Securing and managing personal data is something that many companies have difficulty controlling. While companies try to keep data safe from external theft by hackers, many are failing at managing internal data leakage by employees. So far this year, GDPR fines have reached $100 million.
Consider the amount of data that we access on a daily basis while at work. Studies show that on average, each of us is working with twelve, yes twelve, different software applications. This means we are accessing, inputting, exporting and reporting on a wide variety of data held in different repositories.
Let’s consider a common business practice: hiring or letting go an employee. You might be using HR software, sending e-mails, receiving CVs by file sharing software (e.g. Drobox), having internal discussions on Slack, storing data in a CRM, producing reports in Excel, making payments in financial software. Thus the ability to manage personal data across the company is almost impossible as you actually don’t know how much there is and where it’s stored, as it’s everywhere and a cross-repository reporting tool doesn’t exist. It’s rare that anyone has access to all files within a company.
With that in mind, one may say itis no surprise that companies are increasingly being fined by regulators and that the volume of the fines grows year on year. When an employee is made redundant they frequently file a “Right to be forgotten” request which according to GDPR regulators requires the company to remove all personal data from the company that is held in various software applications. The data includes items like names, e-mail addresses, telephone numbers, tax identification details, driving license numbers, bank account details and health insurance information.
If you think about it; how could any company find all the information stored about an employee when it’s stored in multiple e-mail inboxes, archives, Word docs, Excel spreadsheets, Slack chats, Dropbox, etc.?
There are solutions available used by corporates that are continuously crawling, extracting and reporting on all of the information held in various applications. If you need to run a report on an employee, a patent number, a driving license number, you can identify all of the places where a person’s data resides. There is no need for manually search each software application one-by-one. Actually there is little manual review effort at all.
You need about 15 minutes to enter the data sets you want to query, and voila, a report is automatically generated showing you how much personal data, what type of personal data and where the personal data resides within every single file within each software application.
The risk of fines can easily run in the millions of euros, while licensing a GDPR tool acts as an insurance policy and a data maintenance tool for Data Protection Officers.
It seems that the cost is too high not to invest in such a solution.
Source: Atlas VPN for number of GDPR fines in 2022