Data discovery is not a new requirement for complying with data privacy standards or laws. Even so, most organizations still struggle to discover and classify their data, and classification is itself a very important requirement under the data privacy umbrella. Data classification has been mandated by various laws across the globe, such as the GDPR, the CCPA, the LGPD and others.
Of the data privacy laws mentioned above, the EU’s GDPR is a special one for me: not because of any fine it has imposed for a personal data breach, but because it furthered the revolution in data privacy by making the law much more transparent than before and keeping data subject rights as one of its key focus areas.
EU data protection laws have been referred to as the gold standard for a long time. The EU’s General Data Protection Regulation (GDPR) is one of the most prominent privacy laws in today’s world. The European Parliament approved the GDPR on 14 April 2016 and it went into effect on 25 May 2018, replacing the 1995 Data Protection Directive. GDPR applies not only to organizations operating within the EU but also to organizations outside the EU that handle EU citizens’ data.
GDPR expanded territorial scope and strengthened individual rights compared to the previous Data Protection Directive. Among the many requirements for GDPR compliance, the key principles relating to the processing of personal data are:
- Processing personal data lawfully, fairly and transparently.
- Collecting personal data only for specified, explicit and legitimate purposes.
- Processing only personal data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- Keeping personal data accurate and, where necessary, up to date.
- Storing personal data for no longer than is necessary for the purposes for which it is processed.
- Ensuring that appropriate security measures are in place so that personal data is not accidentally or deliberately compromised while it is processed.
- Keeping appropriate measures and records in place to be able to demonstrate compliance.
When it comes to complying with all these GDPR requirements, a compliance-only mindset does not bring real business value; it only lets an organization survive. To get business benefits out of GDPR compliance, it is critical to form a proper data management strategy. From my experience, most organizations struggle to outline and implement a data management strategy, which makes it complex to fulfil data subject rights and to put appropriate controls in place to mitigate data risks.
To form a data management strategy that complies with GDPR requirements, companies can implement controls at different levels or in different areas, which helps to build a strong layer of protection against external as well as internal threats. The focus areas are as follows:
- People
- Process
- Technology
People: Human resources are key to GDPR compliance for an organization. Employees should be made aware of GDPR requirements and of how the organization is taking the required steps, in the form of relevant policies or processes, to comply with them. Awareness should not be limited to GDPR requirements and the organization’s policies; it should also cover the types of data the organization handles and how critical that data is. While forming a data management strategy, human resources also have a very critical role to play in managing the data.
Process: For GDPR compliance, putting appropriate processes in place is crucial to ensure there are no gaps while carrying out compliance-related activities. Integrating operational processes with GDPR-related processes is key to a successful compliance framework. For example, an organization has an onboarding process for employees; integrating into it the process of making the employee aware of GDPR requirements and policies, and a formal quiz to assess their level of knowledge, gives the organization more confidence that it complies with GDPR. Similarly, making GDPR-related processes part of the different operational processes helps an organization make compliance a business-as-usual (BAU) activity rather than something done only when needed. Moreover, when implementing a data handling or data management strategy, processes for data discovery, data subject requests and data retention are essential to a robust framework for complying with GDPR requirements.
At a high level, below are some of the process controls for implementing a GDPR compliance framework:
- Keeping Records of Processing
- Conducting a Data Protection Impact Assessment where necessary
Technology: GDPR compliance cannot be 100% without technological solutions. Without appropriate technology, people and processes will always be vulnerable and will fail to comply with GDPR requirements. Below are a few key technical controls which every organization should consider for complying with GDPR requirements:
Taking all these controls into consideration, everything revolves around protecting personal data. Taking one step back, I believe that before an organization starts focusing on protecting personal data, it is crucial to have complete visibility of the personal data stored across different data sources and in different data formats. Data discovery is important because some key GDPR requirements, such as data subject access requests, data rectification and data erasure, mandate that an organization respond to a data subject request with accurate information.
Types of Data
To implement an appropriate data discovery strategy, it is important to know the types of data, as this helps decide the type of tools or processes to be designed and implemented. At a broad level, data can be classified into structured and unstructured based on where and in what form it is stored, and you can plan your discovery and protection strategy accordingly.
Structured data is usually stored in databases and has a defined format of columns and rows. Unstructured data is less organized and is generally found in PDF files, Word documents, email, Google Drive and more.
Of the two, unstructured data is typically more difficult to discover because personal data is scattered across different types of systems and in different formats. If you try to follow manual processes, it becomes a never-ending endeavor, and the number of human hours and the effort it takes are immense.
Any automated means of discovering data needs the ability to scan different file types and databases, tag sensitive personal data, and perform analysis and visualization of data risk scoring.
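As an added example (not Voltage’s code, nor part of the original post), the Python sketch below shows those three capabilities on constructed data: it scans an in-memory SQLite table (structured) and two text documents (unstructured), tags personal-data categories with priority-ordered detectors so an IBAN’s digits are not double-counted as a phone number, and ranks every source by a weighted risk score. The detector patterns, weights and sample records are assumptions for illustration only.

```python
import re
import sqlite3

# Detectors run in priority order and each matched span is consumed before the next
# pattern runs, so the digits of an IBAN are not re-tagged as a phone number.
# Patterns are illustrative; production use needs validated, locale-aware detectors.
DETECTORS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)\+?\d(?:[ -]?\d){8,14}(?!\w)"),
}
WEIGHTS = {"iban": 5, "phone": 2, "email": 1}  # bank details outrank a bare e-mail address

def classify(text):
    """Return {category: hit count} for the personal-data patterns found in text."""
    tags = {}
    for cat, rx in DETECTORS.items():
        hits = rx.findall(text)
        if hits:
            tags[cat] = len(hits)
            text = rx.sub(" ", text)  # consume the span so a later detector cannot re-tag it
    return tags
def scan_unstructured(documents):
    """documents: {filename: text}. Returns {filename: tags} for files holding personal data."""
    return {name: tags for name, text in documents.items() if (tags := classify(text))}
def scan_structured(conn):
    """Scan every column of every table in a sqlite connection; keys are 'table.column'."""
    findings = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for col in [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]:
            cells = conn.execute(f'SELECT "{col}" FROM "{table}"').fetchall()
            tags = classify("\n".join(str(c[0]) for c in cells if c[0] is not None))
            if tags:
                findings[f"{table}.{col}"] = tags
    return findings
def rank(findings):
    """[(source, weighted score), ...] from highest to lowest risk."""
    scores = {src: sum(WEIGHTS[c] * n for c, n in t.items()) for src, t in findings.items()}
    return sorted(scores.items(), key=lambda s: -s[1])
def demo():
    # Constructed sample data: an in-memory HR table plus two loose text documents.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (id INTEGER, name TEXT, email TEXT, notes TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", [
        (1, "Ana Example", "ana@example.com", "salary to DE89 3704 0044 0532 0130 00"),
        (2, "Bo Example", "bo@example.org", "no notes")])
    docs = {"minutes.txt": "Call Ana on +44 20 7946 0958 about the audit.",
            "readme.txt": "Nothing personal in this file."}
    return rank({**scan_structured(conn), **scan_unstructured(docs)})
```

Running `demo()` places the notes column holding the IBAN above the e-mail column and the meeting minutes, and drops the document with no hits entirely; a real deployment would replace the regexes with validated detectors and feed the ranked list into the visualization layer.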
CyberRes Voltage offers one of the most comprehensive solutions for structured as well as unstructured data discovery. Structured Data Manager helps manage structured data by providing data discovery, insight, protection and management features, while File Analysis Suite (FAS) helps manage unstructured data by finding sensitive data and classifying high-risk data.
Structured Data Manager offers the following built-in integrations to cover a broader scope of information management:
- Amazon S3
- Content Manager
- SecureData
- Vertica
With File Analysis Suite, a user can perform risk-based random sampling, use built-in templates to perform ROT analysis, and scan individuals’ data to fulfill data subject access requests. With File Analysis Suite, an organization can connect to some of the most common repositories, such as NT file shares, SMB (Samba), Microsoft Exchange, Microsoft SharePoint, Content Manager, SharePoint Online and Teams, Office 365, Google Drive, Microsoft Azure file and object stores and Amazon S3 object stores, and with the FAS REST API an organization can also build custom integrations with other tools.