Data Subject Access Solutions

Process SARs in minutes, not days

The Exonar platform provides automated, intuitive and rapid processing of subject access requests (SARs), substantially reducing costs and decreasing disruption to your organisation.

After 25th May 2018, when the EU’s General Data Protection Regulation (GDPR) came into force, organisations can no longer charge for producing SARs. This means you should prepare for a significant increase in the number of requests your organisation handles. In our recent survey 57% of individuals said they would want to request their data as there is now no cost.

SARs can be over 800 Pages Long. Where do we start?

Subject access requests can cross many business units, departments, systems, processes and people. Often the only way to deal with them has been to email line management and request printed copies of the information requested, coralling that information then sending it to the customer via courier.

There’s an easier way. Use Technology

Connect to all of the sources of your customer data; emails, databases, word documents and spreadsheets, in your fileshares or in the cloud. Build an index of all of that information so that you can search it, instantly. Use machine learning to help guide you to all of the right and less of the wrong information. Manage your SARs online and track them as they progress.

Doctor! Doctor! I have a SAR – How Long is the Waiting List?

A First-Hand Account of the Problematic Role of SARs Processing
It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines?
Read More

The Exonar platform continuously indexes all of your organisation’s data, meaning producing a subject access request is simple, quick and efficient:

Process, redact and produce SARs directly from the Exonar platform, without needing to scan or photocopy information
SAR dashboard shows you where you are with cases, and who you’re waiting on
Create simple templates to enable untrained users to find information relating to an individual
Review documents without needing to access the originals
Use machine learning to identify and redact personal and commercial information

CIO Solutions

Harness your data – unlock your assets

Gartner’s 2018 CIO Survey (above) plainly reveals that the job of the CIO is changing. As digitalisation
and innovation put more emphasis on the information rather than the technology in “IT,” the CIO’s role is transforming from delivery executive to business executive. They must now control costs and re- engineer processes to drive revenue and exploit data.

So, how does a CIO transform their organisation to help drive revenue and the exploitation of data whilst controlling costs and facilitating these business objectives?

According to The Economist ‘the world’s most valuable resource is no longer oil, but data’. Therefore, the Chief Information Officer should be an organisation’s most valuable asset. However, many are struggling to operate at their full potential. Time and again, strategies are defined and goals are set but the fundamental data question remains –

“I don’t even understand what data I’ve got. Where do I start so I can begin using it?”

By answering this seemingly simple yet complex question, CIO’s are able to advance the objectives of their business, transforming the model whilst supporting the digital agenda.

Often seen as a risk, we want to demonstrate that rather than being something to be concerned about, data can be controlled and turned into an asset.

The Issues With Today’s Solutions

If ‘data is the new oil’, then the ability to use the information we hold about our customers and businesses appropriately and in context is the key to digital transformation and organisational success. In this new world, the ability to remove friction from the customer journey whilst efficiently ensuring the safety and security of the data becomes paramount.

If we assume that to harness and control data we first need to know what we have, we can see that there are a number of approaches currently being deployed to establish a foundation:

  • Clipboard exercises interviewing line management to ascertain where the organisation thinks its data should be and what the data flows should look like. Time intensive, often requiring external consultants and delivering an espoused view as opposed to reality often facets this approach.
  • Tackling structured data with a barrage of queries often yields results but precludes all of the unstructured data both within those structured sources (like CRM systems) and the ‘Wild West’ of shared drives, email platforms, cloud storage systems and ‘servers under a desk in Stoke’.
  • eDiscovery systems can be deployed to try and forensically assess what data is out there. Expensive, restricted and with an inability to respond quickly, these systems only get a partial job done. Our system reduces the size of your data lake, minimising Data Analyst’s effort to complete the task.
  • Data Governance Solutions are utilised to try and control users and their access to, and use of, information. Largely focusing around directories and fileshares but with rules and some AI, these tools do their job but on a limited set of data up to a capped scale with some, but often restricted, insight into what’s going on with the information estate.
  • Data Loss Prevention (DLP) platforms are acquired to get control on the data and how it flows. Expensive, lengthy and with inflexible rule matrices that can often take 2 years to develop and can become obsolete in an instant means that this ‘hard code’ approach to try and tag and bag data to get it under control and understood often falls short of the overall goals.
  • Data Management platforms like Hortonworks provide powerful tools to leverage data and understand it. However, they are often mired in lengthy development cycles and require hard-to- recruit and retain developers and technologists.
  • ‘Traditional’ storage systems such as a SAN allow organisations to easily add data capacity but not to automatically manage or control information based on content and therefore relevance.

Click here to download the PDF version of this guide.

The Smart Alternative

The diagram below provides an architectural overview of the Exonar Information IntelligenceTM platform and how this platform has been harnessed to create a new concept in data management – Search Optimised Smart Storage (SOSS).

Exonar Search Optimised Smart Storage

The verb SOSS means ‘to move gently’. The movement of data, or data control, within an organisation is crucial not only for controlling Total Cost of Ownership (TCO) but also for utilising information as an asset and managing information as a risk.

Search Optimised Smart Storage (SOSS) from Exonar allows intelligent data control policies to be defined through the powerful and flexible search capabilities inherent in the Exonar Platform. SOSS provides the capability to automatically move data to the right location with the right performance and protection based on the data’s content, metadata and importantly, its value and risk. Crucially, SOSS moves data gently enough that it always remains searchable, discoverable and accessible to the right set of people and applications.

SOSS Platform Capabilities

  • Optimising TCO and performance for frequently accessed data through smart storage tiering.
  • Placing verbose or repeated data into Deduplicated and Compressed storage locations.
  • Moving important data to storage locations with DR policies that define data appropriate Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
  • Reducing TCO for orphaned, stale and rarely accessed data by moving from ‘hot’ to ‘warm’ or ‘cold’ storage (e.g. cloud storage).
  • Protect sensitive data by moving it to an encrypted and access restricted storage location.
  • Retention and records management via search based retention policies that control not only where data is kept but how long it is kept for.
  • Enable rapid data production for regulatory production (such as GDPR Subject Access Requests)

But How?

The Exonar platform is uniquely positioned to combine massive scalability, speed and data ingestion from almost any source. It has the ability to interrogate and analyse content rich data in bulk or at the level of an individual item, in near-real time. This is delivered on a clustered and resilient software and hardware platform that can economically scale to a range of customer data requirements and sizes; from around 100,000 up to billions of items. Exonar’s platform provides: integration, coordination and deployment of scalable big-data technology on commodity hardware, the use of Machine Learning and natural language processing techniques to understand and classify information, and the use of indexing and a user-experience layer to provide insight for our clients, with security always top of mind.

The vast amounts of data and variety of usage patterns pose a number of challenges:

Data presentation – users are provided the high level insight they need as well as an ability to zoom in and work with individual documents.
Finding the needle in a haystack – users can easily locate that one document they care most about amongst 10s or 100s of millions of documents in their organisation. This requires a powerful search interface, flexible schema and fast response times. An intelligent platform backed by Machine Learning makes it possible to automate processes which otherwise would require a huge amount of manual processing.
Scalability – the high volume and variety of data and fast rate of growth put Exonar firmly in the Big Data category. As our customers’ data volumes increase, the platform is designed to scale up with the volume.
Evolving requirements – we are able to quickly react to the needs of our customers and pivot when necessary. Using open source components at the core of our platform enables us to take features to market quickly, focus on solving the most pertinent problems and provides clients with the assurance of long term utility should Exonar no longer exist.

Exonar has an open framework that can connect to all of the most frequently used business information systems. Implementation is rapid and the platform delivers results from day one of installation. We employ a layered architecture which takes data from external systems and applies a series of processes to understand and index it, making it available for interrogation by users and other systems. For organisations with more complex environments, custom connectors are created to integrate legacy systems data into this new environment. The platform doesn’t need an analyst to operate it and is accessible by a regular business with a half day of training.
Exonar is provided as a scalable appliance. It is licensed on an annual basis against the amount of data indexed, with sliding scale discounts applying to larger data volumes, and includes all hardware and software support and maintenance as well as product updates.

Leveraging The Exonar Platform

Clients are deploying the Exonar platform to solve a range of business imperatives, such as:

Data Privacy

  • Achieve and maintain compliance with Data Privacy regulation like GDPR, CCPA and POPI
  • Process access requests for personal data in minutes, not days
  • Create a Data Inventory of ALL your data.

Partner Data Indexing

  • Reduce costs in limiting time finding your partner data
  • Index data remotely, improving operational efficiency.

Cloud Bloat

  • Detect cloud data classified as ‘digital litter’ – duplicated, outdated and trivial
  • Organise information to speed up usability, efficiency and governance.

Records Management

  • Assemble practical intelligence on data and file location and sensitivity
  • Drill into specific files of the same subject, regardless of location and format.

Information Security

  • Discover and understand your sensitive information, what it is, where it is and who has access to it to ensure it can be properly and appropriately protected.

Data Lake Filtering

  • Our eDiscovery tool reduces your data lake, minimising human effort.

The Exonar Advantage

Intuitive User Interface

  • You don’t need to be a data scientist or an analyst. Simply connect Exonar to your network and our easy-to-use dashboards enable you to pull charts up and drill to any level of detail.

Intelligent Classification

  • Intelligent Classification automates the process of identifying patterns in documents and categorising them for protection, accessibility or deletion. Categories are defined by anything a user can search for, such as document markings, location, authorship, accessibility or contents.

Massive Scalability

  • Exonar’s ability to search billions of enterprise documents and return not just one but all of the most relevant results swiftly is enormously powerful. Our product can be scaled horizontally and can be installed either on-premise or in the cloud.

Boundless Connectivity

  • Exonar has an open connector framework allowing it to connect to almost any data source.

Near real time performance

  • Exonar’s platform delivers near real time responses to queries so it can be utilised both for single instance and ongoing monitoring of information assets. In addition, users can interrogate information from day one with a single ‘crawler’ ingesting around a million items a day.

Customer Obsessed Culture

  • Exonar’s agile culture sees our development process evolve through iteration, continuous feedback and evolution. We are highly focused and work collaboratively with our customer base to deliver a solution that can enable your digital transformation.

Exonar Background And Experience

The Exonar platform was originally developed for the needs of clients in the Defence sector. The system enabled them to understand their Intellectual Property, assess the ramifications of its loss including the business impact, and to help design improved processes for future protection.

We are an innovative technology company, based in the UK. This year we were selected by one of the UK’s largest retail banks over IBM to meet their initial requirements for ‘life after GDPR day’ and their platform for information management. We were selected by them not just for the unique capability of our technology but to deliver their information insight swiftly, simply and at scale because of our innovative approach and our ability to react to changing customer requirements. As a company, we pride ourselves on being utterly professional whilst maintaining our belief that people don’t want to deal with ‘the Corporate Entity’, they want to deal with real people who they can work with to solve their business problems.

We partner with the ‘big four’ consulting firms and specialist ‘boutique’ partners to deliver projects and ongoing programmes. Our investors include Amadeus Capital Partners and Winton Ventures, two of Europe’s most respected Venture Capital firms.

Where Do I Start?

The answer is to simply start. The task does not have to be approached as a big bang and no elephants need eating. Exonar can help you plan your approach and the benefits are almost immediate – the index that is created is searchable from day one. Every organisation is different with a balance bias between structured and unstructured data, different employee behaviours and different blends of knowledge and process workers but all yield benefit. The business benefits of action are clear, the rewards tangible and attainable. For the first time, discovering your information advantage is simply and easily achievable.

The first step in the process is to get in touch with Marcus Hill who will organise a walk-through of the platform for you and your team. Marcus can be contacted via 07793 857122 or

In return, you could have peace of mind with regards to your GDPR Compliance, PII, Cloud Migration, Information Security and many other of your data challenges.

Click here to download the PDF version of this guide.





Information Security Solutions

Cloud Migration Solutions

Cloud migration without the risks

Migrating everyday business information to one of the many cloud services such as Box, Dropbox or Office365 makes sense for almost every organisation.

Everyone’s migrating

Even traditionally risk adverse industries such as Finance, Government and Defence are adopting this model as they see the benefits of collaborative working whilst reducing the need to manage infrastructure. However, the question as to what can and should be moved must be addressed during migration projects.

Cloud migration can provide cost savings and productivity improvements.

Migrations equal regulations

Information is increasingly the subject of regulation. From EU GDPR dictating the nations deemed fit to hold EU Citizen data, to UK Government regulating how protectively marked information must be treated, or a hundred other industry specific regulations on how and where information can be stored, a poorly planned cloud migration project will expose your organisation to substantial additional regulatory and financial risk.

Cloud migration without the risks

Understanding what information you have, where it is, how old it is and who has access to it enables you to make sense of your unstructured information and prioritise what information should be de-duplicated, what should be archived, what should be deleted and what should be carried forward to your new cloud infrastructure. The Exonar platform enables you to cleanse information of unwanted and risky information, leaving your staff with just the valued information, properly protected, easily located and accessible within your chosen cloud service.

Download Cloud Governance brochure

CCPA Solutions

Generation privacy has begun

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and enforced new accountability for organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there are now a similar set of rules governing most organisations holding data on US Citizens.

Exonar simplifies compliance with the California Consumer Privacy Act (CCPA) by getting right to the heart of the matter: Finding, Mapping and Managing your data.

How Exonar can help with CCPA

Data Mapping and Inventory

Data Subject Access Requests

Data Portability

Enforcing Compliance

Right To Be Forgotten

Meet the Personal Data Privacy dashboard

Exonar’s Privacy dashboard provides a top-down view of your organisation’s information in relation to the EU GDPR and California Consumer Privacy Act (CCPA).

It shows a comprehensive picture of all the data held which is relevant to these laws, where it is held and its characteristics.

This view will take your organisation beyond spreadsheets and interviews, and into the realm of making well-informed decisions, rapidly.

Where Do I Start

Preparing for CCPA will share many characteristics with those undertaken for GDPR:

Assemble the team: Include Executive Sponsors and stakeholders from Legal, Compliance or your data privacy team, people with oversight of you corporation’s technology and it’s security and representatives from the key personal data owners in your business (e.g. HR, Sales, Marketing, Customer Service).

Get started with a data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical, start with those that are easy to create an inventory form.

Don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk (your head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets). You will need technology to do this effectively (and we can help!)

Establish a culture of security and privacy and ingrain this into your day-to-day operations. Communicate a simplified overview of CCPA to the key stakeholders.

Create and practise your business processes that will be required to satisfy the rights of the individual (Access to data, erasure, breach notification).

CCPA versus GDPR

There are many similarities and some key differences between GDPR and CCPA. Here is Exonar’s take:

Basis for consent

GDPR – Opt in

CCPA – Opt out

Who it applies to

GDPR – Any organisation holding personal data on EU citizens

CCPA – For-profit entities that process personal data of California residents and either:

Do $24 million in annual revenue

Hold the personal data of 50,000 people, households, or devices

Do at least half of their revenue in the sale of personal data.

Rights for individuals

GDPR – Access to data being held, right to erasure, correction, object to automated processing. Right to notification if there is a data breach.

CCPA – Right to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold. Right of access to data being held. Right to know how personal data is being used. Right to know who data has been provided to.

When does it come into force

GDPR – May 25, 2018

CCPA – Jan 1, 2020

Financial Penalties

GDPR – 4% of turnover or €20m (whichever is greater)

CCPA – $7,500 per violation. $750 or actual damages for each individual, whichever is greater

Time allowed to respond to a request

1 month

45 days

NB, California resident is defined as, “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.

The CCPA – The Definitive, Easily Searchable Text

Follow the link below to read the full California Consumer Privacy Act text, with each section clearly marked and searchable.

The legislature passing of the California Consumer Privacy Act 2018 (AB 375) happened on June 29th 2018, and these new rules will now govern most organisations holding data on US Citizens.

Read More

Event Update – Join us for our Exonar meet-up in London

We’re delighted to be partnering with Brown Rudnick who will host a meet-up at their London offices on Tuesday, June 18th.

One year on from the start of the new GDPR regime, Exonar and Brown Rudnick invite you to join us to discuss the trends, issues and lessons learnt from the last 12 months. The session will be followed by a drinks and canpé reception for networking.

Topics will include:

  • Weaponising SARS – litigation friend or foe?
  • GDPR class actions – just around the corner?
  • What data can be excluded from a SAR response?
  • The €50m Google fine

Our panel will feature:

  • Mark Lubbock – Partner (Intellectual Property and Technology), Brown Rudnick
  • Adrian Barrett – CEO & Founder, Exonar
  • Gilbert Hill – CEO, Tap My Data
  • Ben Falk – Founder, Yo-Da
  • Anya Proops, QC – Barrister, 11 Kings Bench Walk
  • (Chair) James Cole – Partner (Corporate), Brown Rudnick

Date: Tuesday 18 June 2019

Venue: Brown Rudnick LLP, 8 Clifford Street, London W1S 2LQ

Time: 18.00 – 21.00

To book your space, please visit:
We hope you can join us!


Free Webinar – The Perfect Privacy Programme. Register Now!

GDPR One Year On: What Does a Perfect Privacy Programme Look Like?

Free Web Conference – Brought to you by Exonar

Broadcast date: 2:00pm, April 24, 2019

One year on from the introduction of the EU General Data Protection Regulation (GDPR), join Exonar and experts from the field in discussing ‘What does a perfect privacy programme look like?’

In this web conference we will hear from our panel of experts as they discuss:

  • What are the necessary components of an enterprise-level privacy programme?
  • How do we optimally assign roles and responsibilities within a privacy programme?
  • How can we most effectively create and manage accurate personal data inventory? (Article 30 – Records of Processing Activities)
  • How do we best monitor for GDPR compliance using both manual and technical controls?
  • What is the best way to deliver privacy training to our employees?
  • What are the most effective tools available to satisfy individual rights? I.e. Subject Access Requests (SARs), Right to be Forgotten, data deletion and retention.

In addition to discussion from the field, our panel will also discuss Exonar’s recent findings based on surveys of 100+ organisations and consumers into:

“What’s Next with Personal Data Inventory?” – Exonar have profiled 100+ organisations’ attempts to create personal data inventory. One year on we ask what monitoring and compliance actions they are now planning to take as a result.

“Consumer Attitudes to Subject Access Requests (SARs): A SARvey” – Exonar have surveyed 100+ consumers to assess their sentiment towards data privacy and the ability to exercise their privacy rights.

There will be a live Q&A session in the final 15 minutes of the webinar so, to avoid missing your chance to contribute, register on the form below:

John Tsopanis, Data and Privacy Director, Exonar

Ralph O’Brien CIPM, Vice Chair UK Data Protection Forum, Principal Reinbo Consulting
Sophie Payne, Customer Success Lead and Data Scientist, Exonar
Ben Falk, CEO of Yo-Da, Your Data


Book your place now:

Free IAPP Web Conference – Registration Now Open

Thriving in Generation Privacy: Capitalising on DSAR Data from the Field

Free IAPP Web Conference – Brought to you by Exonar

Broadcast date: Thursday, February 7, 2019
Time: 8:00–9:00 a.m. PT, 11:00 a.m.–noon ET, 4:00 – 5:00 p.m. GMT

With the introduction of the EU General Data Protection Regulation, the California Consumer Privacy Act and other global privacy laws, people have increased expectations of how their personal data will be handled and protected. This is driving up the number of inquiries for data subject access requests and requests to exercise the right to be forgotten. Exonar recently surveyed a number of organizations to understand how they have been coping with these new and increased privacy control operations, and the results were remarkable.

Join us for this upcoming web conference to hear from the field about these survey results and more, including:

  • The cost of handling data subject access requests. (U.K. public sector organizations example).
  • What the results of a SAR request to a U.K.-based, High Street Bank resulted in.
  • How the world’s leading tech companies dealt with recent requests for personal data.
  • How organizations are profiting from their privacy programs.
  • The toxic data you’re storing and what to do about it.
  • How companies have prepared for Generation Privacy and what you can do now.

Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP

Adrian Barrett, CEO, Exonar
Phil Lee, CIPP/E, CIPM, Partner, Privacy, Security and Data Protection Practice, FieldFisher, London, U.K.
Steve Wright, GDPR Advisor at Bank of England, CEO, Data Privacy Architect, Privacy Culture, London, U.K.

Book your place now:

Sky News interview – UK to raise the bar on cyber security

The UK is set to become a world leader in the race against some of the most damaging cyber security threats.

Our CEO, Adrian Barrett spoke live on Sky News on Monday, 28th January about the announcement, on the current state of cyber security and how this investment will impact the industry. Watch the full interview here:


This morning, the Government announced their £70 million investment through the Industrial Strategy Challenge Fund to online services and digitally enabled products by investing in the development of UK hardware solutions to complement software solutions. This means that many UK firms who produce hardware could be offered a financial leg-up to strengthen their cybersecurity, empowering the UK to set the benchmark on the protection of consumer data. Initial reports indicate that this new investment to build on UK strengths in cyber security and increase share of a global market is predicted to grow to £39 billion in a decade.

The investment will help fund research into the development and design of hardware, to make them more resilient to outside threats from the outset. This aims to ‘design out’ many forms of cyber threats by ‘designing in’ security and protection technology/solutions into hardware and chip designs.

More than 40% of UK businesses have suffered a cyber security breach or attack in the last 12 months. Consumers are often the worst affected by mass information leaks than the organisation that held their data. Businesses are having to spend increasing amounts on cyber security, up to 20-40% of their IT spend in some cases. As more and more systems are connected, whether in the home or businesses, there is a need for security that is dependable by design.

Looking to the future, the government aims for R&D investment to reach 2.4% of GDP by 2027– the biggest increase in public investment in R&D in UK history.

Read the full announcement here from the Government website:

The Data Protection Officer’s (DPO’s) Toolkit – The 6 Essentials

The Data Protection Officer’s (DPO’s) Toolkit

2018 saw the General Data Protection Regulations (GDPR) in Europe, California Consumer Privacy Act (CCPA) in America, and the Personal Data Protection Bill (PDPB) in India introduce privacy protections to nearly 2 billion citizens.

With enforcement set to take centre stage in 2019, what essentials do data leaders need to keep themselves out of the crossfires of regulators?

6 Essentials of the DPO’s Toolkit

1. Data inventory
2. Data monitoring
3. Data rights fulfilment
4. Data champions
5. Data training
6. Data security

1. Data inventory

The first step to taking control of your data is being able to answer ‘what data do I have?’ ‘why do I have it?’ ‘who can process it?’ ‘where is it stored?’ ‘how and when do I delete it?’

Creating an inventory of all of your data processes is the first step for any DPO needing to comply with global privacy legislations (and mandatory under the GDPR Article 30 Records of Processing Activity).

Discover and document your organisations’ data practices; this will give you the best possible platform to comply with global privacy regulations and get the most value from your data.

2. Data monitoring

So you’ve documented your data practices, but is that really how data is being processed on your network – Is your data inventory reflective of your true data practices?

The answer is usually no. Luckily, the days of manual data audits and ‘privacy compliance platforms’ with no data monitoring capabilities are over and cutting edge data discovery and compliance technologies like Exonar are now available.

By monitoring your data estate you can make sure your marketing leads stay in your marketing department, your payroll files stay within your payroll department, and your Top Secret Project X documents remain exactly where you want them to be.

3. Data Rights Fulfilment

2019 is the year citizens take back control of their data.

Personal information belongs to the individual it relates to and organisations are required to provide full access to that data upon request under the GDPR in Europe (within 30 days) and CCPA in
America (within 45 days). In Europe 48% of Generation X and Y have exercised their right to access with over a third of all European citizens having done so since May 2018.

As a data leader, you must have a permanent and robust process in place for being able to respond to subject access requests (SARs), detailing the personal information you are processing and what you are using it for.

Subject Access Requests (SARs) can take days to fulfil if you are relying on manual data discovery so employing a data discovery tool to help you can reduce your SAR response time from days to minutes.

4. Data Champions

Data is big and it’s only getting bigger. A DPO is (for now) only human and keeping your data estate in compliance is only possible with a little help from some friends.

Once you’ve got your data inventory you should have a good understanding of your business units that have data processes that fit into natural silos e.g. Sales, HR, Legal, Payroll, Customer Services, Operations A, Operations B.

Assign a data champion for each business process, ensure they understand what the data inventory says about expected data practices, and empower your data champions with the resources needed to keep your data estate in compliance.

Data champions within their business units will often understand the nuances of data processing in more detail than a DPO so delegation of responsibility is key.

5. Data Training

Data protection is a collective action problem. If you have thousands of employees it only takes a small number of bad practices to throw your compliance programme into disarray.

If you have a strong handle on your data inventory, are monitoring your data repositories, and have data champions willing to help you, delivering an organisation wide training programme to communicate expected data practices is the way to embed a culture of privacy into your organisation and reduce your exposure to insider breaches.

As with most leadership, communication is key!

6. Data security

So you understand your information estate and your employees are doing their utmost to process data appropriately; now it’s time to lock down your high risk systems.

Your data inventory and data champions should be able to give you a clear view of the IT systems (and locked filing cabinets) that store and process your most valuable data.

Identify your high, medium and low risk IT systems/applications/shared drives/data repositories/locked filing cabinets, communicate those risks to your information security team, and seek assurance that cyber security controls are in place that are proportionate to the sensitivity of the data processes.


Embracing the crossover between data privacy and cyber security will best allow you to demonstrate that you have adopted data protection practices that are proportionate and appropriate for your organisation.

With these 6 tools you will be in an excellent position to navigate the data privacy landscape in 2019 and beyond.