The principles of data minimisation and storage limitation aren't just legal requirements. They're crucial means of preventing data breaches and GDPR violations.
Data minimisation, as outlined by the Information Commissioner’s Office, stipulates that organisations must identify the minimum amount of personal data needed to fulfil a specific purpose. Storage limitation, meanwhile, states that personal data should be kept ‘no longer than is necessary’ for the purposes for which it is processed.
Together, these principles represent best practice when it comes to maintaining customer trust, reducing risks and mitigating security threats. Yet defining them and achieving them are two different things.
To achieve data minimisation and storage limitation, organisation first must work to develop and maintain a healthy and compliant data inventory to understand exactly what data they have, where it has come from, and why it is being processed.
Also known as a data map, data inventories are centralised platforms containing real-time, detailed and neatly organised information on all data that is held by an organisation. Providing holistic visibility, they are the key to identifying data that is sensitive, not being used, or subject to policy controls, as well as helping to outline the risk levels associated with an organisation’s data storage practices.
Critically, data risks can’t be determined if you’re unable to see pain the full picture. Not only is it difficult for entities to be compliant with key data laws if they don’t know what they’re collecting, how they’re collecting it, or where it's going. Equally, if blind spots exist, you simply can’t protect data properly.
The challenges of creating a data inventory
It is for this reason that data inventories are business critical.
Indeed, they enable organisations to put steps in place to minimise risks on any data that is held, as well as helping organisations to make intelligent business decisions by providing an understanding of the value of data and how it can be maximised to enable more efficient operations such as improved reporting practices.
However, building an effective data inventory is easier said than done.
Data mapping is a complex process that poses several challenges. If conducted manually, it can be a major strain on resources, with many organisations simply unable to complete and sustain it owing to the time and costs involved. In other instances, several shortcuts are taken that leave out critical information, rendering any data map as much less useful.
These approaches simply aren’t adequate. Indeed, proper data discovery processes can play a critical role in legal processes, with million- or billion-dollar class actions often hinging on just a few snippets of data.
Unfortunately, legal teams continue to face challenges in obtaining this critical information at speed to meet any litigation, data subject access request or other investigative process. At the same time, many employee groups are able to create new data sources at will, continuing to expand an organisation’s data footprint and at speed.
Owing to these challenges, legal teams often need to turn to IT to collect relevant information – a step which creates significant time delays.
Data discovery and AI
So, how can these be challenges overcome?
Organisations must adopt best practices for data discovery in order data mapping to be comprehensive and in turn effective. In an increasingly connected world, that means accounting for everything from cloud-based applications to mobiles devices, as well as identifying how and by whom these sources are used, and any noteworthy data that may exist on them.
It also means consistently evaluating, updating and assessing data maps for quality, this being critical in ensuring that they don’t become outdated and provide continual value to an organisation.
To achieve excellence in data discovery, legal and IT teams need to collaborate more effectively to eliminate the communication gaps that hamper the efficiency and effectiveness of data-led actions.
However, humans can only do so much. For true success, advanced technologies such as artificial intelligence must also be adopted and implemented within the data discovery process. Not only do these help to ensure that any data map stays up to date, but they do so while reducing the amount of human resource needed by undertaking much of the heavy lifting on mundane data management and processing tasks.
Of course, humans are capable of performing such tasks. However, it is only natural that they should get tired or distracted, increasing error rates. AI, on the other hand, will never make mistakes, while also completing tasks at much higher speed and accuracy, all while identifying hidden relationships and freeing up skilled individuals to focus on higher-value tasks.
Four things to look for in software vendors
In this sense, AI augments current data practices and finds more effective ways of getting through mundane tasks at lower costs.
However, not all technologies are made equal. To truly maximise the benefits of AI in data discovery processes, organisations should first look for software that is easy to use, intuitive, and reflects the way people work. It should be simple to get up and running and require minimal training, enabling broad-level access from the outset.
It must also be able to integrate with enterprise data sources and IT investments such as HR systems in order to bolster the exchange of up-to-date information and eliminate the risk of human error.
Flexibility is another key consideration. Indeed, the growing embrace of cloud computing and other cutting-edge technologies has revolutionised the world of work, including the deployment and management of enterprise software. As organisations’ IT environments evolve, their data discovery software must therefore move in tandem.
Finally, any service should be underpinned by sound client support services. If a vendor is willing to go the extra mile and engage with you before, during and after the purchase of the software, they will help to ease any complex processes or teething problems.
Should a vendor tick all these boxes, they will be able to facilitate the thoughtful implementation of AI throughout the data discovery process, allowing you to move quickly, cheaply and securely in handling, managing, disposing of and processing data.
Register here to attend #RISK 2022, of which the Global Risk Community is a partner, and gain entry to the speaker session Data Discovery: Revealing Data Skeletons in Your Closet at 16:05-16:50 on 17th November within #RISK’s Data Protection & Privacy Hub.