Data mapping is a broad term that can mean different things to different organisations, but commonly there are two main strategies for establishing where the data actually resides:
PII Discovery and Personnel: establish employee involvement in parts of the business and usage and creation of PII, readily customisable, auditable and repeatable.
Electronic mapping: more complex process of searching repositories using targeted criteria and data crawling techniques to map PII based on metadata.
Data lifecycle scoping
Building on data mapping by creating a shortlist of possible locations where the data will likely be found, taking into account all stages of document lifecycle from creation/input through to destruction of data.
Define data sets
Establishing what data is personal vs business, through discussion with internal policy makers and stakeholders (Legal, IT, Compliance, Risk).
Structured data searches
Specialist software is then used to search the identified data for PII using a combination of techniques:
Keyword and keyphrases – looking for obvious words that denote personal information.
Formats – looking for particular reference number formats e.g. 16 digit bank code, Sort Codes, D.O.B., Postcodes (exclusions used).
Concept searching – sophisticated routines look for documents that have the same contextual content as others that are known to contain PII, but were not flagged during the structured searching.
Machine learning – teaching the system to better spot PII that has passed previous filtering rounds.
Effectively implementing these 4 tactics will work towards GDPR compliance, however, there are other strategies that Apogee can help utilise that will be needed in order to ensure your organisation is fully compliant.
GDPR will be introduced on 25th May 2018 and non-compliance by this time will incur heavy fines. Make sure your organisation isn’t at risk - to understand all the tactics that Apogee can help with before significant financial penalties are imposed, fill out the form below.