Our consultants discovered 18.5 million personal data records that were not required, much of it historical, which invalidated the company's data protection documentation and cyber insurance. During the discovery phase we uncovered data that the company was unaware it was storing; in addition, due diligence and security assessment findings had not been followed up.
The supplier was providing support from outside the EU, which had not been agreed to or covered by a data processing contract with them. Our client was sending unnecessary personal data to the supplier, and the security of the scanners the supplier provided was inadequate.
Customers of our retail client scanned in personal codes to access discounts and exclusive deals. Their details were retained for processing and analytics purposes; however, the data was not removed once it expired or was no longer needed. It was also discovered that data was being stored in test and development environments.