The scenario

Our client’s subcontractor had millions of unspecified records containing personal data that they were concerned about storing. Our team of Consultants helped them to identify exactly the data they were storing and processing and advised on which data to safely remove or null data that should be retained.

Context

Our Consultants discovered 18.5 million personal data records that were not required, much of it historical, which invalidated their data protection documentation and cyber insurance. During the discovery phase we uncovered data that the company was unaware they were storing, and in addition to this, due diligence and security assessment findings had not been followed up.

The supplier was providing support from outside the EU which had not been agreed to or covered by a data processing contract with them. Our client was sending unnecessary personal data to their supplier, and the security on their supplied scanners was inadequate.

Customers of our retail client scanned in personal codes to access discounts and exclusive deals. Their details were retained for processing and analytics purposes; however, data was not removed as it expired or was no longer needed. It was also discovered that data was being stored in test and development environments.

Our Service

The Data Governance and Protection Service consisted of three elements.

  • Discovery and analysis to uncover the issue and key aspects of the situation.
  • Remediation planning and recommendations to show how the issue could be resolved.
  • Support throughout the planning and remediation.

Our Approach

After carrying out an immediate documentation review, our Consultants interviewed key stakeholders, held detailed workshops, and made further enquiries.

Working with the technical and data architects to make sure that removing or nulling of the data would have no impact on their retail systems, we carried out detailed data analysis with the technical team, their external technical support, and the supplier.

We then provided Data Protection as a Service for our client and, in line with data governance requirements, reported on what data they needed to retain and what must be removed.

The Solution

After delivering a presentation to the board with observations, recommendations, and actions, Leading Resolutions assisted in turning this into a detailed project plan with adequate testing and checks.

We explained how Leading Resolutions would support the execution with Data Protection and Security assurances.

The plan had several key stages:

  • Remove unnecessary personal data from all 18.5 million records.
  • Change the supplier’s contract to support data processing outside of the EU and to review and improve the security on their scanners.
  • Update the customer’s data protection documentation in line with the changes and complete due diligence, particularly around security.
  • Change the systems so that no further unnecessary personal data is sent to the supplier, ensuring the issue does not recur, and put in place processes that are easy to follow.

The Real Value Add

  • The cost saving to the customer was through their insurance policy, which covered approximately 5 million records. The discovery of the additional 13.5 million records would have invalidated their policy and, in turn, dramatically increased their premium.
  • Through the removal of the data, the client is no longer at risk of receiving a fine.
  • With the advice and assurance from our experts, we ensured that no unnecessary personal data would leave the company, which has also meant safeguarding our customers from future risk.
  • Drawing upon our 20 years of working within data processing, data protection, and GDPR, we were able to quickly ascertain where to look for data and draw upon our Consultant expertise in current data protection laws.

It was an interesting challenge, and a complex technical and legal environment. The data protection issues were resolved with great co-operation from a client that was keen to do the right thing.

Stef Kunzer
LR Lead Consultant