
What can a data privacy scan tell you about your company?

A datamapping tool is a piece of software that helps organizations build a visual representation of their data. It provides a clear picture of the data in the organization. Certain datamapping tools can also be used to find personal information in files, emails and images.

This guide gives an insight into what working with a datamapping tool is like and what such a tool can do when it comes to locating personal information.

Start by reviewing your scan results

The first thing you do after setting up a datamapping tool is to run a scan. You select the data locations where you store data, typically local disks, cloud solutions, mail clients and so on. Once the scan is done, start with these four steps:

  1. Look at your risk level overall. Start by getting an idea of your overall risk. How much risk and high-risk data was found? Is it more than you expected?
  2. Review your high-risk categories. What types of files contain the most risk data? Think about which categories you really need to keep. Do you spot any that could be eliminated?
  3. Assess your data locations. Which storage location contained the most high-risk files found? Do you consider that storage location a safe place? Have you set up the proper controls to restrict access to it?
  4. Make a correction plan for your company. Who should clean up the shared drives? How long should files be kept according to your privacy policy? Are there certain locations you do not want risk data to be stored? Are there certain types of sensitive data you want to avoid storing altogether?

Once you have confirmed that your company does not store a lot of sensitive data, keep it that way, and feel free to brag about it. Use your privacy policy to tell people that you perform regular privacy scans with data mapping software to minimise privacy risks.

Find and monitor sensitive data

Next step: The cleanup of sensitive data

After you have performed your scan, you must start the actual cleanup.

1. Use filters to find specific files.
Make use of the various filters to facilitate the cleanup of the scanned data. Use filters such as location, category, person or risk level. If a flagged file is in a location you have access to, delete it yourself; otherwise ask the person who “owns” it to delete the found document. Remember that once you have found one copy of a document, there is a good chance that duplicates exist elsewhere, which is why the result of your first scan may seem large.

2. Open high-risk files and see why they were flagged.
A good data mapping tool lets you instantly pull up any file on the list and see why it was flagged as high-risk. Review each file and mark it as either OK or Critical.

3. Delete old files
The rules of the GDPR do not specify a time frame for how long you may store data, but you should set an upper limit for how long you store data on others. Get it written into your privacy policies – and stick to them. Storing personal data for longer than your privacy policy prescribes is generally a bad idea and is in breach of the GDPR in general. Only when you have emptied the trash on your computer are the files actually deleted – and when you then scan your local drives, they should therefore no longer show up in the results.

4. Move data to designated folders and locations.
Keeping duplicates of the same files in multiple locations or inboxes will cause the red lights to flash. Be sure that the data you have left after going through it in a datamapping tool is stored in the correct locations and that unnecessary copies have been completely deleted. Then cleaning up in the future will also be much easier!
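As an added example (not DataMapper's code and not part of the original article), the following Python script performs a minimal scan over a constructed set of files across several locations, classifies the personal data found, ranks each file by risk level, aggregates the result for the four review steps above, and lists the files that are older than the retention limit so they can be removed as part of the cleanup steps. The detector patterns, the risk level per category, the sample files and the five-year retention period are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import date, timedelta

# (category, pattern, risk level); risk levels are an assumption (1 low, 3 high). The
# highest risk runs first and its hits are blanked so a card number is not also a "phone".
DETECTORS = [
    ("payment_card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), 3),
    ("phone", re.compile(r"(?:\+\d{2} ?)?\b\d{2}(?: ?\d{2}){3}\b"), 2),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 1),
]

def classify(text):
    hits = {}  # {category: hit_count} for one file's content
    for name, rx, _ in DETECTORS:
        found = rx.findall(text)
        if found:
            hits[name] = len(found)
            text = rx.sub(" ", text)
    return hits

def scan(files, today, retention_days):
    """files: (location, path, last_modified, text) tuples; returns only files holding personal data."""
    findings = []
    for location, path, modified, text in files:
        cats = classify(text)
        if cats:
            findings.append({"location": location, "path": path, "categories": cats,
                             "risk": max(risk for name, _, risk in DETECTORS if name in cats),
                             "expired": modified < today - timedelta(days=retention_days)})
    return findings

def summarize(findings):
    """The four review steps: overall risk, risk categories, locations, and the cleanup list."""
    high = [f for f in findings if f["risk"] == 3]
    return {
        "high_risk_files": len(high),
        "by_category": dict(sum((Counter(f["categories"]) for f in findings), Counter())),
        "high_risk_by_location": dict(Counter(f["location"] for f in high)),
        "expired_files": sorted(f["path"] for f in findings if f["expired"]),
    }

# Constructed sample locations and files (not real data; the card number is a public test number).
SAMPLE_FILES = [
    ("OneDrive", "hr/applicants.txt", date(2019, 3, 4), "Anna Example, anna@example.com, tel +45 12 34 56 78"),
    ("Mailbox", "Sent/receipt.eml", date(2024, 5, 20), "Card 4111 1111 1111 1111 charged, contact jens@example.org"),
    ("SharedDrive", "notes/agenda.txt", date(2024, 5, 30), "Agenda: budget and roadmap"),
    ("SharedDrive", "old/invoices.csv", date(2018, 1, 15), "4111 1111 1111 1111;Example Ltd"),
]
REPORT = summarize(scan(SAMPLE_FILES, today=date(2024, 6, 1), retention_days=5 * 365))
```

A real scan would read the contents from the actual locations and extend DETECTORS with the categories that matter to your organisation; the report shape is what the review steps need.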

Risk documents tab

The cleanup can seem unmanageable if there are very many files. This often happens if all locations are scanned at the same time. The most important thing is that you have decided to clean up your data – and that you consider how much you collect on your contacts and how you will keep track of it in the future, so that it is not an equally big task every time.

Privacy laws like the GDPR do not specify exactly what must be done with the personal data you store or how much you can store, but they do require you to introduce “appropriate organizational and technical measures” to protect it. A little check-up from time to time to make sure you know what you have goes a long way. And every little bit of data minimization helps.


Improve your privacy practices

A datamapping scan can and should provide fertile ground for a different and smarter way of handling personal data. Here are 5 steps you should use going forward:

1. Lock shared folders where it makes sense.
Many folders in OneDrive or SharePoint contain sensitive data. Such folders can advantageously be locked, with access granted only to the individual employees who actually need it.

2. Pay attention to synchronization.
If synchronization is switched on in e.g. OneDrive, attachments that people share with you via email will automatically be saved in your personal folder – even if you don’t download or open them. It can therefore be an advantage to switch off automatic synchronization, or to make it a habit to browse your attachments at regular intervals, so that what should be there is there – and what should not be there is not.

3. Set up automatic deletion of emails.
In many cases it is a good idea to set up automatic deletion for e-mails with attached files. The folders where this is most often set up are “deleted e-mails” or “sent” – and if you don’t have it set up, you can do it yourself and adjust how often the deletion should occur.

4. Improve your privacy strategy.
Can you keep sensitive data out of email folders by using a secure data sharing add-in or a private upload drive that only you can access? Are there certain types of sensitive data that could be stored in one place?

5. Repeat the scan and the previous steps at regular intervals.
Your company collects sensitive and personal data almost every day – even without directly asking for it. To always stay on top of what you (and possibly your team of employees) are storing, make it a habit to use the datamapping tool at regular intervals – then the clean-up will also be more manageable in the end.


Want to test out if a datamapping tool is right for you?

I hope this enlightened you on how a datamapping tool works. At Safe Online, we have created the data mapping tool DataMapper.

Sebastian Allerelli

Governance, Risk & Compliance Specialist