
How I would do a data cleanup

Cleaning up sensitive data is a key task for any company. Naturally, data cleanup is just as important for us here at Safe Online as a basis for processing personal data. Keeping our sensitive data neat and tidy is one of the best ways to protect it. It’s also crucial for us to comply with data regulations and earn the trust of our customers.

Data cleanup is certainly an extensive task. However, it becomes much simpler when you break it down into steps. In this blog, I will show you how I would approach manual data cleanup as a risk and GDPR compliance specialist. Then, I’ll talk about which steps in the process present special challenges, and how to simplify them even further.

What is data cleanup and why do it?

Cleaning up sensitive data properly means first identifying, organising, securing (and possibly deleting or archiving) all the sensitive information you store in your data systems. Keeping your data tidy after an initial cleanup will then require implementing new security measures, training employees, and checking up on yourself regularly to reduce your GDPR risks. Regular data cleanups are key to keeping data secure, complying with regulations and protecting your business.

My 7-step cleanup

If I were faced with the task of manually cleaning up our files with sensitive information, I would divide the process into 7 steps:

  • Map my IT
  • Analyse my data flow
  • Determine my risk level
  • Coordinate cleanup
  • Implement security measures
  • Plan my follow-up
  • Document everything

Of course, to be most effective, make sure you tailor each step for your company’s needs.


1. Map my IT
To start with, I would make an inventory of the IT systems my company uses to handle personal data. At the same time, I make sure to take note of all software, platforms and tools each department uses. In this way, I begin to get an understanding of my company’s existing IT systems.

2. Analyse my data flow
Secondly, I talk to key employees from all departments to find out where they store personal data and how it moves through our systems. Then, I find out exactly which employees have access to which personal data.

3. Determine my risk level
Once I have an idea of who stores what data and where, I list potential risks associated with processing personal data for each of my IT systems. Then, I compare this analysis with my data flow analysis to create an overall risk assessment for my work processes.

4. Coordinate cleanup efforts
I will then start working with key employees from the departments to initiate a systematic cleanup of personal data. Firstly, it’s important to decide which areas I should prioritise. For example, I may start by focusing on storage locations that contain especially large quantities of high-risk data. I would also give special attention to specific employees who store the most sensitive data. Undoubtedly, having good communication with all departments in my company makes this easier.

5. Implement new security measures
At this point, I begin to implement new security measures. Given that I have just reviewed the systems I use and how the data flows, I will be in a good spot to choose appropriate measures. Generally speaking, security improvements might include drafting and enforcing encryption protocols, automating my data retention policies and introducing other relevant rules to strengthen our data protection. At this stage, collaboration with my IT department is crucial, since many of these measures will be part of the IT department’s workspace.

6. Plan my follow-up
Once I’ve completed my initial cleanup and introduced new policies and protections for sensitive data, I would then schedule regular maintenance cleanups. How often I need to repeat my data cleanup will depend on what I discovered in my risk assessment, as well as the overall quantity and complexity of my company’s data storage. I also take note of the areas, departments and locations I will prioritise for future cleanups.

7. Document everything
I introduce simple but effective reporting tasks for all departments throughout the cleanup process. This ensures that, together with a few of my key employees, I can keep my finger on the GDPR pulse. In this way, I can easily check up on how the cleanup is progressing for each employee, and the changes and improvements we’ve made overall. Not only does reporting keep me informed, it also trains my employees to be more aware of sensitive data protection. Further, I can use my cleanup logs to demonstrate our compliance efforts to customers, partners or data authorities if requested.

Start your GDPR cleanup where it is needed the most

Sensitive data tends to accumulate in employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Here's the tough part

Certainly, following the steps above makes an overwhelming cleanup job much more manageable. However, the reality is that for most companies, steps 1-3 will be extremely difficult to complete thoroughly and accurately without automated tools. Above all, steps 1-3 on my list are about getting an overview of the sensitive data in your systems and knowing which IT systems and processes generate the most risk. Indeed, these are the most crucial parts of your cleanup. Once you complete those steps, it is easy to reduce your risk dramatically by deleting old data you no longer need and moving important data to protected locations. But these steps can eat up huge amounts of time and cause a lot of frustration. And unfortunately, this is where cleanup efforts often come to an early and screeching halt.

A shortcut to declutter your data

Of course, these seven steps can be performed manually. But there is another way to clean up that allows you to breeze through the trickiest steps: using software that automatically identifies high-risk data in your IT systems. In fact, the right software can automate steps 1, 2 and 3 completely. Meanwhile, it makes steps 4, 5, 6 and 7 simple and easy.

Personally, I would always choose automation as it is both much faster and more thorough. That is why we developed DataMapper. DataMapper is a tool that uses artificial intelligence to quickly locate files, emails and images with sensitive content, such as information about people’s health, finances, race, sexuality, etc. In short, with DataMapper, you can skip your most time-consuming cleanup steps, get a more complete overview of your data with accurate statistics, track the progress of your cleanup, and more. Would you like to try it?

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist