How to find your company’s sensitive data

How to find your sensitive personal data

When you need to find your files, emails and pictures with personal information, you should follow these 3 steps:

1. Know what to look for
The number of different types of personal information is huge. Therefore, it is a good idea, before you start finding your personal data, to define exactly what information you are looking for. Here is a list.

2. List your storage locations
Where do you and your team store all the data you collect? Here are a few types of locations that must be checked for sensitive data: 

• Local drives 
• Network drives  
• Cloud storage  
• Email folders
• Online services

Most companies do not just use one type of cloud storage, and most employees (unfortunately) do not always use their work computer or email. Therefore, the list of individual locations you will need to check for sensitive data will quickly become much longer. 

3. Choose your method of finding data
Now you know what to search for, and where you might find it.  

However, this only shows what a big job you have in front of you. How can you be sure you identify every ID number, credit card number, medical condition, political opinion, etc., that has made its way into your storage locations? 

Here are three options for data discovery: 

• DIY. Assign someone from your own team to sort through files. This option is expensive because it is so time-consuming. It is also prone to errors and the process may expose you to breach in and of itself if it is not handled properly. 
• Hire a service. Hiring a data discovery service to find your sensitive high-risk files is another option, but it still does not eliminate the risk of human error, it exposes sensitive data to more eyes, and it is very expensive. 
• Get smart software. Using smart data discovery software to automatically find sensitive data in your systems is an easy, cost-effective way to perform regular data inventories and evaluate your risk exposure. 

Some companies may hesitate to perform a data inventory because they are afraid of the issues they might find. But in fact, just having the data inventory done will give you a huge advantage if you are audited by the authorities, as visibility and documentation are an important part of compliance. And if you are exposed to a cyber attack, a data inventory will help you hide the values - in this case sensitive personal data – out of the way.

Here are a few additional things you can do once you have your data inventory: 

• Make sure you have consent or another lawful basis to keep data you store 
• Delete sensitive data you no longer use or if you do not have a legal basis to store it 
• Restrict access to certain files to only those who need it 
• Protect sensitive data at rest and in transit
• Prepare an impact assessment (DPIA) for your data. Download a free template here.

Instead of spending hours each month finding your data, which contains personal data, you can solve the task much faster and more precise with a digital tool. In Safe Online, we have developed DataMapper, which is a browser-based data discovery tool that uses artificial intelligence to find files, emails and images that contain personal data across the company’s data systems.

Read more about DataMapper here