What Next With Your Personal Data Inventory (Article 30)?

3 Step Guide, Survey Results and Article 30² Toolkit

Data privacy legislation requires organisations to discover and document their personal data processes e.g. GDPR – Article 30 ‘Record of Processing Activities’. For most organisations the simplest way to fulfil this obligation is to create and maintain a Personal Data Inventory.

Understanding what data you have, why you have it, where it is processed, who can access it, when it should be deleted, and how it is secured is the foundation of any data privacy or cyber security programme that aims to protect personal data and comply with data privacy legislation, e.g. GDPR, CCPA, PIPEDA, PDBP and more.

Exonar Survey

Exonar surveyed 104 organisations to understand their experience discovering and operationalising their Personal Data Inventory. We have detailed the findings of this survey alongside a 3 Step Guide to Personal Data Inventory and Article 30² Toolkit.

Our first section on data discovery and personal data inventory will be most useful for organisations who are planning to create their Personal Data Inventory (e.g. those preparing for the California Consumer Privacy Act (CCPA) in 2020).

Our second and third sections will be most useful for organisations who have already created their Personal Data Inventory (e.g. those complying with General Data Protection Regulation (GDPR) from May 2018) to explain next steps for monitoring and compliance activities.

The Article 30² Toolkit can be filled in to help you structure your journey through this process.


Doctor! Doctor! I have a SAR – How Long is the Waiting List?

 

A First-Hand Account of the Problematic Role of SARs Processing.

It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines? Now that they’re free of charge for the public to request following the introduction of the GDPR mandate in May, it’s not just the NHS who are struggling to manage the pressure of the increased quantity of SARs. Even large organisations with chunkier department budgets are struggling to maintain their current pace of responding to SARs. However, at Exonar, we believe we have a solution that will dramatically reduce human effort in processing SARs, easing the pressure on admin staff across the globe, in any sector.


To highlight the need for more system automation, we spoke to a former NHS employee who shared their insights into processing requests in a recent exclusive interview with Exonar’s Head of Marketing, Dan Welberry. The following points were discussed during the interview:

  • Why do the public need access to their data?
  • The SAR process
  • Privacy and sensitivity of data handled
  • Issues of processing SARs within the NHS
  • Size and scale of requests
  • Turnaround deadlines
  • What would make SARs handling easier?

 

Why Do the Public Need Access to their Data?

‘Within the NHS, a subject access request is usually raised for one of two main reasons:

  • A patient who requires proof of a case for funding purposes.
  • A family member trying to bring probate to conclusion on behalf of the deceased.’

The Process:

‘Before any request for information is considered, the following steps must be taken:

Image source: Black Country Partnership NHS Trust; Subject Access Request Procedure

http://www.bcpft.nhs.uk/documents/policies/i/1623-information-sharing-sop-03-subject-access-request/file

 

Since the GDPR mandate was introduced on May 25th, there are now no fees charged to the public for processing SARs.


Privacy, Confidentiality and Sensitivity of Data Handled

‘Whenever assessing a case, the privacy of the individual has always been the most important thing to me. If there was any information required that couldn’t be provided, the request would be declined and I would want to be sure that all the right documents were in place before any records were retrieved. There was always a need to also consider the content with discretion too. There may well be a case where the requested content could contain very private information – information that actually might not be helpful or upsetting to the family and therefore could perhaps be withheld or redacted. Where historical records were requested, there was also a case for reviewing the language used. What might have been appropriate to say a number of years ago may not now be so politically correct today – this too would have to be reviewed.’

 

Issues With Processing SARs Within the NHS

  • Lack of system automation: ‘One of the biggest issues faced was the amount of manual work required to fulfil a request. I believe this is a huge challenge for the NHS going forward as they simply don’t have the capacity to cope now, let alone handle the anticipated increase after the introduction of the GDPR in May, 2018. Where redaction was required to hide any information, this would be done manually using a black felt tip pen which was massively time-consuming in itself.’
  • Paper to Digital: ‘Prior to 2007, all records held by the NHS were on paper and from 2007 to date it’s probably around 50/50 – paper/electronic. All paper records were therefore required to be scanned. Any Post-It Notes or other attached notes would also need to be scanned without obscuring any content underneath’.  
  • Illegible Doctors’ Handwriting: ‘Covering notes present their own set of challenges, particularly when trying to decipher a Doctor’s handwriting!’
  • Single Sided Responses: ‘Any documents sent out as part of a response couldn’t be double-sided, so single pages only added to the amount of documentation to be issued.’

 

SAR Size and Scale

‘To give you an idea of the scale of typical requests, I believe the following to be a fair assessment:

 

Turnaround Deadlines:

When considering the delivery time, you have to take into account a number of factors. Firstly, an FOI must be completed in 20 working days and a SAR will be one month to collate after GDPR is introduced on May 25th (previously 40 days). Crucially, a SAR demanding one month lead time means that all weekends and public holidays are included in the time allowance. Whilst the work is being undertaken, all cases must remain on the premises and locked away when not being reviewed. This can result in a fair amount of late nights which of course can be counterproductive when you really need to be very alert.

It’s my opinion that the ICO (Information Commissioner’s Office) provide very little support other than the information provided on their website. This in itself can be challenging as it’s written in a very ‘legal’ way, so it can often feel like taking guidance rather than knowing confidently that you are delivering what’s required. I recall when I started that very little training was given other than a quick run-through of some legislation. This worried me as I soon realised how forceful lawyers and the general public can be!’

 

What Would Make the SAR Process Easier Within the NHS?

During my time at the NHS, I often thought about how much easier the whole process would be with technology. I accept that the manual process of scanning would still be required, but the reading and redaction process could be completed in a fraction of the time. Consider these further issues once the collation process is complete – all impacting further on time and resources:

  • The office printer being out-of-use or out of ink due to the amount of pages being printed and delaying colleagues.
  • The need to use courier services to deliver vast amounts of paperwork.
  • The need to package up various parcels to be sent via recorded delivery.
  • The need to compress files where documents can be sent via email.
  • The need to send out multiple emails due to the amount of data being sent.
  • Formats and file types that can be read by the user as well as platform compatibility, i.e. Mac v PC.
  • Secondment of staff to achieve delivery deadlines.
  • FOI requests delayed whilst SARs take priority.

 

Having watched a product demo, it’s my belief that the NHS and central government would benefit hugely from the Exonar software. I know that from my experience, it would have made my life in SARs delivery so much easier! The initial outlay to install the platform in Trusts across the UK would save the NHS an untold fortune, and it’s here where I believe that Exonar would provide the most value. If SARs can be produced in minutes, not days, this will significantly speed up processes, release some of the burden currently weighing heavily on the NHS and centralise patient documents, allowing for better data security. I can’t think of a single reason why the NHS shouldn’t invest in Exonar – to me, a former data handler on the front line, it’s a no-brainer!’

 

Do you work in an industry that is buckling under the pressure of SAR requests? We’d love to hear from you. Please reTweet this blog using #SARWars and tell us all about your Subject Access Request woes!

 

 

 

The Impact of Privacy on the Public Sector

Data Requests Under GDPR to Push Cost to Public Sector Past £30 million

  • Annual costs to complete requests for personal data reach £20.6m for NHS and £7.9m for local government
  • £2.1m gap will emerge as organisations can no longer charge a fee to complete requests
  • Some 30 million requests are expected across public and private sector this coming year, which will cost UK PLC £4.5bn

Newbury, UK, 4 July 2018: New research released today shows that public sector organisations face increased financial pressure as a result of the recently implemented General Data Protection Regulation (GDPR), to the tune of £30million per year. The NHS is expected to be hit hardest by the influx in data requests, given that before the introduction it cost the NHS £20.6million per year to retrieve customer data.

The impact of GDPR doesn’t stop there. Further new guidelines ruling that in most cases an organisation must also complete requests free of charge are an extra blow to budgets. This marks a key change from previous guidelines under the 1998 Data Protection Act (DPA), which allowed a processing fee to be charged. As such, a £2.1m gap in income per year is expected to emerge.

The detail behind the numbers:

The figures are the result of an extensive Freedom of Information (FOI) Act request made by Exonar, a leading provider of GDPR data mapping and data inventory solutions, to 458 organisations, including NHS Trusts (206), local government (125), central government (61) and emergency services (66) from across the UK.

The FOIs asked for the number of subject access requests (SARs) received by the organisation in 2014, 2015, and 2016* and the cost of processing each SAR.

On average, a SAR cost £145.46 to process, though some bodies admitted it costs much more, sometimes running as high as £1,800, such was the complexity of finding data and the associated administration. Multiplying the average cost to complete a SAR by the number of SARs received by the respondents in 2016 (209,023) results in a total administration cost to the public sector of £30.4 million.

Each organisation could previously have recouped some of the cost and charged a recommended £10 fee to complete a SAR but under GDPR they will no longer be able to, resulting in a £2.1m deficit that is set to grow wider as more requests are made.

NHS will be hit hardest

The study found that on average each NHS Trust already receives 800 requests per year. Multiplying this by the average cost of processing SARs and then by the 241 Trusts in the UK, the total cost to the NHS of managing SARs stands at £20.6million annually. It’s expected this will only go up as more people become aware of their rights.

In general, the public sector will struggle to meet SAR response deadlines

The GDPR has trimmed the amount of time that organisations have to complete SAR requests from 40 days – as per the 1998 DPA – to one month.

Exonar’s research found that many organisations struggled to meet the deadline for providing answers to its FOI requests (requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

The time to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.

Some Trusts can’t put a figure on the cost of processing a SAR

Some NHS Trusts declined to provide a figure, such was the complexity of finding all the data related to a person. One such Trust was Calderdale and Huddersfield NHS Foundation Trust, which, though it couldn’t provide a figure, highlighted that the costs would include 3 WTE band 2 staff (approx. £16,500 pa each), plus costs such as discs costing £1,044/year, envelopes with an annual cost of £40, and postage costs at £1.48 per patient.

The Trust added that this would be a minimum cost and there are other costs that “cannot be quantified”, such as involvement of management, clinicians, physio and health visitors, finance and even X-ray costs.

Adrian Barrett, CEO and founder of Exonar, said that the variance in time taken to respond demonstrates how complex a task SARs are in the public sector: “The good news is the public sector is taking its responsibility to do a thorough job and find all the data pertaining to a person seriously. However, there’s a heavy process burden, especially when multiple bodies are involved, and the NHS in particular needs an alternative to manpower to trace data if it is to avoid penalties of non-compliance.”

Adrian adds that digital initiatives in the public sector have to be accelerated to relieve the burden on the public purse: “Our estimates on the costs of managing SARs is probably conservative but we do expect an immediate bow wave in response to all the GDPR emails we saw in May and June.

“Because the public now knows about the GDPR they are more likely to raise more SARs, and if there is a sudden wave of requests the public sector will be stretched further. It’s clear that the government needs to take advantage of new technology, particularly artificial intelligence, to help the public sector become more efficient with handling, organising and retrieving its data.”

Local government also hit hard to the tune of £7.9million

For local government the cost of managing a SAR stands at £596. With each council receiving around 138 SARs annually, the 418 local government bodies across the UK could expect to see total costs of £7.9million/year. This number is expected to rise given that between 2014 and 2016 the number of SARs jumped from 15,173 to 17,274.

It’s estimated by Exonar that an average SAR will run to thousands of pages as complete medical histories and the like are produced. It’s a reflection of the situation in the private sector, where a bank provided 2 boxes of paper for a single customer who had banked with them for 25 years.**

Barrett says the total number of SARs could cost UK PLC billions: “We expect 30 million requests to be made this year to private businesses of all sizes and the public sector. If we assume the cost to process a SAR is the same in public and private sectors, then the cost to UK PLC stands at £4.5bn. That’s an extraordinary sum to set against admin that has no value to a company.”

A copy of the full report, which details all the findings and compares NHS, Emergency services, local and central government can be requested here.

Notes to editors
*complete data for 2017 was not available
** A limited scope SAR submitted to a high street bank that a customer had been with for over 20 years generated over 800 sheets of paper, enough to fill two DHL boxes. An image showing the results is here.
Additional research related to how the public will react to their new-found data rights is here. It highlights that 57% of UK adults would raise a SAR on companies and public sector organisations once GDPR was explained to them.

About the research
458 public sector organisations responded to FOI requests between September and November 2017. The FOI asked for the number of SARs received between 2014-2016 and the cost to complete a SAR. 206 NHS Trusts, 125 local government, 61 central government and 66 emergency services from across the UK completed the request.
Numbers have been calculated by averaging the figures provided by the different sectors to provide sector comparisons in particular for the NHS and local government. There are 418 local government bodies, and 241 NHS Trusts.

About Exonar
Exonar solves a problem common to all organisations and their senior information owners, “I just don’t know what I’ve got”. Exonar finds and fixes an organisation’s information, from databases to documents – instantly and at scale. We use machine learning to understand what’s important, where it is and who has access to it.
Exonar identifies documents containing passwords, customer and confidential information enabling successful governance, risk management, document retention, cyber security and compliance with forthcoming regulations such as GDPR – with ease.
We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at exonar.com or follow us @Exonar.

 

PWC – The Global State of Information Security Survey 2018

Revitalising privacy and trust in a data-driven world

Key findings from The Global State of Information Security Survey 2018

‘49% of the 9500 respondents did not have an accurate inventory of personal data’

Massive data breaches and the constant collection of personal information routinely spur debate on whether privacy, rooted in ancient times, is dead in the digital age. Are we in a post-privacy world? In many ways, it is the wrong question. Privacy, security and trust—all increasingly at risk—are also more vital and intertwined in our data-driven society.

Read the full survey results: exo.nr/PWCsurvey

 

Millions of Brits set to make GDPR personal information requests

Finance, telecoms and even social media in the firing line as customers set to demand a copy of personal information held on them

LONDON, November 1st 2017 – New research released today shows that millions may submit Subject Access Requests (SARs) to find out what personal information businesses hold on them after the General Data Protection Act goes live in May 2018.

The research, conducted by Exonar, a leading provider of General Data Protection Regulation (GDPR) data mapping and data inventory solutions, set out to identify what people know about how their privacy rights will change in May 2018. The findings showed that 70% of people have no idea about the changes. However, once GDPR and the term SAR were explained to them, 57% said they would raise a SAR.

The research also considered which sectors will be hit hardest. Financial services topped the charts with a third of people saying they would submit a SAR to their bank and 16% to their credit card provider. This could result in around 21million* current account holders raising a SAR and around a further 8million** credit card holders also asking for information held on them.

Other targets for SARs included mobile network providers (11%), social media companies (16.4%), insurance companies (8%), and loan companies (5%), 8% a utility firm, and 5% a retailer. A further 9% would raise a SAR on a current employer, 4% on an ex-employer.

Julie Evans, COO at Exonar, said companies need to make the most of the time they have before the Information Commissioner’s Office (ICO) starts its consumer publicity campaigns: “Companies often ask us how they can predict how many SARs they will receive. It’s an impossible task as so much of it will come down to consumer awareness.

“At the moment all communication efforts from the ICO are focused on getting companies ready for the GDPR, but come next Spring, we expect the focus to change as they start to inform the general public about the changes. If the ICO succeeds in raising consumer awareness then, as this research shows, the floodgates will open. Businesses really do need to make the most of the remaining months to get their data house in order.”

The research found that people are worried about how their data is managed today: 27% are concerned their data could be sold, and another 27% said they worried about hacking.

As part of the research, it was explained that a SAR could run into hundreds of pages***. Almost a fifth (18%) stated ‘shock’ that a company could hold so much about them and everything they have ever done, with 15% saying that if they held that much information they would want to know exactly what it was and a further 10% went as far as to say they’d want companies to forget about them altogether.

There were also environmental concerns: a third of people (31%) said they thought SARs were a waste of paper and would prefer to receive them in a secure digital format – just over a quarter were surprised a SAR wasn’t digitized anyway. 12% said environmental concerns would put them off doing a SAR.

Evans adds: “Going digital should be at the heart of any GDPR strategy. New technologies like data mapping, big data and machine learning will make it easier for businesses to ensure personally identifiable data is easy to locate and secure. Technology can help everyone in a business to follow best practice and avoid the potentially hefty cost of failing to deal with SARs and comply with the GDPR.

“Aside from the cost, relying on manual processes is too high risk. Going digital will make the process of finding and retrieving information quicker and cheaper, and also lessen the environmental impact of completing a SAR request.”

In order to offset the environmental impact of producing paper-based SARs and to encourage organisations to consider moving towards a digital process, Exonar is asking that for every SAR that is produced in paper a tree is planted or a donation is made to the Woodland Trust.

For more information about the research go to: www.exonar.com/plantatreeforprivacy

 

Notes to editors 

About the research: 1028 adults were surveyed between 6th and 10th October 2017, by Opinion Matters.

* Approx. 21m active current account holders (33% of 65m – https://assets.publishing.service.gov.uk/media/53c834c640f0b610aa000009/140717_-_PCA_Review_Full_Report.pdf)

** Approx. 8m active credit card holders (16% of 50m – http://uk.creditcards.com/credit-card-news/uk-britain-credit-debit-card-statistics-international.php)

Calculation: 33% of 1028 people questioned said they would submit a SAR to their current account provider, and 16% said they would submit a SAR to their credit card provider, multiplied by the total active current account/credit card holders.

*** People can raise a request today but companies can take as long as 40 days and charge for the service. An Exonar employee asked their bank, with whom they have been a customer for 20 years, for the information they held on them. This picture features all the paper the employee received. It amounts to eight reams of paper.

IDC Insight – Exonar Probes Depths Where No GDPR Solution Has Gone Before

Analyst IDC Publishes Insight into Exonar’s Capability to Help Organisations Comply with GDPR

Exonar Probes Depths Where No GDPR Solution Has Gone Before
June 19, 2017
By: Mark Child, Alex Proskura, Dominic Trott

 

IDC’s Quick Take

At InfoSec 2017 in London, Exonar briefed IDC on its innovative solution to the challenges of content discovery, classification, and management. Its proposition is built on open source technologies and utilizes advanced methodologies to overcome many of the hurdles faced by traditional DLP and eDiscovery solutions. Exonar’s solution enables companies to get to grips not just with GDPR, but with a much broader set of challenges.

Event Highlights

Exonar’s demo focused on its data discovery, management, and compliance solutions, highlighting high-level dashboard views, as well as tools and capabilities for users to drill down and analyze any component of a company’s data assets. The vendor emphasized the importance of developing processes and mechanisms that ensure compliance is achieved by design and business risk is reduced in the long term.

IDC’s Point of View

Modern organizations face numerous challenges in terms of managing their systems and data. The current era of digital transformation and the shift to 3rd platform architectures are driving a need to focus on securing data rather than ensuring a secure perimeter or border; at the same time, the confluence of users and processes with data and systems means the human aspect and use cases are often as important as technology considerations. Data protection efforts are further complicated by the presence of data not only on a variety of devices, including mobile, but also in a variety of forms. Unstructured data, such as data in emails and office documents, presents a particular challenge. Compliance looms over all of this, with frameworks such as the forthcoming EU General Data Protection Regulation (GDPR) compelling organizations to address many of their data management challenges in the face of a hard schedule and concrete deadline.

Significantly for Exonar, the EU is not the only area where data compliance regulatory requirements are evolving. With markets such as China, Russia, and Singapore also setting out stronger guidelines, Exonar has the opportunity to address a much broader market than just its “home” region of Europe.

Exonar’s development arose from addressing specific needs in the defense and aerospace sectors. In trying to resolve its customers’ requirements, the vendor looked at the information assets component and at data loss prevention (DLP) solutions. However, it saw a key obstacle in that the solutions on the market typically could not understand what they were looking at. Contextual understanding was a challenge. Then it looked at eDiscovery solutions to overcome these hurdles, but found major problems with scalability — a critical requirement in modern organizations ramping up to billions of files and documents. As a result, the company opted to develop its own solution and did so using a lot of open source components.

The Exonar solution is built on search technology (the appliance version might be described as “Google in a box”), supported by NoSQL, and is able to handle billions of documents. The solution makes use of machine learning (ML) for context identification; it is delivered to clients pre-trained, but it is further trainable; and it takes into account the document metadata, as well as the content.

Exonar’s solution uses natural language processing for contextual awareness; in other words, it not only looks for specific terms but also the language and structure around them. The language and structure tend to be fairly consistent in many document types (NDAs, CVs, purchase orders, etc.). The solution then creates rules around the location of the file and can make files available only to specific groups, such as HR and finance. It may be described as working on a principle of master data aggregation rather than management.

When it comes to deployment, Exonar’s solution is available on premises as an appliance and hosted in the cloud; it can even be consumed as a managed service. A portable version is also available, although, to date, the on-premises version and the MSP offering provide the most robust functionality. And, as the vendor looks to broaden its reach, it is now opening up its APIs to allow other systems to communicate with it. One of the API integrations that may bring significant benefit is the integration of Exonar with existing document management and email solutions, which could help remediate some of the traditional data protection risks.

Who Needs It?

Exonar reports that its customers come from across the market spectrum — finance, local government, travel and transport, law, and telecommunications. Although the largest portion of Exonar’s customer base is in the U.K., the vendor is fielding more and more inbound enquiries from abroad and is in negotiations with partners in the U.S. and in the Nordics to help manage its expansion. Regarding the drivers of adoption, becoming GDPR compliant is, perhaps unsurprisingly, the number-one reason (by a considerable margin) that organizations are seeking out Exonar. However, as important as cybersecurity is, it comes a distant second to making sure companies do not fall foul of privacy regulators. Exonar has published a white paper on data management and getting to grips with GDPR, which is available here.

What Next?

Exonar’s solution addresses many of the challenges around data management — such as discovering hidden data and dealing with data at the speed it is created — and has emerged at a time when the need has never been greater, with GDPR coming into force in less than a year. The volume of inbound enquiries Exonar is receiving from beyond its core market is testament to the current market need for such a solution and points to rapid expansion over the coming months. Beyond compliance, the solution clearly has tremendous potential from a business enablement and efficiency perspective — drivers that should fuel even further expansion.

©2017 IDC #lcCEMA42801817

IDC Research Paper on Exonar’s Capabilities for GDPR compliance

Find your data. Deal with its legitimacy. And put the controls and monitoring in place.

IDC – Exonar Probes Depths Where No GDPR Solution Has Gone Before

Analyst IDC Publishes Insight into Exonar’s Capability to Help Organisations Comply with GDPR

Exonar Probes Depths Where No GDPR Solution Has Gone Before June 19, 2017
By: Mark Child, Alex Proskura, Dominic Trott

 

IDC’s Quick Take

At InfoSec 2017 in London, Exonar briefed IDC on its innovative solution to the challenges of content discovery, classification, and management. Its proposition is built on open source technologies and utilizes advanced methodologies to overcome many of the hurdles faced by traditional DLP and eDiscovery solutions. Exonar’s solution enables companies to get to grips not just with GDPR, but with a much broader set of challenges.

Event Highlights

Exonar’s demo focused on its data discovery, management, and compliance solutions, highlighting high-level dashboard views, as well as tools and capabilities for users to drill down and analyze any component of a company’s data assets. The vendor emphasized the importance of developing processes and mechanisms that ensure compliance is achieved by design and business risk is reduced in the long term.


UK GDPR Preparedness Survey 2017

Most UK businesses on target for GDPR compliance but funds, lack of resource and Brexit are holding the rest back 

  • 77% on course for compliance by May 2018
  • 84% believe that the GDPR will make their business data more secure
  • Time and money issues cited by many as key challenges of compliance
  • 6% wrongly believe that Brexit will overrule the GDPR.

LONDON, August 3rd, 2017 – Exonar, a leading provider of General Data Protection Regulation (GDPR) data mapping and data inventory solutions, has announced the results of its UK GDPR Preparedness Survey which found that 77% of respondents say they are on course to be GDPR compliant by May 2018.

The results of the survey were largely positive, with 61% of IT and Data Protection professionals stating they are on course for GDPR compliance (26% have a plan and started preparations, 6% already compliant, 23% ready for May 2018). A further 16% added that they have a plan but have not started to implement it yet.

The survey also found that data security may be the hidden gem behind the GDPR, with a combined 84% stating that they expect their business data will become more secure due to an audit to identify personal data (52%) or as a result of data storage and handling improvements (32%).

However, the results demonstrated that substantial roadblocks will need to be overcome in a short space of time for a large number of businesses. 15% reported that they don’t have the funds to get their GDPR plans off the ground, while 20% say they don’t have time to focus on it. A further 18% admitted that they don’t know where their data is.

Startlingly, 6% are waiting for Brexit in the hope it will mean that GDPR won’t apply to them. Under the terms of the GDPR, UK businesses will still have to comply if the data they handle concerns EU citizens, or has the potential to identify individuals within the EU.

The results also suggest there is some confusion over who will take responsibility for GDPR compliance within a business, as only 29% of respondents had a dedicated Data Protection Officer (DPO).

Most respondents believed that IT holds the data protection role (42%). This is despite the terms of the GDPR, which state that all organisations with more than 250 employees must employ a DPO. This person will be responsible for ensuring that a business collects and secures personal data responsibly.

Exonar’s CEO Adrian Barrett commented: “Although the overall results were positive, significant challenges still remain in the form of time, money and understanding over the reach and implications of the new regulation. It’s clear some companies are shackled and their plans aren’t progressing or even formulated. This situation is often worsened by a lack of project leadership and failure to identify responsibility.

“Businesses must ensure they fully understand the new regulations and, crucially, understand how, where and why their data is currently being processed. For most, a period of data discovery needs to be undertaken before they can put a plan into action and it needs to be done quickly as time is running out. To that end, new technology such as Big Data and Machine Learning will prove invaluable in speeding up the first steps to secure data handling.”

To download the full report, click here.

About Exonar

Exonar solves a problem common to all organisations and their senior information owners, “I just don’t know what data I’ve got”. The Exonar solution discovers and interprets an organisation’s data, identifying issues, reducing risk and making it more productive and secure. Exonar has received £3.3m in investment to date from a mixture of experienced business Angels, Winton Ventures and Amadeus Capital Partners. Visit us at www.exonar.com or follow us @Exonar.

UK GDPR Preparedness Survey

Exonar’s UK GDPR Preparedness Survey – Key Trends and Challenges

With less than a year until the implementation of the General Data Protection Regulation (GDPR) in May 2018, Exonar surveyed the data protection and wider IT community to gain an understanding of how prepared UK businesses are for the new regulation and what challenges are standing in their way.

Exonar’s goal was to understand the challenges that businesses are facing in the journey to become GDPR compliant. The research has highlighted numerous challenges to becoming compliant. GDPR is the best excuse a company has to identify opportunities to improve the data protection processes that they may already have in place. Approached in the right way it can even provide a competitive edge through forming a better understanding of a customer to tune products and services.

See the full survey results here.