In preparation for the GDPR, our client Sompo Canopius requested a data protection audit.
Their systems were generally well-governed, so they were confident that their structured data – essentially data held in databases, making it relatively easy to search and classify – was managed in an effective and compliant way. But they felt less assured that their unstructured data – including email, images, documents, video and audio files – was managed with the same rigour. This led to concerns within the business about the level of risk to which the company was exposed, and the possible threat to the personal data of their valued customers. Canopius were keen to ensure a consistently high level of governance and asked Oyster IMS to perform a Data Protection Audit on their unstructured data.
Sompo Canopius is a global insurer and reinsurer: a Japanese-owned global business with c. $85 billion in total assets and its European headquarters in Switzerland.
Canopius underwrites a diversified portfolio of speciality lines business from its operations at Lloyd’s and around the world.
The organisation has enjoyed significant growth over the last twelve years through a mix of organic expansion and acquisition, meaning that it is now one of the top 10 insurers in Lloyd’s insurance market, writing premiums in excess of £1 billion.
The two objectives were:
- To ensure that Canopius could understand what personal data they had, how they use personal data, where and how that personal data is stored and how personal data is transferred internally and externally, including cross-border transfers.
- To propose and implement a programme of remediation which would address any issue uncovered through the process.
Three levels of personal data were defined for classification and for prioritising any remedial actions:
- Sensitive (Type A)
- Core (Type B)
- Contact and Organisational (Type C)
Oyster IMS carried out a Global Data Protection and Privacy Audit to report on creation, capture, storage, management and transfer of type A and B personal data.
A sophisticated, automated file analysis tool was used to search across 50Tb of data equating to 30 million files, primarily located in network file shares and email servers. Based on the audit findings Oyster IMS supported a remediation project carried out as part of a full Information Governance Programme.
We identified over 250,000 files containing personal data.
Of this personal data, 26% was found outside the locations where it was expected to be stored.
Canopius and Oyster were then able to implement an ongoing plan of remediation and support including:
- Internal awareness regarding the importance of personal data – types, usage, storage locations and any sharing
- Understanding of how personal data is kept accurate and up to date
- Understanding of the legal basis for having or using the personal data, and the necessary consent to use personal data in the way(s) it is used
- Procedures around dealing with data loss or breaches whether malicious or accidental
- Procedures to make individuals aware of what personal data may be held about them and why
- Understanding any privacy implications around change of process or new technology initiatives
This is an excellent arrangement for us. Oyster IMS gives us access to subject matter expertise with the flexibility to switch on the service as and when required.
Oyster IMS specialists are on-site when we need them – and they are always on the end of a phone if we need a quick answer.
The managed service suits us well at our stage of development and we are now into the fourth year of a relationship which continues to provide the peace of mind that we have Information Governance under control.
David Francis – Head of Information Protection and Governance, Sompo Canopius