Everyone should be moving down the line with their Data Protection Programmes at this stage; however, there are some common blind spots you need to be aware of in the privacy space. In this article, I’ll break down three of the top unexpected sources of personal data that I find regularly during gap analyses.
Forms are a very common data ingress point for businesses, with people capturing data in order to apply for a role, obtain access to a white paper, register for a service, and a host of other possibilities. In ideal instances, these forms are part of a lead tracking system or a CRM, and the information is captured directly into the system. In most cases, though, this data is emailed to someone designated within the company, or perhaps sent to a group mailbox.
Now, this has its challenges to begin with. Email is unstructured and is a veritable NIGHTMARE when it comes to retention periods and data protection. But further to this, the submissions are often also stored on the website that hosts the form. Be it WordPress, Joomla, or otherwise, these systems have backend databases that frequently keep a copy of the information submitted through forms, without any notice to the end recipients.
You need to ensure that your online systems are adequately managed, cleaning out these data points when they are no longer required. On a related note, if you outsource your web maintenance to another company, you need to ensure that there are confidentiality and data processing agreements in place, as they will also have access to this information.
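As a worked illustration of that clean-out (added here; it is not code from the article or from any CMS or form plugin), the script below imitates the kind of "form entries" table a CMS form plugin keeps, reports how many stored submissions per form are past the retention period, and then purges them. The table name, columns, the 90-day retention period and the sample rows are all constructed assumptions; take the real values from your own retention schedule.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention period for form submissions; take the real value from your
# retention schedule.
RETENTION_DAYS = 90

# Fixed "current time" so the constructed sample data gives reproducible results.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_sample_db() -> sqlite3.Connection:
    """In-memory table imitating a CMS form plugin's entries table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE form_entries (
               id INTEGER PRIMARY KEY,
               form_name TEXT NOT NULL,
               submitted_at TEXT NOT NULL,  -- ISO 8601, UTC
               payload TEXT NOT NULL        -- the submitted fields as JSON
           )"""
    )
    rows = [
        ("job-application", SAMPLE_NOW - timedelta(days=200),
         '{"name": "A. Example", "email": "a@example.org"}'),
        ("whitepaper", SAMPLE_NOW - timedelta(days=120),
         '{"email": "b@example.org"}'),
        ("whitepaper", SAMPLE_NOW - timedelta(days=10),
         '{"email": "c@example.org"}'),
    ]
    conn.executemany(
        "INSERT INTO form_entries (form_name, submitted_at, payload) VALUES (?, ?, ?)",
        [(form, ts.isoformat(), payload) for form, ts, payload in rows],
    )
    conn.commit()
    return conn


def _cutoff(now: datetime, retention_days: int) -> str:
    # ISO 8601 timestamps in the same timezone sort chronologically, so a plain
    # string comparison in SQL is sufficient.
    return (now - timedelta(days=retention_days)).isoformat()


def expired_by_form(conn, now=SAMPLE_NOW, retention_days=RETENTION_DAYS) -> dict:
    """Dry run: count submissions per form that are past retention, for review before purging."""
    rows = conn.execute(
        "SELECT form_name, COUNT(*) FROM form_entries WHERE submitted_at < ? GROUP BY form_name",
        (_cutoff(now, retention_days),),
    ).fetchall()
    return {form: count for form, count in rows}


def purge_expired(conn, now=SAMPLE_NOW, retention_days=RETENTION_DAYS) -> int:
    """Delete submissions past retention and return how many rows were removed."""
    cur = conn.execute(
        "DELETE FROM form_entries WHERE submitted_at < ?",
        (_cutoff(now, retention_days),),
    )
    conn.commit()
    return cur.rowcount


def count_entries(conn) -> int:
    """Rows still held after the purge."""
    return conn.execute("SELECT COUNT(*) FROM form_entries").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print("past retention:", expired_by_form(db))
    print("purged:", purge_expired(db), "remaining:", count_entries(db))
```

Run the dry-run report first and have the form owner confirm the retention period before the delete goes in; a scheduled job of this shape is also the evidence you can show that the clean-out actually happens.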
The term Shadow IT refers to the systems that are purchased by teams without official approval. You may think that you have control of all systems owned by your company, but you may well be wrong.
When putting together a privacy programme, a quick route to working out which third parties hold your data is to pull your vendor master and work through that. This, however, assumes that all your providers are paid via your vendor process. In many companies that I deal with, there are additional tools that have been purchased on a manager’s credit card or an employee’s account, only showing up as an expense claim at the end of the month, and not appearing in the vendor master at all.
When looking at the systems in use, you need to combine the approach of looking at the accounts department with that of looking directly at the teams and the computers in use. Many antivirus tools will let you pull a list of the software installed on all computers in the network – this is a great way to see what is ACTUALLY in use within the company. Failing this approach, the next (and less reliable) approach is to interview the different teams and ask what they use. This is, however, subjective, and often tools will slip someone’s mind.
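To show how the two approaches combine in practice, here is an added example (my illustration, not code from the article or from any antivirus product) that reconciles three views of what is in use: the vendor master, the month's expense-claim lines, and an endpoint software inventory of the kind an antivirus or EDR console can export. Anything that is being paid for or is installed but does not match a vendor-master entry is reported with how many hosts and claims it turned up on. The vendor names, claim lines, hostnames and the list of words the name normaliser strips are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data: what the accounts department knows about.
VENDOR_MASTER = ["Salesforce Inc.", "Microsoft 365", "Acme Payroll Ltd"]

# Constructed expense-claim lines: (claimant, description, amount).
EXPENSE_CLAIMS = [
    ("j.doe", "Notion Labs monthly team plan", 48.00),
    ("a.smith", "Salesforce Inc add-on", 120.00),
    ("j.doe", "Zoom pro seat", 14.99),
]

# Constructed endpoint inventory: hostname -> installed software names, as an
# antivirus/EDR console export might give you.
INVENTORY = {
    "LT-0001": ["Microsoft 365", "Zoom", "Notion"],
    "LT-0002": ["Microsoft 365", "Zoom", "Dropbox"],
    "LT-0003": ["Microsoft 365", "Dropbox"],
}

# Corporate suffixes and plan/billing words that differ between a vendor record,
# an expense description and an installer name. Extend for your own data.
_NOISE = re.compile(r"\b(inc|ltd|llc|labs|monthly|team|plan|pro|seat|add-on)\b\.?")


def normalise(name: str) -> str:
    """Lower-case a product or vendor string and drop the noise words."""
    cleaned = _NOISE.sub(" ", name.lower())
    return " ".join(cleaned.split())


def find_shadow_it(vendor_master, expense_claims, inventory) -> dict:
    """Return {normalised tool name: {"expense_claims": n, "hosts": n}} for
    everything seen in claims or on endpoints that matches no vendor-master entry."""
    known = {normalise(v) for v in vendor_master}

    def is_known(text: str) -> bool:
        # A claim description or installer name counts as known if it contains
        # a normalised vendor-master name.
        return any(k in text for k in known)

    findings = defaultdict(lambda: {"expense_claims": 0, "hosts": 0})
    for _claimant, description, _amount in expense_claims:
        name = normalise(description)
        if not is_known(name):
            findings[name]["expense_claims"] += 1
    for _host, software in inventory.items():
        for item in set(software):  # count each host once per tool
            name = normalise(item)
            if not is_known(name):
                findings[name]["hosts"] += 1
    return dict(findings)


if __name__ == "__main__":
    for tool, evidence in sorted(find_shadow_it(VENDOR_MASTER, EXPENSE_CLAIMS, INVENTORY).items()):
        print(f"{tool}: {evidence['expense_claims']} claim(s), on {evidence['hosts']} host(s)")
```

Each line of that report is a candidate data processor that is missing from the vendor master and, in all likelihood, from your processing register and agreements as well; the host count tells you how widely it has spread.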
This one is aimed mostly at the software and managed services space. Log files are everywhere. You need them for diagnostics, record keeping, and a variety of other purposes. In many cases, personal information such as client names and other identifiers is stored in these logs and is totally overlooked by the privacy office.
Whoever is running the privacy programme needs to delve into the technical detail and involve someone who knows what is stored where in terms of the technical operations. Reducing the information written to these files and making proper use of log levels such as INFO and DEBUG can drastically reduce your data footprint in this area.
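The example below (added here, and not code from the article or any particular product) shows both of those controls in Python's standard logging module: a filter masks e-mail addresses and long numeric identifiers before a record is written, and the record that carries the full client identifier is logged at DEBUG, so a production logger set to INFO never writes it at all. The message texts, the regular expressions and the sample client details are constructed for the illustration.

```python
import io
import logging
import re

# Constructed patterns: e-mail addresses and runs of 8+ digits (account or
# phone numbers). Tune these to the identifiers your own systems handle.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DIGITS_RE = re.compile(r"\b\d{8,}\b")


class RedactPII(logging.Filter):
    """Mask e-mail addresses and long numeric identifiers in the rendered message."""

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()          # apply %-formatting first
        msg = EMAIL_RE.sub("<email>", msg)
        msg = DIGITS_RE.sub("<id>", msg)
        record.msg, record.args = msg, ()  # replace with the redacted text
        return True                        # keep the (now redacted) record


def make_logger(level: int) -> tuple:
    """Isolated logger writing to a StringIO so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(f"example.{level}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactPII())
    logger.addHandler(handler)
    return logger, buf


def handle_request(logger: logging.Logger, client_email: str, account_no: str) -> None:
    # Operational record: enough to trace the request, no direct identifier.
    logger.info("processing statement request for account ending %s", account_no[-4:])
    # Detailed record: only useful while actively debugging; a logger at INFO
    # drops it before the handler ever sees it.
    logger.debug("full request: client=%s account=%s", client_email, account_no)


def run(level_name: str) -> list:
    """Process one constructed request at the given level and return the lines written."""
    logger, buf = make_logger(getattr(logging, level_name))
    handle_request(logger, "jane@example.org", "123456789012")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for name in ("INFO", "DEBUG"):
        print(f"--- logger at {name} ---")
        for line in run(name):
            print(line)
```

Note the order of defence: the log level keeps the detailed record out of production files entirely, and the redaction filter is the safety net for whatever does get written, including by developers who forget which fields are personal data.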
Keep an eye out
In short, these kinds of blind spots are why awareness training and involving others are vital to the success of your data privacy programme. An Information Officer simply cannot know the entire operation of a business from end to end, and they should draw on the knowledge and expertise of others in the business to identify and address whatever “unexpecteds” may appear.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity, from affordable 16-week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.