I've done my first DataMapper scan. What's next?
Review and assess
- Go to your dashboard tab. Your dashboard will give you an idea of your overall risk. How much risk and high-risk data was found? Is it more than you expected?
- Review your high-risk categories. What types of files contain the most risk data? Think about which categories you really need to keep. Do you spot any that could be eliminated?
- Check the data locations box on your dashboard. In which storage location were most of the high-risk files found? Do you consider that storage location a safe place? Have you set up the proper controls to restrict access to it?
- Make a correction plan for your company. Who should clean up the shared drives? How long should files be kept according to your privacy policy? Are there certain locations you do not want risk data to be stored? Are there certain types of sensitive data you want to avoid storing altogether?
What if I don’t have very much risk data?
Awesome! Now that you know your company does not store a lot of sensitive data, keep it that way, and feel free to brag about it. Use your privacy policy to tell people that you perform regular data inventories with DataMapper to minimise privacy risks.
Start your clean-up
- Go to your risk documents tab. Here you can use filters to review files by location, category, person, or risk level, and then open them right from DataMapper.
- Start by filtering for “high-risk” files. Open each one in the list to review it, and mark it “ok” or “critical”. Look out for: old files, inappropriate keywords, and files stored in multiple locations.
- Delete old files. The GDPR does not specify a time limit for keeping data, but it does require you to set a data retention limit, justify it in your privacy policy and stick to it. Keeping personal data longer than your privacy policy promises is considered a violation of regulations.
- Delete inappropriate data. Checking the keywords that caused a file to be flagged will give you an idea of whether you should keep it. Consider whether you have a legitimate purpose for keeping sensitive information about someone’s race or beliefs, for example.
- Move data to designated folders and locations. Storing duplicates of the same high-risk file in multiple locations or inboxes is a red flag. Make sure data is where it should be, and delete unnecessary copies.
What if I have a lot of risk data and clean-up seems overwhelming?
The most labor-intensive part of data management, the data inventory, has already been done for you. This already puts you ahead of the game, compliance-wise. Remember that you are allowed to store sensitive data if you have a legitimate purpose for collecting it and you keep track of it.
Privacy laws like the GDPR do not specify exactly what must be done with the personal data you store or how much you can store, but they do require you to introduce “appropriate organizational and technical measures” to protect it.
A little check-up from time to time to make sure you know what you have goes a long way. And every little bit of data minimization helps. Don’t put off clean-up for fear of what you might find. Log in to DataMapper regularly, for just a few minutes, and look for a couple of files you can put in their proper place or delete.
Improve your privacy practices
- Lock shared folders when appropriate. Folders in OneDrive or SharePoint that contain high-risk data can be locked to limit access to only those employees who need it.
- Be aware of syncing. If syncing is turned on in OneDrive, attachments people share with you by email will be automatically saved in your personal folder, even if you do not open or download them.
- Set up automatic deletion for files in your email. Folders like "Deleted Items" and "Sent Items" are often good places to set up automatic deletion.
- Improve your privacy strategy. Can you keep sensitive data out of email folders altogether by using a safe data sharing add-in or private upload point? Could certain types of sensitive data be kept in one place and protected?
- Repeat the above steps periodically. Your company collects more personal data every day. Keep up with it by periodically repeating your DataMapper clean-up, since sync is active across all Microsoft locations, including Outlook.
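One way to implement the automatic-deletion step above for Microsoft 365 mailboxes, as an added example that is not part of DataMapper or of the original page: Exchange Online retention tags for the Deleted Items and Sent Items folders, bundled into a retention policy and applied to all user mailboxes. It assumes the ExchangeOnlineManagement PowerShell module is installed, the signed-in account holds Exchange admin rights, and `admin@example.com`, the tag and policy names, and the 30- and 90-day limits are placeholders.

```powershell
# Added example (not DataMapper code): auto-delete old items in Deleted Items and Sent Items.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account; the UPN,
# tag/policy names and day limits below are placeholders. Set the limits to match the
# retention period promised in your own privacy policy.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# One retention tag per folder type; AgeLimitForRetention is in days.
# PermanentlyDelete skips the recoverable-items stage; DeleteAndAllowRecovery keeps
# a short recovery window for users who purge something by mistake.
New-RetentionPolicyTag -Name "Purge Deleted Items 30d" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction PermanentlyDelete

New-RetentionPolicyTag -Name "Purge Sent Items 90d" -Type SentItems `
    -AgeLimitForRetention 90 -RetentionAction DeleteAndAllowRecovery

# Bundle both tags into a single policy.
New-RetentionPolicy -Name "Data minimisation policy" `
    -RetentionPolicyTagLinks "Purge Deleted Items 30d", "Purge Sent Items 90d"

# Assign the policy to every user mailbox in the tenant.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-Mailbox -RetentionPolicy "Data minimisation policy"

# Verify the assignment so the check can be repeated alongside each DataMapper clean-up.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Select-Object DisplayName, RetentionPolicy
```

The tags only take effect once the Managed Folder Assistant has processed each mailbox, so items are not removed the moment the policy is assigned.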