in DataMapper that contain a GDPR risk. This risk can be either (normal) “Risk” or “High risk”. The user should review all scanned files. For each file, the user has 3 options; you can delete, move or approve the file.

1. Keep: If you want to keep the file, you must mark it as “resolved”. You should approve the file if either:
   – You understand and accept the risk
   – The file is where it should be
   – You still have a good reason to keep it
2. Move: If, on the other hand, you want to move the file, you must click on “go to document” to move, edit or delete it
3. Delete: If you simply want to delete the file, you can also do this directly from within the data mapping tool.

We recommend proceeding like this:

1. Start with high-risk files; See what sensitive content they have
2. Delete old files
3. Delete duplicates
4. Move data into correct folders and data systems
5. Approve all files that do not actually contain sensitive content

After you have reviewed your results, start your cleanup.

• The rules of the GDPR do not specify a specific time frame for how long you may store data, but you should set an upper limit for how long you store data on others. Get it written into your privacy policies – and stick to them. Storing personal data for longer than what your privacy policy prescribes is generally a bad idea and is in breach of GDPR legislation in general.
• When you have emptied your trash on your computer, the files are finally deleted – and when you initiate a scan of your local drives, there should therefore be no results from this. If you are in doubt about how to set up automatic deletion, you can (in Outlook) use this guide: set up automatic deletion in Outlook.
• Keeping duplicates of the same files in multiple locations or inboxes will cause the red lights to flash. Be sure that the data you have left after going through it in a datamapping tool is stored in correct locations and unnecessary copies have been completely deleted. Then cleaning up in the future will also be much easier.

Using data mapping tools can show you a different and smarter way of handling personal data. Here are the top 5 improvements/changes we see companies make after using a data mapping tool:

1. Employees have access to data only if they need it to do their jobs
2. They disable mail synchronisation to prevent email attachments landing in personal folders
3. They set up automatic email deletion, especially for emails with attachments
4. They choose better data-sharing tools, as well as centralised data storage.
5. From time to time, they check up on themselves with a new scan to make sure data stays neat, organised and protected.

I hope this enlightened you on how a data mapping tool works. If you need to clean up your data, you should take a closer look at our data mapping tool DataMapper.