ICO Fine Highlights Spreadsheet Risk for GDPR Compliance

Secondly, manually managing and monitoring GDPR-related information (that often resides in spreadsheets) effectively is challenging, if not impossible, in many organizations because of its sheer volume. The complexity of many business-critical spreadsheets, and the thousands of cells within them, means that identifying hidden data is difficult, to put it mildly.

This data breach is a stark reminder that unstructured data, which is often stored in spreadsheets and distributed across the organization, must be part of the GDPR compliance efforts, similar to the structured data that resides in core IT applications.

To ensure ‘sustainable’ compliance with the GDPR and other data protection frameworks for the foreseeable future, it’s imperative that organizations establish a management framework for structured and non-structured GDPR-relevant data so that they can be proactively managed based on the level of risk they pose to the business.

A systematic, automated approach will ensure that data is captured in accordance with the organization’s GDPR policy and provide an auditable attestation process to make GDPR compliance business-as-usual. It will also deliver organizations the capability they need to speedily meet the requests of erasure and data portability should an individual demand it. Crucially, it will minimize manual intervention and therefore human error, which can prove catastrophic when it comes to manually managing and monitoring spreadsheet environments for things like version control, changes and approvals, new data additions and attestation.

Organizations will do well to establish what Personally Identifiable Information (PII) data resides in their Excel estate and then implement the necessary systems and processes for data protection to maintain compliance with the GDPR. As shown in this case, it’s no longer a luxury, but a necessity.