Here you will find five articles about GDPR and data that can inspire you and help your organization on its way.
You are always welcome to book a meeting with me directly HERE, or write to me at abs@dataandmore.com if you want to hear more or want to collaborate with us.
Andreas Strøbek, Partner, Data & More
PS: Curious about your GDPR compliance? We offer a free scan of your data (see the end of the text).
A: Do you have a handle on your file sharing systems?
Do you lack information about what is in your file sharing systems? Are you concerned about data breaches or reports to the Swedish Privacy Protection Authority (IMY)? Do you want to ensure that you comply with legislation in the field?
Few people can in good conscience agree with the following statements:
- We do not store illegal data.
- If there is a data breach on our file sharing systems, we know exactly which (personal) data may have been exposed.
- If there is a ransomware attack on our file sharing systems, there is no risk of our company secrets being stolen.
- If we are subject to supervision by the Swedish Privacy Protection Agency, we can quickly find relevant data in our file sharing system.
File sharing is like a large basement: You never have to clean down there – there is always room for another cardboard box. Year after year, the basement is filled with more cardboard boxes until some cardboard boxes have been there so long that no one knows what’s in them anymore – or who put them down there.
But then came GDPR, ransomware and data breaches. All in all, there is now a need to clean up the legacy and debt that has accumulated, and to which we have all contributed year after year.
Unfortunately, the problem is far greater than one might think. Data & More manages over 2,000,000,000 datasets (Excel sheets, PDFs, Word documents, PowerPoints, etc.) daily to help organizations comply with legislation and ensure respect for data. And it turns out that 3-7% of all data outside of HR, case management and finance systems is illegal and should be deleted.
3-7% may not sound like much, but when an organization with 100 employees has around 150,000 illegal datasets, you understand the scale of the problem (multiply accordingly if you have more employees). And just one dataset (for example, an Excel sheet) can contain a lot of personal data and sensitive information. Here are some real-life examples:
- A large insurance and pension company had a five-year-old Excel sheet in their file sharing system containing information about their customers, financial information, illnesses, family information, social security numbers, etc. We are talking about deeply personal and sensitive data about hundreds of thousands of people, which was available to all employees for decades.
- Or what about a municipality that, in connection with their annual budget determination, had ancient Excel files with information about disabled children in the municipality and related costs lying in the common file sharing.
- Or the company that saved photos of passports and driver’s licenses of old customers, which should have been deleted long ago.
I could go on, but the point is that out of respect for each other’s data, we should make sure to clean our data before it is shared with others – or put up for sale. This is not a problem that will go away on its own.
Fortunately, there are solutions that can help with the heavy lifting, as manual cleaning is an impossible task. For example, by using a data scanner to scan data automatically, you can establish a real overview of exactly what the file sharing system contains, without burdening your employees. In this way, you at least attract the attention of management and hopefully get support to fix the problem. After all, we are talking about our own data.
B: Heading towards cloud storage?
If you plan to move your data to cloud storage (or change platforms) – then it is a good idea to clear the data that you no longer need or have the right to store. Cleaning up old, unnecessary data isn’t just the logical thing to do – there are actually quite a few good reasons for it. Here are some of them:
1 – You save money
First, cleaning saves money. Cloud services cost money, and the price is often based on how much data you store and how often you access it. If you clean up and remove all the old data you don’t need, you have less data to move. This means lower costs both for moving your data and for storing it in the cloud. Think of it as not paying rent to store things you never use anyway.
2 – For the sake of the environment
Moving and storing data takes a toll on the environment. Any handling or storage of an email, an attachment, files on file drives, etc. requires power. How much CO2 is emitted depends on several factors, but according to Berners-Lee’s book “The Carbon Footprint of Everything” the amount of CO2 is between 30 g and 5 kg for only 100 emails. Then add up how many emails you have, and remember your data on file sharing.
3 – Minimize business risk
Storing old data poses a high business risk, as it often contains sensitive personal and business-critical data. Keeping this data, which you no longer need and which is stored in the wrong places, or which may even be deeply illegal according to the Privacy Protection Authority, is a significant business risk. Many reports to the Data Protection Authority actually come from the employees themselves, who are far from satisfied with how the organization (management) prioritizes compliance with legislation. And if there is a data breach and there is no overview of the organization’s data – then it can end up with lots of your and my data suddenly being sold on.
4 – Do it efficiently and save time
Cleaning is often not done because it simply takes too long. And in a busy everyday life, it’s not exactly what’s at the top of the to-do list. But the Swedish Data Protection Authority’s demand for erasure has meant that new types of solutions have come onto the market – solutions that can effectively scan, identify and delete data either by including the employee or automatically, depending on how you want to handle the erasure. And if you look at how much time you save as an organization – it’s often a good solution to an otherwise annoying and difficult problem.
5 – Minimize the time for moving your data
The more data you have, the longer it will take to move it. By getting rid of the data you don’t need, the whole process can be made faster. This means less downtime for your organization and a faster transition to the new setup.
6 – Remember all the data – not just the surface ones
You need to be in control of all your data, and not just the data that is easy to wipe. There can be lots of data to be deleted in emails, PDF attachments, images, Excel sheets and of course in ordinary documents. A single PowerPoint presentation with nice graphs and budget proposals for 2019 can, for example, contain an embedded sheet with all the municipality’s expenses (including social security numbers and detailed information) about the municipality’s disabled citizens.
7 – Establish roles and responsibilities around data
Moving data to the cloud is also a good chance to get your data in order. Over time, your file drive has surely become a mess of outdated files, duplicates, mislocations, etc. By cleaning before moving your data, you ensure that only relevant data is moved – but you should also establish roles and responsibilities for data management.
8 – Avoid everything being true
In connection with the move, you should of course have established methods, tools and assigned responsibilities to ensure that this does not happen again. Sweden is a largely digitized country and the amount of data in organizations increases every day.
In a few words: clean up your data before moving it to the cloud. It makes sense, you save time and money, and it’s good for the environment. And finally, determine the necessary measures so that it does not happen again. We have a shared responsibility to clear our old legacy and debts, even in a busy everyday life. After all, a lot of it is your data and mine.
C: Succeed with Microsoft Purview
Many people try Microsoft Purview to better manage their data, but have to give up using it after a while. But there is actually hope! The biggest challenges with Purview can be summed up in a few sentences – and luckily, they’re all solvable:
In Purview, you have to build and maintain a complex search engine yourself, which will always have a high error rate – and which is also incredibly slow to search through data. And if there are errors or changes, you have to start over. Not all relevant data can be handled by Purview – and when you finally want to delete the data – you delete blindly without knowing if Purview has done it properly.
These areas are often obstacles for organizations that want control over their own data. I have therefore formulated the things that Purview has problems with – and the solutions that are available.
So where does Purview fail?
1. Poor identification of data
Purview comes with some predefined searches. They are far from what is needed and they are not very accurate either. You therefore have to set up all the many thousands of types of searches yourself that are necessary to comply with, for example, GDPR and soon NIS2. It’s not a dealbreaker – but it’s a huge job that requires a whole team of both language experts and MS consultants. For each language you use in the organization, a separate set must of course also be made for this language. And then you also have to make sure that, for example, a German serial number is not confused with the Danish personal identification number. Unfortunately, the complexity of ensuring accurate searches is both an enormous task and critical to success.
2. Very slow scanning
Purview is an (extremely) slow data scanner – so you can easily wait years for your data to be scanned. If you have 250 employees with about 100,000 data files each (emails, attachments, files, etc.) it will take about 365 days to scan all the data (multiplied if there are more of you). And that’s just a scan. Since you can only run one scan with a duration of 7 days at a time, it also becomes a project-heavy process to complete the scan of all data.
3. Rescan is often necessary
Of course, you need to adjust your searches when, for example, you become more knowledgeable about your own data, when you know more about what you want to scan for, if you want to minimize false positives, etc. Each change requires a rescan of all the organization’s data (see above).
4. Labeling – but only on a few data
Labeling is a very central feature of Purview. It is therefore important that the correct data is marked with a label so that it can be handled correctly afterwards. However, it is only a select few data that Purview can scan and label. The rest of the organization’s data is then still unmarked.
5. Cleaning with closed eyes
Few people dare to clear their data with their eyes closed without knowing exactly what they are deleting (data that is often even incorrectly selected). But you do in Purview. The employee/data owner is not involved – and instead the decision to initiate erasure is made from a centralized team. This in itself can have huge business implications when important data is lost.
But that said, there is an opportunity to keep Purview, increase the launch and succeed:
Data & More’s solution can overcome all these challenges (and more) where Purview falls short. For example, you can use Data & More’s solution as a stand-alone solution or as a complementary solution that handles the heaviest work. In this way, the organization can quickly start using Purview for its core competencies.
A little about Data & More’s solution:
- The solution is ready to use. There is no need for configuration, programming, etc.
- It contains hundreds of thousands of predefined and tested searches in several languages
- The solution scans quickly and can handle huge amounts of data (petabytes)
- If searches change, you don’t need to do the scan again
- The solution always has control over all data in all connected data sources – including new data
- Labels can be placed on all types of data – which can then be used by e.g. Purview, DLP etc.
- The employee is automatically involved if necessary
- The employee can double check what is set for deletion before it is deleted
- The solution can find selected data in seconds (e.g. in case of access requests) across all data
Basically, Data & More’s solution does the hard work – namely, quickly and efficiently scanning all data and applying the right markups – to the right data – in all relevant data sources. And involves the employee if data is also to be deleted. Over the last few years, Data & More has developed and continuously maintains classification for GDPR, CCPA, PIPEPA, etc. based on billions of data sets (emails, attachments, files, etc.) every day – and it can be used directly with Purview.
In this way, Purview gets the optimal starting point to succeed.
D: AI, also Microsoft CoPilot
When you use, for example, Microsoft CoPilot (or some types of AI), data is often distributed. But if you do not have control over your data, you may risk distributing large amounts of data to e.g. Microsoft. Data that shouldn’t be shared, and even data that maybe should have been deleted a long time ago.
It is one thing to be exposed to a data breach from the outside due to e.g. lack of security. Another thing is knowingly putting out your organization’s data, often including other people’s personal and sensitive data, without ensuring that you know exactly what data you are sharing.
If you are the least bit unsure about exactly what data you are sharing – be sure to check your own and other people’s data before you share it.
E: Data Breach?!
Make sure your contingency plans include information on how you will ensure quick and accurate insight into leaked data in an efficient manner if you have a data breach.
This allows you to quickly communicate and manage the data breach in relation to the private individuals concerned based on factual information about the content of the data leak.
Data & More quickly and efficiently helps organizations that have a data breach by ensuring full transparency into exactly which personally identifiable and sensitive data has been leaked. Of course, we can also help determine which business-critical information has been leaked.
But a good piece of advice is still the well-known “Empty the car before the thief does”, so make sure to clean up your data beforehand. Then the damage is so much less if it were to happen.
Read more here: https://dataandmore.com/sv/data-breach/
Gain insight into your data compliance risk – efficiently and for free
Organizations have not been good at cleaning up old data. Lots of data that should have been deleted long ago under GDPR is still being stored, and new data is being added every day. That’s the downside of living in a digital society. We are all affected by this as individuals when our personal and sensitive information is included in a data breach, or as an organization when the Privacy Protection Authority comes to visit or you end up in the media.
To help secure organizations and all of us as individuals, we now offer free scans. It is exactly the same type of solution that we otherwise sell – and which handles over 2,000,000,000 emails, attachments, documents etc. every day. It’s just free.
- Get up and running in minutes – no installation required
- Automatic scanning of your organization’s emails (up to 250 accounts)
- The scan is based on the authorities’ GDPR rules
- The solution looks for content at high risk, which would be catastrophic in the event of a data breach
- Factual risk overview that can be downloaded
- No one in your organization has access to the scanned information – not even you
- Follow your key figures, trends and risks over time.
- The supplier is from Scandinavia and is ISAE 3402 and GDPR 3000 certified
- All legal documents (data processing agreement etc.) are included
The actual scan can take 2-4 weeks depending on how many accounts need to be scanned and how much data there is. If you are interested in a faster or larger scan – or if there are other types of data you want to scan, write to me at abs@dataandmore.com
- Automated Data Compliance: Identifies and deletes non-compliant privacy data with end-user validation.
- Data Breach Mitigation: Identifies and reports on data subjects involved in a data breach, ensuring proper data validation.
- Copilot Privacy: Prevents Microsoft Copilot from inadvertently accessing sensitive information by tagging privacy data with Microsoft’s sensitivity labels.
- Data & More for Purview: Enhances Purview with full GDPR privacy classification and automatically sets Microsoft privacy sensitivity labels on data.
- AI Enterprise Data Platform: Uses our classification technology to identify and leverage data from large unstructured repositories for large language models (LLM).