3 Steps to EU GDPR-Ready Information

In one of our earlier blogs we addressed five of the most common myths relating to the GDPR.  At the top of the list was “You don’t have to worry about the GDPR until 2018”.  As we established, and as the ICO pointed out in 2016 in “GDPR – 12 Steps To Take Now”, this is incorrect – organisations need to act immediately, especially those who are currently creating contracts that will be in force when the legislation takes effect.

In the spirit of making the whole process of compliance easier, and focusing on our belief that data management is at the heart of GDPR compliance (you can read more in our whitepaper here) we’ve put together our top three steps to getting your business ready for the GDPR.

Step One: Data Management Begins with Discovery

Before you can implement any processes regarding the treatment of data, and requests for data under GDPR legislation, you must find the data that is within your organisation.

Given how rapidly data is collected, created and stored by organisations, it would be impossible to find this out manually and meaningfully.  What is correct at the beginning of this year could be wildly different in 6 months’ time.

By using Big Data and Machine Learning principles as part of an eDiscovery and data mapping process developed and applied by Exonar, you have the ability to rapidly find and categorise data and to do so on an ongoing basis – keeping you compliant overall rather than at a single point in time.

The added benefit of a digital discovery process is that you can also uncover the unknown data resident in your organisation – something also covered in greater detail in our whitepaper.

Step Two: Classification

Once you’ve found your data, you need to be able to classify it.  Not only for your own corporate governance but also for the purposes of the GDPR which distinguishes between Personal Data and Sensitive Personal Data.  To make sure that your classification is applied consistently, it shouldn’t be left to people to try to remember, or a lengthy guidebook.  Here, Machine Learning and Big Data make sure that nothing is left to chance and that every data point is treated as it should be, every single time.

Step Three: Implement Relevant Processes

Once you have identified and classified your data you have a robust platform upon which to implement your processes.  Given the speed at which discovery and classification can take place when using the Exonar platform, this third step is where you can really apply the skills of your people and any consulting teams that you engage to do the following:

  • Decide which processes are required – this may include:
    • De-duplication
    • Handling of requests for information
    • Handling requests for deletion of data
    • Managing interactions with third-parties and assessing their compliance status
    • Communication of the GDPR and what it means, throughout your organisation
  • Decide which processes can be automated, and which need to be handled by people.

These are just the first three steps in what will be a longer, and ongoing process.  We think that they’re crucial for any organisation that wants to get it right first time.  To find out how Exonar could help you make the right first steps in your journey towards GDPR compliance, get in touch.

The EU GDPR: How to Know What You Don’t Know

Here’s a little challenge for you: can you list how many departments there are within your business?  How about the number of teams that sit within each department?  If that seems too easy, then how about listing the number of databases held by each team?  And if you really want a stretch, how about taking a guess at the number of data points your business holds on individuals.

It’s likely that everybody would know (or, in the case of a large corporate, could find out) the answers to the first two.  The second two can be almost impossible to manually discover.

Some would argue that it’s easy to find the number of databases within a business but what we have discovered during the course of our work is that many organisations have terabytes of unknown data – something we reflect on in our whitepaper “GDPR – Why It’s About More Than Legislation”.

For this blog post, we’re going to focus on just one element – that of unknown data.

The Data That You Know About

Let’s say an organisation has a team for each of the following functions: HR, Finance, Marketing, Sales, Operations and Customer Service.  Each of these teams is likely to have its own master data source.  It could be as straightforward as an SAP ERP system, each of the teams having a discrete Line of Business app or database, plus the company having an overall infrastructure to provide email and collaboration software.  Every interaction leaves a digital marker, and so every piece of data and its movement can be tracked.

If your organisation only has data that it knows about, then if you are asked by an individual to disclose or delete the information you hold on them as part of the GDPR then you should be fine.  Except that you’ve probably got the following:

Data That You Don’t Know About

What the above example doesn’t include are data repositories that many organisations have, but either don’t think about or don’t know that they exist.  These include, but are not limited to:

  • Decommissioned servers that are still holding data
  • Duplicated databases from campaign activity / mergers / roll-outs of new software
  • Data that has been wilfully misused
  • Data shared with a third party as part of a service-delivery contract
  • Emailed data that has been shared innocently or to avoid corporate process
  • Development servers that are not considered as part of the company’s live data estate


















All of the above instances introduce risk and cost to an organisation.  Risk in that confidential information could be leaked, lost, or accessed by unauthorised persons.  Costs come in the form of data breaches that result in legislation, plus remediation costs to fix the weakness in the network / governance process.

Pinning Down Unknown Data

Whilst you may have unknown data, it won’t take teams of consultants or outrageous cost to locate it within your organisation, and neutralise the risk it poses.  At Exonar, we’ve developed a platform that uses Big Data and Machine Learning to track down, identify and classify data – wherever it might be hiding.  We have helped clients to find and retrieve data containing passwords, personally identifying data points and company sensitive information.  We’ve also helped them to find terabytes of duplicated information.  As part of this process, they’ve reduced cost and avoided risk but what is perhaps more important to them organisationally is that they have flushed out what was previously ‘unknown’.

Better Business as Usual

Organisations that have a firm handle on all of their data assets not only have a more stable platform for managing the customer experience, they also have greater knowledge of their overall business.  At a time when businesses are awash with data, the ability to identify it and make it meaningful has far greater impact beyond GDPR compliance, but it’s a good place to start.

Exonar are experts in helping businesses to uncover unknown data, reducing risk and cost.  To find out how we can help you, get in touch.

Busting the 5 Big GDPR Myths

When a piece of legislation like the GDPR comes along, it makes for a huge amount of noise which can create a lot of confusion.  Not everyone has the time or inclination to read the official ICO documentation or, indeed, the Regulation which can mean that the truth becomes a little clouded.  At Exonar, we’re trusted by organisations to put them on the path to GDPR compliance by putting data management at the heart of their strategy.  Through the course of our work we’ve come across a few myths, so this short blog is here to bust them:

1)     You Have Until 2018 To Be Compliant

In March 2016 the ICO issued guidance on what organisations should be doing to get ready, so if you’ve not already considered how the GDPR will affect your business, you’re actually behind.  If you’re writing contracts today that will be in force during 2018, then those contracts must reflect GDPR legislation.  This includes treatment of data on European individuals and making sure the relevant processes are in place should they wish to see their data, or request for it to be deleted.

2) You Don’t Need to Worry About GDPR If You Only Hold Data on Customers

GDPR applies to information held on any European individual.  If you hold information on employees, prospects, contacts at suppliers, shareholders or customers, GDPR applies to you too.

3) It Doesn’t Apply to Companies Based Outside of the EU

What matters for the GDPR is the data that you hold – not the location of your organisation or data stores.  Even if your company is located outside of the EU, if you’re holding data on European individuals, the GDPR still applies.

4) If Your Databases Are Secure, You Don’t Need to Worry

The big question here is how do you know for certain that your data is secure?  We regularly find that organisations have terabytes of unknown “hidden” data across their networks in the form of decommissioned servers, emailed spreadsheets, development databases and other unexpected places (you can find greater detail on unknown data in our whitepaper).  Unless you can provide proof that you have conducted a detailed audit of the data that you hold on individuals, we would be very wary of assuming compliance.  The unknown data in your business could be what causes you to become unstuck.

5) GDPR Only Applies to Corporates, and Only to Data Controllers

GDPR applies to any organisation with more than 250 employees and places responsibility on both Data Controllers and Data Processors.

New legislation can feel overwhelming, and it can be tempting to leave it in the hands of the legal team, but we believe that our combination of straightforward advice, plus a software platform that reduces the cost and time associated with data management, puts you in control of the GDPR compliance process and gives you confidence that you’ll get it right first time.

To find out more about how Exonar could help you, get in touch.