GDPR: False Assurance Of Personal Data Security?

20th July 2018

If you’re anything like us, you will have spent the weeks leading up to the 25th May either responding (or ignoring) the frenzy of emails from every company you’ve ever dealt with, requesting that you authorise them to continue communicating with you in some shape or form. Not only this, but these emails are publicly acknowledging their own compliance with the new GDPR regulations, so we consumers can feel safe in the knowledge that these ultra-secure and strict regulations protect our personal data and stop it from getting into the wrong hands.

As a company who manages data, we’re not convinced that the flurry of activity prior to the GDPR deadline is anywhere near sufficient enough for many organisations. It’s important that these organisations are asking for our consent to hold our information and communicate with us, but what are organisations doing with our data and are they storing it securely.

“The main hive for personal identifiable data (PID) are inboxes – people have and do share sensitive information and PID over email frequently. Employees often do not delete this data, potentially meaning there could be years and years of emails that could pose a serious risk”

Jan Trevalyan, Co-Founder DDC AS

Our concern is that many organisations have seen the GDPR regulation introduction as a one-off activity in gaining consumer consent and have neglected a huge part of this regulation when it comes to ongoing personal data security. We can shred one bank statement and dispose of it correctly but that doesn’t mean we’re protected from personal data theft unless we continue with the same activity each time we receive a bank statement. This is equally true for personal data within organisations as emails and documents are created and shared every minute. How does an organisation keep on top of the continual creation and storage of personal data when complying with the stricter GDPR regulations? We’re not convinced that organisations can do that manually. Some organisations reading this may argue that they can (and are doing) and link to their policy documents but this doesn’t prove that all their employees or contractors are following their guidelines – they have no physical evidence of this should the ICO or customer come knocking at their door. The likelihood is that organisations will only be aware of their data management security capabilities when a breach occurs and at that point, it may be too late!

No doubt the new regulations will offer a challenge to those individuals who tirelessly seek to expose security flaws, not forgetting those within an organisation who may intentionally or unintentionally expose data, but this blog is not all doom and gloom. By focussing on compliance with the GDPR regulations, and data security management in general, as a continual process of evaluation, fear of breach or non-compliance could be reduced.

Whilst Data Protection Officers are the saviours of the modern organisational security age, comprehensive manual evaluation of data security is unfeasible on an ongoing basis. There is just too much data (structured and unstructured) that exists within a company to have one view of everything!

One option would be to invest in appropriate automatic discovery tools. These trawl through your data estate to locate the files that are preventing your company from complying with the GDPR. RiskView uncovers all files that contain PID at scale, enabling you to quickly take corrective action to avoid fines and reputational damage.

To find out more about RiskView and the benefits it can bring to your organisation, contact us on +44 (0) 161 306 8529 or email us at

Schedule a demonstration of RiskView here

Begin your free trial of RiskView here 

View More Articles