What personal data does your organisation hold? Do you really know?


What personal data does your company hold and where is it stored? Simple enough questions, and yet when we ask, it tends to be greeted with an embarrassed look and a whispered “we’re not sure“.

Data breaches can happen to anyone. But when the data stolen is personal data, you fall foul of the GDPR in the worst way:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear; when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental GDPR data privacy rights.”

Elizabeth Denham, UK Information Commissioner.

The problem is that without understanding the scope of the personal data collected, you won’t know how to go about identifying what you’ve got, where it’s stored, how to secure it and protect data.

Exonar's own research over time and the insight gained from working with our customers reveals that approximately 80% of a typical organisation's data estate is unstructured. Of which:

  • 46% is duplicated
  • 42% contains company sensitive information
  • 9% holds personally identifiable information (PII)
  • 1% contains passwords in plain text.


Where do you even start?

Take a minute to consider your SharePoint implementation…

Is it beautifully neat, with everything saved in a logical, precise file structure?

Is everything tagged appropriately and assigned to the correct people?

Is it the only way people use to store and share information?


Is it a more typical implementation, which started with the best of intentions but over time evolved into some organic monster with millions of files stored in hard to find places, so your employees now resort to saving locally, or on other applications, like Dropbox or Slack?

Behaviours like this are common – and understandable. In just trying to do their jobs, employees are exporting data from your systems to spreadsheets for their reports, editing it, emailing it across the business and then saving it in a folder somewhere.

But it’s this behaviour that leaves your organisation vulnerable and exposed to GDPR breaches. Research from the ICO shows that two-thirds of people don’t trust the companies storing their personal information.

And they’re right to be concerned…

Industry research shows that 83% of security professionals believe that employees have accidentally put customer PII at risk, due to the high volume of unstructured data (emails, documents, files) in the organisation.


The first step to regaining control…

The longer your leave your data unchecked, the worse the issue is going to be when you finally get around to sorting it out – because in line with your GDPR policies, you will need to work out what personal data you have in both structured and unstructured data stores in your estate at some point.

You can go through a manual process, asking teams in each of your business units or departments to spend hours, days and weeks trawling through their file structures to give you a (probably inaccurate) picture of where they think it is in order to meet your GDPR compliance responsibilities. But remember this will be at one point in time only.

However there is an easier way to reveal what personal data you have and where it resides…

With data discovery software tools, you can reveal everything within your organisation’s data estate, at scale, and at regular, ongoing points in time. Giving yourself an automated view of the amount of personal data your business holds, is the key to regaining control. and assuring regulatory compliance. Because unless you know what you’ve got, you can’t do anything about deleting, moving or encrypting it.


How an Exonar client Identifies the scale of personal data within their data estate

Like many organisations, our client’s SharePoint deployment had got a bit out of hand. With millions of files located across thousands of individual SharePoint sites, it had no idea what personal data was hidden within its data estate. Identifying that information manually was a near impossible task, so the company knew it needed to automate the solution.

Using the Exonar platform to reveal what they’ve got, the company was able to identify the scale of personal data located across the SharePoint sites, prioritise areas for remediation and manage the associated risks in the Exonar software’s management-level dashboards.

Personal data should be your most prized possession

Your customers, partners and employees have trusted you to keep their most sacred asset safe. Fail to do so and it’s going to have a lasting and dramatic effect on your organisation’s financial health.

To find out how you could operationalise the management of personal data, read our Guide “How to transition data protection to business-as-usual“.