Data Discovery and the GDPR – the ultimate short guide

Article 30 of the GDPR requires you to know what personal data your company stores and processes. But what are you required to know and document? And how do you find all the information without going through thousands of files and folders manually? This is the ultimate short guide to data discovery and the GDPR.

Storing and processing personal data and the GDPR

Every company is responsible for keeping track of the personal data they store and process.

So says Article 30 of the General Data Protection Regulation (GDPR).

Article 30

Records of processing activities: 
1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. 

General Data Protection Regulation – article 30

That means, as a DPO or compliance manager, you must know exactly what personal data your business stores about clients, leads, employees, past employees, etc.

And in this case, personal data is everything from social security numbers, health records, and phone numbers to a photo from the company Christmas party in which an old employee appears.

That’s a lot of data.

Let’s look at what the GDPR says about storing personal data.

What are you required to document according to article 30 of the GDPR?

Whenever your business collects, stores, and processes personal data, you are responsible for this process being compliant with the GDPR.

If we look specifically at article 30 of the GDPR, we find that data controllers (like you) must keep a record of what personal data they process and why.

It’s important that you can document the following:

  • Your business’ name and contact information.
  • Why you process personal data (purpose).
  • What type of personal data you process (categories).
  • Who you share the data with (third parties).
  • Where you transfer the data to (third countries).

Therefore, it is important that you know where your business stores personal data so it can easily be found, categorized, and accessed.

Name and contact details are easy enough.

But how do you find all the personal data you store across many different systems and platforms?

And what constitutes personal data?

What is personal data under the GDPR?

Personal data can be any information that can lead to the identification of a person.

Or any piece of information that can lead to the identification of a person when linked with another piece of information.

From the obvious:

  • Name
  • Phone number
  • Address
  • Social security number
  • Images

To more sensitive personal information:

  • Health records
  • Religious views
  • Sexual orientation
  • Political viewpoints

To the more abstract:

  • IP address
  • Device ID
  • Cookie ID
  • Geolocation
  • Profiling data

That’s a lot of different data and data categories that you can potentially hold about someone.

And when a person has been in contact with your business – as a customer, a lead, a partner, or perhaps an employee, it leaves behind a trail of personal data.

But how do you ever find all that information? Where do you even start looking?

Introducing Data Discovery.

What is data discovery?

Data discovery is a process that aims to find and categorize personal information across different systems and platforms.

It enables your business to build and manage records of personal data, so you always know exactly what data you store, where you store it, and why.

Data Discovery is also an important step forward in your compliance process and is fundamental for complying with article 30 of the GDPR.

Why is data discovery important?

Your business may have grown over the years. More and more data has been collected and stored on various systems.

It may be scattered all over your mail programs, HR platforms, payroll systems, website, and other places.

You may use this data or not. You may have forgotten all about it. Or you may have placed it where no one ever looks.

By finding and classifying personal data, Data Discovery helps you and your business understand what kind of data you hold and process.

Especially when required by the GDPR (article 30).

But also, if you get a Data Subject Request or must perform a DPIA.

If you don’t know where your data is, it can be virtually impossible to respond to a Data Subject Request.

So where do you start with Data Discovery?

How to approach Data Discovery in your company

1. Discover personal data

First you must identify personal data across your systems. This data may be scattered across several platforms and programs.

For example Outlook, HubSpot, Teams, Gmail, or any other documents where personal data is stored.

Identifying all this data can be a real hassle and can require many work hours and countless co-workers to chip in.

2. Categorize Personal Data

Now, when you have found personal data in your systems, it’s time to categorize it.

It’s important that you know:

  • What type of data it is (category).
  • What format it comes in.
  • Where it is stored.
  • The sensitivity of the data (e.g., health records).
  • Where it comes from (source).

It is much easier to work with personal data when it is properly categorized.

And of course, by finding this data, you are also much better prepared to carry out a Data Subject Request.

3. Manage Personal Data

When all personal data is labeled by category, format, source, and sensitivity, you can now manage possible violations of your GDPR compliance.

And it is necessary to keep track of all the data about customers, leads, employees, etc. that can be classified as personal data.

Not only because of article 30 of the GDPR (record of personal data).

But also because of article 5.1(c) (data minimization) which states that the processing of data must be relevant and limited to what is necessary to fulfil the purpose of the processing.

But how do you ever find all that information? Where do you even start looking?

Are you prepared to go through thousands of files and folders manually?

Automated data discovery

There are 2 ways in which you can discover personal data across your systems:

  • Manually

Search through tons of spreadsheets and documents, lists and emails to find any information that can be categorized as personal information. Meticulously label every single piece of information by what it is and who it is connected to. Collect it all in a spreadsheet or document.

  • Automated

Automation takes the workload off your hands. AI data mapping ensures that your personal data is found, categorized, and labeled. All data is then displayed in one central platform, and relevant employees are automatically notified if they can solve violations concerning them or the data they are responsible for.

Cookie Information’s Automated Data Discovery

Cookie Information’s Data Discovery automatically locates and classifies files with personal data in your systems.

It connects your systems and platforms with one click and instantly discovers non-compliant data.

All found personal data is classified by the category it pertains to using AI data mapping.

Yes! We use machine learning and AI to find and categorize personal data.

And that’s how you simplify your compliance workflows. Fast, cost-efficient and secure.

Here’s what you get:

  • A solution that carries out the hard work by mapping and classifying personal data (so you don’t have to).
  • A compliance process sound enough to meet your business compliance goals.

Never look manually through old emails, forgotten files and folders again. Let the machine do the hard work.

Let’s discover your personal data, so you can stay compliant with the GDPR!

Get Data Discovery

And never look for a single file manually again. Your company’s personal data will be found, categorized and displayed in one single platform so you can act on risks and violations.  
