3 Common Blindspots for Personal Data
By Ross Saunders
Many companies have some form of privacy program in place, ranging from a very small program for an SME to large, complex governance plans for larger companies. Whatever the maturity of the program, there are some common blindspots you need to be aware of in the privacy space. This article breaks down three of the top unexpected sources of data we found while working with our clients.
Online Forms
Forms are a very common data ingress point for businesses, with people capturing data in order to sign up for a newsletter, apply for a role, obtain access to a white paper, register for a service, or a host of other possibilities. In ideal instances, these forms are part of a lead tracking system or a CRM, and the information is captured directly into the system. In many cases, particularly for SMEs, this data is emailed to someone designated within the company, or perhaps sent to a group mailbox.
Now, this has its challenges to begin with. Email is unstructured and is a veritable nightmare when it comes to retention periods, data subject access requests (DSARs), and data protection. But, further to this, often these forms are stored on the website or the platform that hosts it. Be it WordPress, Joomla, or otherwise, these systems have backend databases that frequently store a copy of the information submitted on forms, without any notice to the end recipients, and often without you realizing this is happening (i.e., a blindspot).
You need to ensure that your online systems are adequately managed, cleaning out these datapoints when they are no longer required. On a related note, if you outsource your web maintenance to another company, you need to ensure that there are confidentiality and data processing agreements in place, as they will also have access to this information on your behalf, information that could be quite personal.
Shadow IT
The term “Shadow IT” refers to systems that are purchased by teams, with or without official approval, but that never make it into official asset registers. You may think that you have control of all systems owned by your company, but you may well be wrong.
When putting together a privacy programme, a quick route to working out who you have data held with is to pull your vendor master or software asset inventory and work through that. This, however, assumes that all your providers are paid via your vendor process or have been approved by process. In many companies that we deal with, there are additional tools that have been purchased on a manager's credit card or an employee's account, only showing up as an expense claim at the end of the month, and not appearing in the vendor master or approval logs at all.
When looking at the systems in use, you need to combine your approach of looking at the vendor and asset inventories, with that of looking directly at the teams and computers in use. Many antivirus tools will let you pull a list of the software installed on all computers in the network - this is a great way to see what is ACTUALLY in use within the company. Failing this approach, the next (and less reliable) approach is to interview the different teams and ask what they use. This is, however, subjective and often tools will slip someone's mind (or they may not want to disclose they’re using it).
Shadow IT is a difficult issue to manage, particularly if you are smaller and agile, but it is not impossible. Robust policies, fast and efficient procedures, automated scanning tools, and encouraging suggestions of tools for approval, are foundational means to maturing your inventories and avoiding Shadow IT.
Log files
Whether you know it or not, almost every tool you use and system you access creates logs. Log files are everywhere. You need them for diagnostics, record keeping, and a variety of other purposes. In many cases, personal information such as client names and other identifiers is stored in these logs and is totally overlooked by the privacy office (particularly when you develop in-house tools).
Whoever is running the privacy program needs to delve into the technical detail and involve someone who knows what is stored where in terms of the technical operations. Reducing the information stored in these files and making proper use of log levels such as INFO and DEBUG can drastically help to reduce your data footprint in this sense.
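As an added illustration of the log-level point above (example code written for this edit, not taken from any client system), the Python sketch below keeps detailed customer records at DEBUG, stores only an internal ID at INFO, and scrubs email addresses and phone-like numbers from anything that is written. The logger name, regex patterns and sample values are constructed assumptions.

```python
import io
import logging
import re

# Constructed patterns for two common identifiers; extend for your own data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def scrub(text):
    """Replace email addresses and phone-like numbers with placeholders."""
    text = EMAIL_RE.sub("[email]", text)
    return PHONE_RE.sub("[phone]", text)


class RedactFilter(logging.Filter):
    """Scrub the fully formatted message before the handler writes it."""

    def filter(self, record):
        record.msg = scrub(record.getMessage())
        record.args = None  # arguments are already merged into msg
        return True


def build_logger(stream, level=logging.INFO):
    """Logger for a hypothetical in-house app; level decides what is stored."""
    logger = logging.getLogger("inhouse.app")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactFilter())
    logger.addHandler(handler)
    return logger


def demo():
    """Log constructed sample events and return what would reach the file."""
    stream = io.StringIO()
    log = build_logger(stream)
    # INFO: record the event, keyed by an internal ID rather than a name.
    log.info("order %s placed by customer_id=%s", "A-1001", 48213)
    # DEBUG: full detail for diagnostics; never stored at the INFO level.
    log.debug("customer record: %s", {"name": "Jane Doe", "phone": "+27 82 555 0100"})
    # A careless line at a stored level still has its identifiers scrubbed.
    log.warning("mail to %s failed, call %s", "jane.doe@example.com", "+27 82 555 0100")
    return stream.getvalue()
```

Pattern-based scrubbing is a safety net only: free-text names such as the one in the DEBUG line are not caught by it, which is why the level discipline matters.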
If you’re involved in Privacy, get involved in the dev and tech teams. Where you find the technical detail overwhelming, reach out to consultants who can assist. We at Bamboo have operated as a “bridge” between compliance and technical, creating visibility and understanding on both sides of the coin (hint, they’re still the same coin).
Keep an eye out
In short, these kinds of blindspots are why awareness training and involving other stakeholders is vital to the success of your data privacy program. A Privacy Officer simply cannot know the entire operation of a business from end-to-end, and they should pull on the knowledge and expertise of others in the business to identify and address whatever "unexpecteds" may appear. Failing that, getting in specialized consultants can offload the burden and learning curve of doing this yourself, often resulting in a faster turnaround and rapid identification of these (and other) blindspots.