GDPR & Spreadsheet Risk
The General Data Protection Regulation
Spreadsheets pose a significant challenge for organizations under the General Data Protection Regulation (GDPR), both in the way they are deployed and in the way the application works. Despite significant investment in corporate IT systems, spreadsheets continue to underpin many critical business processes. While very powerful and flexible, they typically lack the controls, visibility and auditability that corporate systems provide, exposing organizations to spreadsheet risk under GDPR.
Personally Identifiable Information (PII), such as names, email addresses and phone numbers, is often embedded in spreadsheets, but because spreadsheets lack data indexing, it is difficult to identify. Again, this lack of visibility and control can expose organizations to reputational, commercial or regulatory damage, as well as fines up to 4% of their annual turnover.
A Four-Step Process For Sustainable GDPR Compliance:
1. Finding the files
Finding a GDPR-relevant file can be difficult. Powerful search tools are essential to analyze files for PII-relevant terms. Spreadsheets can be especially challenging to search, because the PII they contain is difficult to scan for.
2. Analyzing the files for risk
Next, produce reports based on the organization’s GDPR profile and assess the spreadsheets that potentially contain PII-relevant data against them. Use tools to categorize the files as high, medium or low risk.
3. Creating an inventory framework
Placing the key GDPR files in an inventory framework allows businesses to proactively monitor their most sensitive, highest risk files, as well as providing a framework for attestation for PII data files.
4. Monitoring for changes
Organizations must ensure that they are able to proactively monitor the GDPR-relevant data for version control, changes and approvals, and new data, as well as monitoring the attestation process.
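The four steps above can be sketched in a few functions. This is an added example, not code from the original page or from any product it describes; the patterns, header terms, risk thresholds and file names are assumptions, and sheets are taken as CSV exports.

```python
import csv, hashlib, io, re

# Heuristic patterns and terms: assumptions for this sketch, not a complete PII profile.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{7,}\d(?!\d)")
HEADER_TERMS = {"name", "email", "phone", "address"}

def count_phones(cell):
    # Require 9+ digits so ISO dates such as 2023-01-15 are not counted.
    return sum(1 for m in PHONE.finditer(cell)
               if sum(ch.isdigit() for ch in m.group()) >= 9)

def scan_sheet(csv_text):
    """Step 1: count PII-like headers and cell values in one sheet (CSV export)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    hits = {"header": 0, "email": 0, "phone": 0}
    for cell in (rows[0] if rows else []):
        if set(re.findall(r"[a-z]+", cell.lower())) & HEADER_TERMS:
            hits["header"] += 1
    for row in rows[1:]:
        for cell in row:
            hits["email"] += len(EMAIL.findall(cell))
            hits["phone"] += count_phones(cell)
    return hits

def classify(hits):
    """Step 2: map hits to a risk band (thresholds are assumed; tune per profile)."""
    values = hits["email"] + hits["phone"]
    if values >= 3 or (values and hits["header"]):
        return "high"
    return "medium" if values or hits["header"] else "low"

def build_inventory(sheets):
    """Step 3: record the risk band and a content hash for every file."""
    return {name: {"risk": classify(scan_sheet(text)),
                   "sha256": hashlib.sha256(text.encode()).hexdigest()}
            for name, text in sheets.items()}

def changed_files(inventory, sheets):
    """Step 4: files that are new or whose content no longer matches the inventory."""
    current = build_inventory(sheets)
    return sorted(n for n, rec in current.items()
                  if n not in inventory or inventory[n]["sha256"] != rec["sha256"])

# Constructed sample data (fictional people, reserved example domains).
SHEETS = {
    "customers.csv": "Full Name,Email,Phone\nAda Example,ada@example.com,+44 20 7946 0000\n"
                     "Bob Example,bob@example.org,(555) 010-0199\n",
    "budget.csv": "Quarter,Date,Amount\nQ1,2023-01-15,1200\nQ2,2023-04-15,1350\n",
    "notes.csv": "Ticket,Comment\n17,contact carol@example.net for access\n",
}
INVENTORY = build_inventory(SHEETS)
```

Pattern matching of this kind produces false positives (long numeric identifiers can look like phone numbers) and misses free-text names, so the risk band is a triage signal for review rather than a final classification.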
What Causes Spreadsheet Risk?
Spreadsheet risk is more likely to occur if there is a lack of:
- Understanding of what spreadsheets are used across the business.
- Appreciation of the business impact of spreadsheet errors.
- Clear ownership of spreadsheets across the business.
- Process around how changes are made to spreadsheets.
- Defined risks to the business due to spreadsheet complexity.