The challenge of knowing where your data is really stored

22 Jun 2018

In this post-GDPR world, the question of data protection and security will always be a key part of any discussion around new systems and devices. It will be forefront in all of our minds whenever we add data to our primary systems.

But what about those secondary systems or a one-off-bluetooth setup you were testing out? What happened to the data in those systems and devices?

Our MD, Graham Anderson, looks back on his preparations for GDPR and how he tackled just these kinds of questions in his latest article for Business Direction.

This article also appears in the latest issues of Business Intelligence, Business Comment, Business Edge, and Norfolk Voice.

Now that we’ve all managed to survive GDPR, I guess we know a whole lot more about what we are supposed to do with the data we hold on our customers, prospects, and basically anyone we’ve ever met.

You will have gone through your systems and tightened up procedures about whose data you’re keeping and for how long.

But let me ask you this: you’ve gone through your CRM, customer spreadsheets, accounting software, and maybe the odd industry-specific system you’ve got lurking around… but did you consider all those “other” systems (not to mention the dusty boxes in the attic)?

What other systems?

Here’s where I started to scare myself. I thought about my emails and the files on my local PC. I even thought about the filesharing system we’ve got and the internal messaging system we use.

And I felt safe and sorted. We’d thought about these things.

Saying that, when I discussed this issue with some colleagues, other systems came up that needed considering. My Outlook contacts and iPhone contacts: I panicked, thinking there might be some data hiding there! Then I started thinking about all those times I’ve read emails on my phone… could there be personal data hiding in my backups or my iCloud account?

I even scared myself to the point that I checked my car contacts to make sure I wasn’t sharing anything I didn’t want to share and worried for a few short minutes about any hire cars I may have connected to via Bluetooth. (Don’t worry, I got it all sorted.)

And backups…oh the backups!

What if I missed these in my GDPR prep?

Once you’ve got over the initial panic, the important thing is to take action.

Find out which systems your team are using:

It’s crucial that you do a systems audit to understand where you hold data. Which of these systems are hosted and which are stored locally? How many people have access to them? What data is stored in them?

Are they all using the same ones? If they aren’t, which systems can you get rid of? Just think of the time you are losing with people having to copy from one system to another.

Make sure these systems meet your security requirements:

Is the data held in the EU? What about the backups? Do your data retention policies cover all of these peripheral systems or just the central ones?

Now get the procedures in place:

Work with your team to ensure that everyone knows how and when these systems should be used. Think about who should have access and how long the data should be held in them.

You will also want to put procedures in place to stop any new systems being added into rotation without undergoing some of these same rigorous checks.

GDPR has changed everything…hasn’t it?

In reality, for most small businesses especially, everything has changed. GDPR has caused a few weeks of grief for everyone, no doubt about that. My question is: are there any businesses out there that won’t see an impact on their day-to-day way of doing business?

I guess there are some businesses that don’t send out marketing and didn’t really need any of that “old” data that they had lying around. GDPR gave them a reason to tighten up their processes, but otherwise didn’t change a great deal.

Other businesses (those who sent out regular mailshots, bought and sold data, had additional obligations, etc.) will have been forever changed by the introduction of these new regulations. The way they operate on a day-to-day basis will have changed forever.

The big thing GDPR has done, for all businesses, is to make us all stop and think about where we are holding our data and why.

In some cases, this has been an easy question to answer. In others, the answer is more complex and needs a serious investment of resources to answer.

In still more cases (and I think a lot of people will find this an ongoing battle), businesses will be uncovering data that they didn’t know they had. They will be sorting it out, putting procedures in place to prevent it happening again, and looking at their GDPR compliance as an evolving process rather than anything that can be marked as completed.