EXPERT SPEAK
Two sides of
unstructured data
Risk and value are two sides of unstructured data, especially
important in GDPR, explains Nigel Tozer at Commvault.
I
n life, we generally think we know
the value and corresponding risks
associated with things we own and
take reasonable precaution to protect
them. Unfortunately, we do not always
get things right, which is much truer of
data than it is with our possessions. It
is entirely possible to let your kids play
with something that looks like a piece of
junk, or leave it in a poorly secured-out
building, when in reality it is actually a
valuable antique.
This might not be a commo n
occurrence in our lives, but with data
you can be sure of a cast-iron guarantee
that this is the case, and often at an
unimaginable scale.
I have seen many instances where
companies have no clue where sensitive
data is held, and are aware they do not
know, yet take no action. I have also
regularly seen the complete opposite,
where a business is fully aware of how
important a data set is, but it is not secured
as it should be because it is always been
done that way, or because an individual
expects to work in a certain way.
Unstructured data – files, media and
documents – typically account for 70–80%
of an organisation’s data, and just as I
mentioned above, you do not always know
its value. Or as we are looking at it here,
the corresponding risk.
The problems are numerous including:
the sheer volume of unstructured data,
ease of copying and moving it, the myriad
locations in which it can be placed, the
large number of applications that interact
Nigel Tozer, Solutions Marketing Director for
EMEA, Commvault.
with it, poor controls due to the historical
acceptance of not managing it in a better
way, and lack of a mandate for IT to better
manage it.
All of these points combined add up to
big risks and possibly even bigger costs.
Under GDPR, retaining data forever is off
the table, and so is a failure to understand
uses and locations of unstructured data
that contains personal information –
which, let us face it, could be any of it.
This is why it is important to look inside
all of your unstructured data, even on
laptops and in the cloud. So that once it
is profiled it can be secured, retained for
use, or disposed of appropriately. With
ever-increasing data volumes, policy
is necessary, education is great, but
automation is critical.
Having risk-based dashboards and
implementing automated policies based on
content means that if you are breached in
systems deemed to be low risk, the actual
risk of important data being compromised
is minimised. If it is a more secure location
that is affected, having sensitive data heat
maps – plus a content index and search
tools at hand – means you can then meet
the seemingly impossible 72-hour breach
notification period of GDPR.
This is where solution platforms can
really help, and it is one of the areas
of GDPR and many other global data-
breach laws that is almost impossible to
protect against manually or by applying
new working practices alone. One-off
assessments are not suitable either. You
really need on-demand dashboards, risk-
based alerts and the ability to automate
processes to be effective.
When I mentioned the antique, I talked
about value. But data breaches are really
about risk. I did that on purpose.
The point I am making is that risk
and value are two sides of the same coin.
If you understand your risk profile, you
might just also be in better shape to
effectively use or dispose of that data that
has been sucking your resources for all
these years.
53