How rogue data puts organisations at risk of GDPR noncompliance

The GDPR compliance deadline came in by force on 25th May 2018 and applies to all organisations processing and holding the personal information of data subjects. This includes contacts such as customers, partners and patients. Much has been written about the immense efforts of organisations to improve their data privacy procedures in order to comply with GDPR, but there is a largely undiscussed oversight lurking just under the surface which, if left unaddressed, still leaves organisations exposed to potential risks and hidden costs.

While progress has been made in privacy and control procedures for managed data typically held in customer and/or patient databases and business applications, most organisations will (reluctantly) admit to a problem of “rogue” personal identifiable information (PII) that is not under some form of direct IT control and governance.

These electronic office documents, presentations, images, video recordings, etc. are quite often hiding in plain sight, so to speak, and within an organisation’s IT infrastructure. We are of course referring to the countless letters, spreadsheets, data extracts, x-ray images, voice recordings (the list goes on) containing PII and stored in places such as an employee’s desktops, personal folders, shared folders, cloud storage or mobile devices. Not having good visibility and control over these kinds of rogue PII does not diminish the accountability of organisations – in fact, it exposes them to the worst kind of risk: the unknown type.

Three main problems associated with rogue PII

1. Data subjects (the people whose information is being controlled) are entitled to request all PII data held on them. This is really hard to do when a business is not 100% certain if all PII is being managed in known, secure and managed information systems. Information blind spots will leave organisations exposed to risk.

2. Requests for either a copy and/or erasure of PII by data subjects need to be completed within certain time limits (typically one month). This can be a challenge if organisations do not maintain a certain level of process efficiency in order to comply. Organisations may also be caught on the back foot if swamped by a sudden spike in requests or where there is a heavy reliance on manual procedures to fulfil these requests.

3. The new regulation typically leaves data controllers with no recourse to charge for fulfilment of these data requests. Under most circumstances, these rights translate to both a potential cost and accountability risk burden on organisations. Not only do they need the capability of finding PII faster and cheaper than ever before, but they also need to be confident that they have provided (or erased, as the case might be) ALL managed and unmanaged instances of PII held on a data subject.

Dealing with rogue PII data?

How then should an organisation deal with rogue PII data? If we assume that managed sources of PII are well understood and practices adopted to ensure data processing is governed within data privacy policies, organisations face two options for dealing with their unmanaged PII:

• Migrate or move rouge sources of data to a managed environment.
• Develop a capability to monitor – on an ongoing basis – unmanaged PII (providing visibility) combined with the ability to then manage such PII (providing control).

Endpoint Detection & Remediation (EDR) solutions enable organisations to perform investigation and remediation across their entire IT estate, at speed and at scale. This means that EDR tools can firstly help find traces of PII in unmanaged locations as well as automate the remediation process of either removing or relocating such data.

A good EDR solution should perform such remediation in real-time, and make it easy to configure the remediation steps as easily repeatable instructions for ongoing maintenance purposes. Speed, scale and automation are key here. Together, these form the essential ingredients for a solution to address problems of “hidden PII” cost and risk.