Gavilan offer services around data privacy requirements across a number of highly regulated market sectors.

Data privacy has become a hot topic, accentuated by the recent GDPR laws, which impact data management, ownership and access for any company that is engaged in activities across the EU. Whether you are an EU-based company or a global company that may have EU customers, suppliers or employees, the GDPR framework matters to you.

Sensitive data stored in files exposes organizations to significant security and compliance risk. For example, organizations are very focused on controlling access to sensitive data within their payroll application (structured data), but with a simple “export” button, that information can be migrated into a spreadsheet, which can then be stored in a variety of ungoverned locations such as SharePoint or Box. Very quickly, that highly sensitive data finds its way into many unstructured files with virtually no oversight. Without the proper visibility and controls, it is difficult to know where these files reside, what sensitive information they may contain, who has access to them, and what they are doing with the data.

Adding to these security concerns, many enterprises are challenged to maintain compliance with the growing number of data privacy laws as these files proliferate across the organization. The European Union’s General Data Protection Regulation (GDPR) has stringent rules for the protection, management and control of EU citizens' personally identifiable information (PII). This means organizations need a clear view of what PII or other sensitive information they possess and who has access.

Our partner Exonar have recently issued helpful guidance around Article 30 and how businesses need to manage personal data privacy.

What Next With Your Personal Data Inventory (Article 30)?

Data privacy legislation requires organisations to discover and document their personal data processes e.g. GDPR – Article 30 ‘Record of Processing Activities’. For most organisations the simplest way to fulfil this obligation is to create and maintain a Personal Data Inventory.

Understanding what data you have, why you have it, where it is processed, who can access it, when it should be deleted, and how it is secured is the foundation of any data privacy or cyber security programme that aims to protect personal data and comply with data privacy legislation such as GDPR, CCPA, PIPEDA, PDBP and more.

Exonar Survey

Exonar surveyed 104 organisations to understand their experience discovering and operationalising their Personal Data Inventory. We have detailed the findings of this survey alongside a 3 Step Guide to Personal Data Inventory and Article 30² Toolkit.

Our first section on data discovery and personal data inventory will be most useful for organisations who are planning to create their Personal Data Inventory (e.g. those preparing for the California Consumer Privacy Act (CCPA) in 2020).

Our second and third sections will be most useful for organisations who have already created their Personal Data Inventory (e.g. those complying with General Data Protection Regulation (GDPR) from May 2018) to explain next steps for monitoring and compliance activities.

The Article 30² Toolkit can be filled in to help you structure your journey through this process.

Download: What Next With Your Personal Data Inventory (Article 30)?

Download: Article 30² Toolkit