Why is it important to know where data flows, with whom it’s shared and where it lives at rest, and what is the best way of achieving this?


It would be unacceptable for a company not to know where its physical assets were stored, how they got there and who had access to them. So why should it be acceptable for companies to have no visibility over where their data assets live and who can access them?

With the General Data Protection Regulation (GDPR) now in play, there is growing recognition that companies must have better oversight and control over their data. This requires the ability not only to secure data and prevent mishandling and misuse, but also to ensure it is only used or processed according to the permissions granted by the law. Achieving such control requires an unprecedented and granular level of understanding of how data flows through organisational processes across the entire business ecosystem.

Most organisational processes now involve moving data between several disparate companies. Recruitment, for example, involves not only the recruiting company, but also its agencies, the payroll provider, the HR department, benefits and pension schemes, and more.

Under GDPR, this means companies must be able to anticipate where personal data may end up, and how it may be compromised. This contrasts with the previous trend of collecting data en masse in the hope that it held some enigmatic value waiting to be unlocked.

This is a major challenge because the rise of the bring-your-own-device (BYOD) trend and shadow IT has widened the data flow landscape to a point where organisations now have little to no visibility over their data, at rest or in transit.

Before GDPR, failure to have adequate control of your data would be a risk, and a diversion from best practice. But today, with GDPR in full force, the risk to the business as a whole has intensified. With this in mind, I’ve outlined several practical steps to help in the journey to better control and manage data flow for the organisation.


Conduct a data inventory: Businesses should map the why, who, what, when and where of all the personal data being processed. This will not only put you in a better position from a compliance standpoint, by understanding how secure the data is as it travels through the organisation, but also provide the opportunity to see where you can make some processes more efficient.

Delete any data you don’t need: Conduct a “data cleanse” to purge the organisation of any unnecessary data. Many organisations have been collecting “dark data” for several years, not taking the time to sort through it to understand its potential. While “mass deleting” it before a data inventory means valuable data could be lost forever, deleting data once you have assessed it and decided what could be useful allows you to limit administration and resources to what is required.

Classify the data you do need: Article 30 of the GDPR specifies the requirement to maintain a written record of processing activities, which includes a description of the categories of data subjects and the categories of personal data. Classifying the data means not only that you can find and manage it easily for processing, but also that there is a much clearer view of how users and machines are interacting with the most sensitive content, so that users can be alerted in real time when potential threats occur.

Change organisational habits: BYOD and shadow IT need to be closely monitored if data flow is to be managed effectively within an organisation. Enabling employees to download unapproved third-party applications means important company data could be open to risk. An effort should be made to encourage best practice among staff – for example, encouraging employees to stop saving files on their own desktops – and to ensure that everyone has a clearly communicated role in the data flow management process.

Carry out assessments: Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise the privacy risks of data processing activities. A DPIA should be conducted as early as possible within any new project lifecycle, so its findings and recommendations can be incorporated into the design of the processing operation.

Develop sustainability: It is not enough to just conduct a data inventory, delete some superfluous data and hope that this has made your organisation secure. The inventory needs to be updated, and you need to respond to changes within the company to ensure that your posture remains the same. Conducting regular checks and ensuring a thorough inventory and mapping exercise is conducted at least once or twice a year will help keep the business much more secure.


Written by Yves Le Roux – (ISC)2 EMEA Advisory Council – June 2018