
What can a data privacy scan tell you about your company?

Have you ever run a data mapping scan on your company’s data storage? How can you use your results to improve your data storage practices and protect people’s personal data?

This guide shows you how a good data mapping tool works and how to interpret your data privacy scan results so you get the most out of them.

Review your privacy scan results

  1. Look at your overall risk level. Start by getting an idea of your overall risk. How much risk data and high-risk data was found? Is it more than you expected?
  2. Review your high-risk categories. What types of files contain the most risk data? Think about which categories you really need to keep. Do you spot any that could be eliminated?
  3. Assess your data locations. Which storage location contained the most high-risk files? Do you consider that storage location a safe place? Have you set up the proper controls to restrict access to it?
  4. Make a correction plan for your company. Who should clean up the shared drives? How long should files be kept according to your privacy policy? Are there certain locations where you do not want risk data to be stored? Are there certain types of sensitive data you want to avoid storing altogether?
What if I don’t have very much risk data?

Awesome! Now that you know your company does not store a lot of sensitive data, keep it that way, and feel free to brag about it. Use your privacy policy to tell people that you perform regular privacy scans with data mapping software to minimise privacy risks.

Start your clean-up

  1. Use filters to find specific files. Use filters to view lists of files by location, category, sensitive keyword, person, or risk level.
  2. Open high-risk files and see why they were flagged. A good data mapping tool lets you instantly pull up any file on the list and see why it was flagged as high-risk. Review each file and mark it as either OK or Critical.
  3. Delete old files. The GDPR does not specify a time limit for keeping data, but it does require you to set a data retention limit, justify it in your privacy policy and stick to it. Keeping personal data longer than your privacy policy promises is considered a violation of regulations.
  4. Delete inappropriate data. Checking the keywords that caused a file to be flagged will give you an idea of whether you should keep it. Consider whether you have a legitimate purpose for keeping sensitive information about someone’s race or beliefs, for example.
  5. Move data to designated folders and locations. Storing duplicates of the same high-risk file in multiple locations or inboxes is a red flag. Make sure data is where it should be, and delete unnecessary copies.
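As an added example (not DataMapper's code), here is how the review steps above (overall risk, top categories, top locations) and the clean-up checks (duplicates, retention, special categories) can be run over scan output; the record fields, risk weights and the sample records are constructed assumptions.

```python
# Added example, not the product's code: triage data-mapping scan results
# the way the review and clean-up steps describe. Field names are assumed.
from collections import Counter, defaultdict
from datetime import date

# Constructed sample scan output: one record per flagged file.
SCAN_RESULTS = [
    {"path": "//shared/hr/cv_2016.pdf", "location": "shared-drive", "category": "HR",
     "risk": "high", "keywords": ["national ID", "religion"], "sha256": "aaa1",
     "modified": date(2016, 3, 2)},
    {"path": "//onedrive/anna/cv_2016.pdf", "location": "onedrive", "category": "HR",
     "risk": "high", "keywords": ["national ID", "religion"], "sha256": "aaa1",
     "modified": date(2021, 6, 1)},
    {"path": "//mail/sent/invoice_112.docx", "location": "email", "category": "Finance",
     "risk": "medium", "keywords": ["bank account"], "sha256": "bbb2",
     "modified": date(2023, 9, 9)},
    {"path": "//shared/sales/leads.xlsx", "location": "shared-drive", "category": "Sales",
     "risk": "low", "keywords": ["phone"], "sha256": "ccc3", "modified": date(2024, 1, 15)},
]
TODAY = date(2024, 6, 1)                      # constructed "scan date"
RISK_WEIGHT = {"low": 1, "medium": 3, "high": 10}   # assumed weighting

def overall_risk(results):
    """Review step 1: a single score for the estate plus the count of high-risk files."""
    score = sum(RISK_WEIGHT[r["risk"]] for r in results)
    high = sum(1 for r in results if r["risk"] == "high")
    return score, high

def high_risk_by(results, field):
    """Review steps 2 and 3: which categories / locations hold the most high-risk files."""
    return Counter(r[field] for r in results if r["risk"] == "high")

def duplicate_high_risk(results):
    """Clean-up step 5: the same high-risk content stored in more than one place."""
    by_hash = defaultdict(list)
    for r in results:
        if r["risk"] == "high":
            by_hash[r["sha256"]].append(r["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}

def past_retention(results, today, retention_days):
    """Clean-up step 3: files older than the limit your privacy policy promises."""
    return [r["path"] for r in results if (today - r["modified"]).days > retention_days]

def special_category(results, terms=("religion", "race", "health")):
    """Clean-up step 4: flagged keywords that need a specific legitimate purpose."""
    return [r["path"] for r in results if any(k.lower() in terms for k in r["keywords"])]
```

Feed it your own export in place of SCAN_RESULTS and the functions return the lists you would work through in the clean-up steps.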
What if I have a lot of risk data and clean-up seems overwhelming?

The most labor-intensive part of data management, the data inventory, has been done for you. This has already put you ahead of the game, compliance-wise. Remember you are allowed to store sensitive data if you had a legitimate purpose for collecting it and you keep track of it.

Privacy laws like the GDPR do not specify exactly what must be done with the personal data you store or how much you can store, but they do require you to introduce “appropriate organizational and technical measures” to protect it.

A little check-up from time to time to make sure you know what you have goes a long way, and every bit of data minimization helps. Don’t put off clean-up for fear of what you might find. Use the data mapping tool regularly, for just a few minutes, and look for a couple of files you can put in their proper place or delete.


Improve your privacy practices

  1. Lock shared folders when appropriate. Folders in OneDrive or SharePoint that contain high-risk data can be locked to limit access to only those employees who need it.
  2. Be aware of syncing. If syncing is turned on in OneDrive, attachments people share with you by email will be automatically saved in your personal folder, even if you do not open or download them.
  3. Set up automatic deletion for your emails. Folders like “Deleted” and “Sent” are often good places to set up automatic deletion.
  4. Improve your privacy strategy. Can you keep sensitive data out of email folders altogether by using a safe data sharing add-in or a private upload point? Could certain types of sensitive data be kept in one place and protected?
  5. Repeat the scan and all the above steps periodically. Your company collects more personal data every day. Keep up with it by periodically repeating your data mapping scan.

Want to test out a data mapping tool?

If you are interested in a data mapping scan at your company, please check out our free trial of DataMapper.

Sebastian Allerelli

Governance, risk, and compliance specialist