What can a data privacy scan tell you about your company?
Have you ever run a data mapping scan on your company’s data storage? How can you use your results to improve your data storage practices and protect people’s personal data?
This guide shows how a good data mapping tool works and how to interpret your data privacy scan results so you get the most out of them.
Review your privacy scan results
- Look at your risk level overall. Start by getting an idea of your overall risk. How much risk and high-risk data was found? Is it more than you expected?
- Review your high-risk categories. What types of files contain the most risk data? Think about which categories you really need to keep. Do you spot any that could be eliminated?
- Assess your data locations. Which storage location contained the most high-risk files? Do you consider that storage location a safe place? Have you set up the proper controls to restrict access to it?
What if I don’t have very much risk data?
Start your clean-up
- Use filters to find specific files. Use filters to view lists of files by location, category, sensitive keyword, person, or risk level.
- Open high-risk files and see why they were flagged. A good data mapping tool lets you instantly pull up any file on the list and see why it was flagged as high-risk. Review each file and mark it as either OK or Critical.
- Delete inappropriate data. Checking the keywords that caused a file to be flagged will give you an idea of whether you should keep it. Consider whether you have a legitimate purpose for keeping sensitive information about someone’s race or beliefs, for example.
- Move data to designated folders and locations. Storing duplicates of the same high-risk file in multiple locations or inboxes is a red flag. Make sure data is where it should be, and delete unnecessary copies.
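The review and clean-up steps above, worked through on a constructed scan export as an added example (this is not code from the original guide or from any particular data mapping product; the record fields, the `sha256` content hash and the sample paths are assumptions):

```python
from collections import Counter, defaultdict

# Constructed sample export from a hypothetical data-mapping scan; every path,
# keyword and hash below is made up for illustration.
SCAN_RESULTS = [
    {"path": "OneDrive/hr/applicants.xlsx", "location": "OneDrive", "category": "Spreadsheet",
     "risk": "high", "keywords": ["passport", "ethnicity"], "sha256": "aa11"},
    {"path": "Mail/Inbox/applicants.xlsx", "location": "Mailbox", "category": "Spreadsheet",
     "risk": "high", "keywords": ["passport", "ethnicity"], "sha256": "aa11"},
    {"path": "SharePoint/finance/q3.pdf", "location": "SharePoint", "category": "PDF",
     "risk": "medium", "keywords": ["iban"], "sha256": "bb22"},
    {"path": "Mail/Sent/notes.docx", "location": "Mailbox", "category": "Document",
     "risk": "low", "keywords": [], "sha256": "cc33"},
    {"path": "SharePoint/hr/medical.docx", "location": "SharePoint", "category": "Document",
     "risk": "high", "keywords": ["diagnosis"], "sha256": "dd44"},
    {"path": "Mail/Inbox/cv_scan.pdf", "location": "Mailbox", "category": "PDF",
     "risk": "high", "keywords": ["passport"], "sha256": "ee55"},
]

def risk_overview(results):
    """Step 1: count files per risk level to see the overall picture."""
    return Counter(r["risk"] for r in results)

def high_risk_by(results, field):
    """Steps 2 and 3: rank categories ('category') or storage locations
    ('location') by how many high-risk files they hold, most first."""
    return Counter(r[field] for r in results if r["risk"] == "high").most_common()

def filter_files(results, location=None, keyword=None, risk=None):
    """Clean-up step 1: the location / sensitive-keyword / risk-level filters."""
    return [r["path"] for r in results
            if (location is None or r["location"] == location)
            and (keyword is None or keyword in r["keywords"])
            and (risk is None or r["risk"] == risk)]

def duplicate_high_risk(results):
    """Clean-up step 4: group high-risk files by content hash. A hash that
    appears under more than one path is a copy to consolidate or delete."""
    by_hash = defaultdict(list)
    for r in results:
        if r["risk"] == "high":
            by_hash[r["sha256"]].append(r["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}

if __name__ == "__main__":
    print("Risk overview:", dict(risk_overview(SCAN_RESULTS)))
    print("High-risk files by location:", high_risk_by(SCAN_RESULTS, "location"))
    print("Passport data flagged high-risk:", filter_files(SCAN_RESULTS, keyword="passport", risk="high"))
    print("Duplicated high-risk files:", duplicate_high_risk(SCAN_RESULTS))
```

Run against a real export, the duplicate list is the first thing to act on: the same high-risk file sitting in a mailbox and a shared folder is the "red flag" the guide describes.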
What if I have a lot of risk data and clean-up seems overwhelming?
The most labor-intensive part of data management, the data inventory, has been done for you. This has already put you ahead of the game, compliance-wise. Remember you are allowed to store sensitive data if you had a legitimate purpose for collecting it and you keep track of it.
Privacy laws like the GDPR do not specify exactly what must be done with the personal data you store or how much you can store, but they do require you to introduce “appropriate organizational and technical measures” to protect it.
A little check-up from time to time to make sure you know what you have goes a long way, and every little bit of data minimization helps. Don’t put off clean-up for fear of what you might find. Use the data mapping tool regularly, for just a few minutes, and look for a couple of files you can put in their proper place or delete.
Improve your privacy practices
- Lock shared folders when appropriate. Folders in OneDrive or SharePoint that contain high-risk data can be locked to limit access to only those employees who need it.
- Be aware of syncing. If syncing is turned on in OneDrive, attachments people share with you by email will be automatically saved in your personal folder, even if you do not open or download them.
- Set up automatic deletion for files in email. Folders like “Deleted” and “Sent” are often good places to set up automatic deletion.
- Improve your privacy strategy. Can you keep sensitive data out of email folders altogether by using a safe data sharing add-in or private upload point? Could certain types of sensitive data be kept in one place and protected?
- Repeat the scan and all the above steps periodically. Your company collects more personal data every day. Keep up with it by periodically repeating your data mapping scan.