File shares have become corporate dumping grounds, so much so that only 15% of all files shared within an organization contain business value. The remaining 85% of file share data is either dark or ROT (redundant, obsolete, or trivial). This dark file share data is largely unmanaged for regulatory compliance.
Why Govern File Share PII
With regulations such as GDPR and CCPA, an organization can incur heavy penalties for failing to govern personally identifiable information (PII). A study shows that 16.2% of all file shares contain PII. Another study shows that 9.2% of all files shared outside the organization contain PII. The main compliance and security risks associated with PII are data loss and data leaks. If they cause a GDPR infraction, data leak and data loss can cost an organization $10M or 2% of the organization’s annual revenue. Thus, it’s important to clean up and govern file shares by deploying a file management policy.
File Share PII Concerns
The biggest challenge in cleaning up and governing file shares is defensible deletion. The process of defensible deletion consists of having a clear policy, implementing that policy consistently, and retaining an audit trail to show the action that was taken.
Lifecycle policies often consider certain metadata about a file, for example: file creation date/time, file type, file activity, file location, and file size. However, this metadata alone is not sufficient to decide whether the file is eligible for deletion. It’s equally important to check with the governing departments within the organization, such as Records Management, Compliance, and Legal, to determine whether the file is eligible for a global deletion. Since GDPR and CCPA also require the production of evidence on why a file containing PII was deleted, an organization needs to maintain an audit trail to prove that the PII deletion was in accordance with the policies set.
Together, these processes (enforcing a consistent policy, checking with each governing department, and retaining an audit trail) are what constitute a defensible deletion of file share PII data.
But the story doesn’t end here. Data governance regulations such as GDPR also require organizations to produce, delete, or modify file share PII data on a subject’s request. Since organizations store billions of documents inside their file shares, finding a subject’s PII can be difficult. However, file analysis solutions that use a full-text index can enable organizations to find and remediate PII as needed.
At ZL Tech, we have helped a top 5 bank manage over 4 petabytes of file share data for privacy and governance. Please reach out to learn more.