Personal data scans for GDPR compliance
Our client had to comply with the General Data Protection Regulation (GDPR). To do so, every item of personal data present in its information system had to be associated with a processing operation acceptable to the supervisory authority.
To achieve this goal, our client had to be able to answer these 4 questions:
Who within the company keeps personal data?
What types of personal data are these?
Where are these personal data stored? In databases, but also in shadow IT (e.g. Excel files scattered across the internal network)
For what purpose are these data kept?
Solution provided by Tale of Data
Our “Mass Data Discovery” technology has enabled us to automatically scan:
All relational databases
All shared network disks: every directory and sub-directory was searched for Excel, CSV, XML or JSON files
The CRM and the content management systems (SharePoint)
Each record in each table was analyzed in search of sensitive data: last names, first names, addresses, e-mail addresses, telephone numbers, bank account numbers, etc.
The results were aggregated at the field level (whether the source was a database, an Excel file or a CSV listing): at the end of the scan we knew, for example, the exact number of last names present in every Excel file on the network drives.
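As an added example (not Tale of Data's code; the detection patterns, file layout and field names are my own assumptions), here is a minimal Python version of the bottom-up scan described above: it walks a directory tree, reads CSV and JSON files, classifies each value as an e-mail address, IBAN or telephone number, and aggregates hits per file and field, which is the field-level count the text refers to. Excel and XML readers are left out, and the "network share" is a constructed temporary directory so the script runs offline.

```python
import csv
import json
import os
import re
import tempfile
from collections import Counter

# Assumed detectors. Regexes are deliberately simple; the IBAN check adds the
# standard mod-97 validation so that random digit strings are not counted.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .-]{7,}[0-9]$")
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def iban_valid(value):
    """True if value has IBAN shape and passes the ISO 13616 mod-97 check."""
    s = value.replace(" ", "").upper()
    if not IBAN_RE.match(s):
        return False
    rearranged = s[4:] + s[:4]                      # move country + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def classify(value):
    """Return the personal-data category of a single cell value, or None."""
    v = value.strip()
    if not v:
        return None
    if EMAIL_RE.match(v):
        return "email"
    if iban_valid(v):          # checked before phone: both are digit-heavy
        return "iban"
    if PHONE_RE.match(v):
        return "phone"
    return None


def iter_records(path):
    """Yield (field, value) pairs from a CSV or JSON file; other types are skipped."""
    ext = os.path.splitext(path)[1].lower()
    if ext == ".csv":
        with open(path, newline="", encoding="utf-8") as fh:
            for row in csv.DictReader(fh):
                for field, value in row.items():
                    if value is not None:
                        yield field, value
    elif ext == ".json":
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        for rec in data if isinstance(data, list) else [data]:
            if isinstance(rec, dict):
                for field, value in rec.items():
                    if isinstance(value, str):
                        yield field, value


def scan_tree(root):
    """Walk root recursively; return a Counter keyed by (relative path, field, category)."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for field, value in iter_records(path):
                category = classify(value)
                if category:
                    hits[(rel, field, category)] += 1
    return hits


def aggregate_by_category(hits):
    """Collapse the per-file/per-field counts into totals per category."""
    totals = Counter()
    for (_path, _field, category), n in hits.items():
        totals[category] += n
    return totals


def build_sample_share():
    """Constructed sample share: a CSV in a sub-directory plus a JSON CRM export.
    The IBANs are the well-known public GB/DE test values, not real accounts."""
    root = tempfile.mkdtemp(prefix="gdpr_scan_")
    sub = os.path.join(root, "finance", "2019")
    os.makedirs(sub)
    with open(os.path.join(sub, "suppliers.csv"), "w", newline="", encoding="utf-8") as fh:
        w = csv.writer(fh)
        w.writerow(["supplier", "contact_email", "phone", "iban"])
        w.writerow(["Acme SA", "jane.doe@example.com", "+33 1 23 45 67 89", "GB82 WEST 1234 5698 7654 32"])
        w.writerow(["Globex", "not-an-email", "0123456789", "DE89 3704 0044 0532 0130 00"])
    with open(os.path.join(root, "crm_export.json"), "w", encoding="utf-8") as fh:
        json.dump([{"name": "John Smith", "mail": "john@example.org", "note": "n/a"}], fh)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    report = scan_tree(share)
    for (path, field, category), n in sorted(report.items()):
        print(f"{path}\t{field}\t{category}\t{n}")
    print("totals:", dict(aggregate_by_category(report)))
```

The per-(file, field) keys are what let a DPO go from "there are 2 IBANs somewhere" to "column `iban` of `finance/2019/suppliers.csv` holds 2", which is the granularity needed to tie a finding back to an application-mapping entry. Free-text fields (last names, addresses) need dictionary or model-based detection rather than a regex, which is why this example limits itself to formats with a checkable structure.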
The application mapping document provided by our customer's IT department enabled us to link the personal data found to the actual use made of it.
Scanning all the data (a "bottom-up" approach) made it possible to carry out a comprehensive analysis, as opposed to interviews, which rely on the memory of the people interviewed and on documentation that is rarely up to date.
The scan report gave the register of processing operations a lot of credibility and enabled the DPO (Data Protection Officer) to better organize his anonymization tasks and therefore to greatly reduce the risk of non-compliance.
Automating the entire process gave our client the ability to run regular scans, preventing any accumulation of non-legitimate personal data over time.