In order to comply with GDPR itself and the requests you will need to respond to, you will need an accurate data inventory, data-classification scheme and audit functions. ClassiDocs will allow you to perform a global search across your enterprise (structured and unstructured data sets), review and document the placement of the data in question, and audit the remediation process.
People: You need to find information about customers, employees, stakeholders and other potential requestors. More importantly, you need to find explicit and specific identifiers about your personae in scope including account numbers, relationship, gender and other identifiable-information sets.
Other Identifiers: In addition to explicit information identifiers, you still need to classify your information sets according to country & jurisdiction-specific definitions. Relational/referential data sets – data that may be attached to other information to form identifiable data points – also need to be documented, managed and classified.
Sources of Identifiers: Traditionally, customer, employee or partner information was always treated as islands of data on their own. Custom applications, CRM, billing and process-management systems will all contain some portion of PII. These authoritative information sets are all excellent sources for PII identification.
How to find PII?
Unstructured Data: As data communications and integrations increase, data tends to exist in many different formats and locations (office documents, PDFs, etc.). In many instances, PII may be included in these files (PDF from a fax machine, Excel documents with customer records, letters to individuals, etc.). This data tends to be scattered and not well controlled.
Applications and Databases: Repositories with specific functions (custom and commercial applications) are also within the scope of the GDPR, so they must be included in any of your discovery activities. PII may reside in any of these repositories, and they may also be sources of ‘anchor’ identifier information.
What to do when you find unsecured PII?
Remediate: A ‘magic’ process that removes or updates all PII-related data for a GDPR query in one click is quite some time away, and may never arrive. In the meantime, you have to comply and deliver results. ClassiDocs will report, via API and/or console, the detected results for your PII query, leaving your team to action the request manually, in an automated fashion, or in some combination of the two.
Audit, Confirm, Validate: After sourcing, finding, reporting and remediating PII-related data, you will need to audit and continuously monitor for these data sets.
ClassiDocs reports ‘initial’ state, ‘remediation phase’ and ‘complete state’ results as it discovers, re-scans and re-classifies data sets continually. You will be able to report and document your current and ongoing compliance state for the query.