GDPR Compliance – Data Sources

To comply with GDPR itself, and with the requests you will need to respond to, you will need an accurate data inventory, a data classification scheme and audit functions. ClassiDocs will allow you to perform a global search across your enterprise (structured and unstructured data sets), review and document the placement of the data in question, and audit the remediation process.

PII – What is it really?

People: You need to find information about customers, employees, stakeholders and other potential requestors. More importantly, you need to find explicit and specific identifiers for the personae in scope, such as account numbers, relationship, gender and other identifiable information sets.

Other Identifiers: In addition to explicit information identifiers, you still need to classify your information sets according to country & jurisdiction-specific definitions.  Relational/referential data sets – data that may be attached to other information to form identifiable data points – also need to be documented, managed and classified.

Sources of Identifiers: Traditionally, customer, employee or partner information was simply treated as islands of data on their own. Custom applications, CRM, billing and process management systems will all contain some portion of your PII sets. These authoritative information sets are all excellent sources for PII identification.

How to find PII?

Unstructured Data: As data communications and integrations increase, data tends to exist in many different formats and locations (office documents, PDFs, etc.). In plenty of instances PII may be included in these files (a PDF from a fax machine, Excel documents with customer records, letters to individuals, etc.). This data tends to be scattered and not well controlled.

Applications & Databases: Repositories with specific functions (custom and commercial applications) are also within the scope of GDPR, so they must be included in your discovery activities. PII may reside in any of these repositories, which may also be sources of ‘anchor’ identifier information.

And when I find it?

Remediate: A ‘magic’ process that removes/updates all PII-related data for a GDPR query in one click is quite some time away, and may never arrive. In the meantime, you have to comply and deliver results. ClassiDocs will report detected results for your PII query via API and/or console, leaving your team to action the request manually, automatically, or with some combination of both!

Audit, Confirm, Validate: After sourcing, finding, reporting and remediating PII-related data, you will need to audit and continuously monitor for these data sets. ClassiDocs will report ‘initial’ state, ‘remediation phase’ and ‘complete state’ results as it discovers, re-scans and re-classifies data sets on an ongoing basis. You will be able to report and document your current and ongoing compliance state to the query