Spreadsheets and other EUC (End User Computing) applications are frequently used for PII and data storage processing, which make them a compliance risk under the EU’s GDPR.
What is GDPR?
The European Union’s General Data Protection Regulations (GDPR) went into effect on May 25, 2018. The law governs data protection and privacy for citizens of the EU and aims to hand control over personal data back to individuals. The penalty for non-compliance with GDPR can be significant depending on the size of the organization. The GDPR sets out 7 key principles that should underlie any organization’s approach to processing personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
Are Spreadsheets GDPR Compliant?
Do EUCs, such as spreadsheets, present a compliance risk under GDPR? Yes. EUCs are frequently used for data storage processing so it’s inevitable for data relevant to GDPR to end up in an Excel spreadsheet or Access database. Enterprise systems are usually rigid when it comes to meeting the diverse needs of different users and groups, especially as they change over time. A large percentage of users across the functional spectrum export data from financial systems and HR systems and project management systems and dump that data into one or more spreadsheets in order to further process it. This is when data leaves highly controlled and secure enterprise systems, and it enters an environment where sharing is widespread, and controls are very sparse.
How do you control GDPR spreadsheet & EUC risk?
It is in this environment that the company carries additional risk of breaching the mandates of GDPR. Given that businesses are not going to stop using spreadsheets or other EUCs anytime soon, and the end user is no more likely today to comply with company policy as they were before GDPR. There is now a growing need for a reliable and effective way to identify and mitigate the risks associated with non-compliance, while also preserving the efficiency and the utility of EUCs throughout any given business cycle or process. What can you do to bring data in EUCs under control? It’s important to remember that GDPR is not designed to prevent you from storing personal data. Rather, GDPR mandates that you retain control over it.
Business need to:
- Ensure Data Policy Covers spreadsheets and other EUCs – Data governance, risk and compliance teams along with other stakeholders need to ensure that their data protection policies cover EUCs.
- Discover the Population – Spreadsheets and other EUCs are often out of sight and duplicated easily and needlessly. Organizations need to find and create an inventory of EUCs that are stored in shared and widely accessible locations in
- Analyze Content – Analyze content to understand if personal information or sensitive data is in use. If so, organizations need to understand whether it is a one-time data dump, or if it is periodically and repeatedly used to store sensitive data.
- Assess the Criticality – EUCs are an essential part of many business processes and it may be hard, often impossible, to replace them. Businesses need to assess the purpose and usage of such spreadsheets or other EUCs to ensure that they can be subject to the appropriate level of scrutiny and control.
- Track Changes, Manage and Review – The long term goal for a business should be to ensure critical spreadsheets and other EUCs are version controlled with an ability to get an insight into content change history. EUCs should be periodically reviewed to ensure that any changes are well understood and the EUCs continue to function as expected.
How Does Apparity help with EUC governance?
Most regulations share common philosophies that mandate that at any given time, organizations are in control of their data and processing assets so that risk is mitigated. The Apparity platform, with its Discovery, Registration and Active Management modules, helps businesses implement effective EUC governance and controls. Apparity’s configurable nature aligns to the mandates of unique policy and procedural demands from industry and government regulatory bodies.
- Automated solution that finds, catalogs, and analyzes spreadsheet and other EUC data.
- Intelligently groups related spreadsheets to easily identify those spreadsheets and other EUCs that may be responsible for the iterative and/ or periodic duplication of sensitive data and content.
- Discovers database connections made by spreadsheets allowing companies to understand external data sources.
- Automatically updates the Apparity Inventory Management System (AIMS) with the Discovery results.
- The Apparity Inventory Management System (AIMS) Registration module allows the governance team to design and build an online assessment model that allows users to assess the criticality and purpose of the spreadsheets or other EUCs they are responsible for.
- The registration process can then be used to automatically determine the level of controls that should be assigned to an EUC.
- The Registration process, combined with the systematic oversight provided by Discovery, ensures that AIMS helps companies maintain a comprehensive, accurate and up-to-date listing of all the EUCs that present a GDPR risk to the organization.
Active Management Module
- All spreadsheets and access databases that are deemed to present the highest possible risk to the organization can be subject to the rigor of ‘constant compliance’, with real-time tracking, version and change management controls.
- The Apparity Active Management module allows organizations to capture every significant change made to a high risk spreadsheet or access database, ensuring an on-demand change management review and approval cycle with workflow that is tightly tied into the approval cycles demanded by the organization’s EUC Policy.
- For some types of EUCs like spreadsheets, the Apparity ‘fingerprinting’ technology ensures that regardless of where a user saves, moves, names or renames the EUCs they are working with, Apparity will track all copies and the sensitive content contained within those spreadsheets.