Wilmar International Limited, headquartered in Singapore, is a global processor and merchandiser of tropical oils and specialty fats and the leading agribusiness group in Asia, operating in 50 plus countries and employing 90,000 people.
WEH, cited in the Netherlands, was looking to discover personal data and potential risks in a major project aimed at assessment of its readiness for the regulation. GDPR was drawn up to reinforce the data rights of the EU residents and attune data protection law across all EU member states. It impacts the handling of Personal Data for a company’s customers, employees and partners across Europe.
The data challenge
WEH wanted to reduce risk and improve accountability by analyzing and classifying its data in accordance with Article 30 of the regulation, which covers the recording of data processing activities.
GDPR places great emphasis on accountability, which means that companies must document a number of areas when it comes to Personal Data such as purpose of data collected and categories of data. This requires keeping a record of data activity and ensuring it is up-to-date. In preparation for GDPR, WEH needed a solution to map the Personal Data within its unstructured data.
Mapping the 'where and what' of personal data
Data mapping is critical, especially unstructured data, when it comes to GDPR compliance. Data mapping enables companies to see where their data is located as well as highlighting ways it can be secured.
In preparing for GDPR, WEH needed to run an assessment of its data within Europe. By way of interviews with the business processes’ owners and internal assessment of the structured data stored in different systems, WEH could map most of the Personal Data it collects. However manual review of unstructured data proved to be time consuming. To facilitate the assessment WEH decided to use a third-party technical solution to specifically conduct an audit for its unstructured data held in France, Spain and the Netherlands to map the Personal Data, identify its nature, where it is processed, stored and how it could be transferred from one location to another.
“With GDPR coming into force, we needed to ensure that our systems and processes were compliant. Critically we had to assess what data we had, where it was and how we could manage it in a way that meets the Regulation,” says Viktoria van Doeland, Legal Counsel, WEH.
Taking the necessary steps
WEH looked at several options and decided to work with Orange Business, which provides a ‘GDPR Data Assessment Service’. Orange Business helps companies with global data management and storage to assess data and provide risk, data and security recommendations. The Service purchased by WEH fitted the criteria: straightforward, relatively quick and not resource intensive, but providing the full insight in the researched data.
GDPR came into force on 25 May 2018, so there was a very short window for the project to run: between 12 March 2018 to closure on the 2 May 2018, around 11.5 million files, amounting to 6 terabytes of data, were to be assessed. All unstructured data was to be searched for aging and Personal Identifiable Information (PII) content.
Once the project was engaged then a joint workshop was held locally to decide on what data needed to be assessed. A team from Orange Business worked very closely with key players from WEH’s IT, HR and Legal to define this.
The project also utilized Orange Business’ Flexible Engine, a highly-secure worldwide public cloud. The project team connected to WEH’s virtual machines sitting close to the data. Metadata was created and carefully analyzed showing the quantity and location of personal data that was found as well as potential risks. The Orange Business project manager held weekly calls with WEH to discuss deliverables and ensure the project was on track.
The team at Orange Business put together a final closure report for WEH on all PII data on requested network drives together with findings and recommendations. The report provided visibility into WEH’s unstructured data environment - providing an understanding of file type, size, data content and potential PII risks. “The report is extremely comprehensive and includes recommendations as well as business and technical options,” explains Arno van Beijnum, VP Cloud Services Europe, Orange Business.
Going forward this knowledge base has helped WEH minimize personal data and define steps to take, such as use of applications and fine-tuning of the internal instructions and policies.
Find out why data legislation does not stop with GDPR and read about our GDPR consulting capabilities.