By Patrick Devine – Data Security Specialist at Solid8 Technologies
Unstructured data and subject rights requests
If your business is like most businesses, 80% of the data you store is unstructured. This unstructured data comprises files, documents and emails. This ‘digital debris’ is the inevitable by-product of the majority of business operations and business change.
It is a matter of record that being able to find what you are looking for provides numerous business productivity benefits. That is why search is a big thing. Big for global technology titans but also a real differentiator for businesses if they implement enterprise search platforms.
But in terms of subject rights requests (SRRs), where do information officers (and their deputies) stand when it comes to finding what they are looking for?
Consider that a colleague, supplier, customer (or anyone) requests legitimately that your organisation delete all the personal information that your business holds about them. Could you do it? If so, to what time-scales and cost? What is your level of confidence that the information you have provided is complete?
How could you validate your answers to these questions objectively? Just because you have a report (or the files themselves) does not mean you have them all.
Testing your organisation’s readiness
One way to test your organisation’s readiness is to collate 100 (±50) personal documents for five separate people. ‘Seed’ these in emails, file shares, SharePoint and any other repositories used by the business, then submit 5 test SRRs and see how many of the documents are found. Crucially, the parties responding should not know how many documents are actually in circulation. You can source synthetic data from a variety of sources, so you do not need to rely on what you can lay your hands on internally.
Even as a thought exercise, this has the potential to cause a little apprehension. In the right circumstances, however, it needn’t.
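One way to score the seeded test described above, as an added example that is not part of the original article: the test owner keeps a private manifest of the seeded documents and compares it, by content hash, with what each test SRR returns. The function name, repository labels and sample documents are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def fingerprint(content: bytes) -> str:
    # Hash the content so a seeded file still matches after being renamed or moved.
    return hashlib.sha256(content).hexdigest()

def score_srr_test(manifest, responses):
    """manifest: (subject, repository, content) tuples kept only by the test owner.
    responses: {subject: [content, ...]} as returned for each test SRR.
    Assumes every seeded document has unique content (e.g. a unique reference line)."""
    owner = {fingerprint(c): (s, r) for s, r, c in manifest}
    by_subject = defaultdict(set)
    for fp, (s, _) in owner.items():
        by_subject[s].add(fp)

    repo_seeded, repo_found = defaultdict(int), defaultdict(int)
    report = {"subjects": {}, "repositories": {}}
    for subject, seeded in by_subject.items():
        returned = {fingerprint(c) for c in responses.get(subject, [])}
        hits = returned & seeded
        # Seeded documents of a different person in this response are a disclosure risk.
        leaks = sorted(owner[fp][0] for fp in returned - seeded if fp in owner)
        report["subjects"][subject] = {
            "seeded": len(seeded), "found": len(hits),
            "recall": len(hits) / len(seeded), "leaked_subjects": leaks}
        for fp in seeded:
            repo = owner[fp][1]
            repo_seeded[repo] += 1
            repo_found[repo] += fp in hits
    for repo, n in repo_seeded.items():
        report["repositories"][repo] = repo_found[repo] / n
    return report

# Constructed sample: two synthetic subjects, far fewer documents than a real test.
MANIFEST = [
    ("subject-A", "email", b"A payslip ref 001"),
    ("subject-A", "file-share", b"A contract ref 002"),
    ("subject-A", "sharepoint", b"A appraisal ref 003"),
    ("subject-B", "email", b"B invoice ref 004"),
    ("subject-B", "file-share", b"B CV ref 005"),
]
RESPONSES = {
    "subject-A": [b"A payslip ref 001", b"A contract ref 002", b"B CV ref 005"],
    "subject-B": [b"B invoice ref 004", b"unseeded genuine document"],
}

if __name__ == "__main__":
    for section, rows in score_srr_test(MANIFEST, RESPONSES).items():
        for name, value in rows.items():
            print(section, name, value)
```

The per-repository figures show which stores the search process is missing, and a non-empty `leaked_subjects` list means one person's response contained another person's seeded document.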
Where does the responsibility lie?
As information officers, is it your responsibility to ensure that information is stored (and able to be retrieved) effectively? Ideally, efficiently and economically too. No, it is not. This responsibility sits with the business areas, process owners and departments which are creating, storing and processing the data.
While the duty for overall POPIA compliance sits with the information officer (and any appointed deputies), responsibility to create, process and safely store data must sit with the business. There is a risk here, however, of simply kicking the can down the road. Making it the business’s responsibility doesn’t itself contribute towards POPIA compliance.
So consider a test activity of the sort described above. Challenge business stakeholders to deliver. At the same time, explore the business benefits of simply being able to quickly find and retrieve files and documents.
A necessary investment
The only way to make sure that you can consistently retrieve the relevant files and documents in response to an SRR is to ensure all your files and documents are pre-indexed with a technology solution designed specifically for the purpose. That means all files and documents within the scope of an SRR request can be reliably and economically retrieved. You will also be able to provide evidence and assurance in regard to your activities.
If you already have an enterprise search solution – make sure it is indexing all your unstructured storage repositories. If you do not have an enterprise search solution, consider the business case for getting one. DocAuthority provide solutions for business which cover a wide variety of information governance workloads including SRRs. There is a cost model here which will help you explore the costs and savings of using DocAuthority to help with your business’s SRRs. You can also find more information here on Subject Rights Requests and how DocAuthority can help.