The EU’s General Data Protection Regulation (GDPR) is a big change from how many firms have approached data protection in the past, from how responsive their security teams need to be to how clearly and quickly they can tell where personal data resides. It’s on the issue of personal data that companies are starting to sweat the most.

With the May 25 deadline looming, it’s quite likely organizations still hold copious amounts of personally identifiable information (PII) — anything from cookie data to device identifiers to IP addresses — across disparate systems located on-premises and in the cloud. That’s before you get into the murky world of identifying whether your business is a data controller or processor.

What is PII and how can it be used?

Under GDPR, the processing of personal data is broader than under the previous local data protection legislation. Article 2 of the GDPR states that the regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

So, how do you define personal data?

Under Article 4, personal data means “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This can include IP addresses and cookie data. With GDPR introducing newer concepts like subject access requests (SARs), the right to be forgotten/right to deletion, and data portability, EU citizens now have a right to know what data is collected on them, and that’s a concern for businesses when PII can be everywhere from email and social platforms to HR, HCM, and CRM systems. (For a deeper dive on PII, see “What is personally identifiable information (PII)? How to protect it under GDPR.”)

First step is a scoping exercise

The lack of awareness around where data resides has been troubling for organizations large and small. Take UK pub chain Wetherspoons, for example, which apparently deleted its 500,000-plus email marketing database and started again, presumably under the belief that it couldn’t readily get renewed consent, nor properly manage and protect that personal data.

“We felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data,” the firm said in a statement to Wired at the time.

Nick Ioannou, head of IT at UK-based architecture firm Ratcliffe Groves, says organizations need to first identify if they are a data processor or controller, as well as what data they already hold. “The first step is to identify who has access to the PII data and whether they are a controller or processor. This is also tied in to where your data is, for instance a cloud-based email system. Next is looking at the risks and security around the data, together with identifying any automated processing. Understanding the laws that affect your business that override GDPR is also important to meet your GDPR obligations correctly.”

The steps to finding unexpected PII

GDPR lists the six lawful reasons for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The reason this is important is that once you have identified the PII you have and where it is, you need to identify the lawful basis for having it or change your processes, so you stop asking for PII you do not need.

First, how do you find it? Here are just a few examples of where PII might reside outside core operational systems:

- Cloud apps, including those not approved by the organization
- Online file-sharing services
- Removable media
- Physical storage (file cabinets)
- Third-party/supply chain providers
- Temporary files
- Sandbox/test systems
- Backup systems
- Employee devices

Ioannou says: “General Data Protection Regulation is really (analog and digital) data protection regulation, so the first thing to do is take a step back and look everywhere stuff is written down, printed, scanned or created, and stored as digital content. Shadow IT could contain lots of personal data that may not be expected to be there, as well as removable USB memory sticks and drives, as well as backups.”

Stewart says you need to be looking everywhere, quite literally. “Well, everywhere… filing cabinets, third-party storage, file servers. The first step is to be clear what personal data is — information classification is a prerequisite so that you know personal data when you see it. I’ve heard of a number of organizations that effectively had to start their search for personal data again because they hadn’t formalized what they were looking for.”

Perhaps with the Cambridge Analytica scandal in mind, he suggests the supply chain too will soon feel the effects: “Supply chain is definitely an important place to look. I would also suggest backup and archive resources. Also bear in mind that GDPR is landing in the middle of the largest migration of human knowledge in history.”

Stewart is referring to the rapid move from onsite storage to the cloud. “While this isn’t a bad thing per se, the drivers are usually reduced storage costs or a move before a disk runs out of space. Therefore, most organizations are doing lift and shift wholesale migrations of content that they don’t fully understand. There will be all sorts of sensitive personal data that has been moved to cloud without realizing it.”

Nic Miller, now a consulting virtual CISO but previously CISO at European hedge fund management company Brevan Howard, also sees too much real data being used in test systems. He believes unstructured data is going to be the blind spot for many organizations. “Shared folders, scratch/temp drives etc., and there’s no simple way to search for personal data… remembering that personal data is a wider net than the better understood PII.”

“A lot of companies will use third-party services for a number of staff services: payroll, pensions, insurance etc. All these companies will hold large amounts of sensitive data on the majority of your staff,” says Miller. “Don’t just look at this through a due diligence lens, though. Consider how that information is being shared. If it’s being emailed backwards and forwards with encrypted attachments, that’s both an accident waiting to happen when it is emailed to an incorrect address, and it’s causing you greater problems with the proliferation of this data internally through email archiving, etc.”

How do organizations move forward?

Ioannou says that process is important: “GDPR talks about implementing ‘appropriate technical and organizational measures to ensure a level of security appropriate to the risk’ so in order to prove we have the appropriate measures, our IT infrastructure and processes need to be documented and the risks assessed. Shadow IT, retention, rights, sharing and access control need to be looked at, together with just about every business process and where the GDPR obligations impact these processes.”

“Two key activities should be priorities,” stresses Stewart. “First, put in place a process to manage project risk and implement ‘secure by design’. Second, define personal data, run a discovery process to find it in BAU and then perform a high-level risk assessment using a triage process of a core of key controls that you think deliver 80 percent of the safety needed for personal data. For example, access control reviews, logging and monitoring, vulnerability management etc. might be part of a ‘top ten.’”

Stewart goes on to say that while encryption and pseudonymization technologies are “great… they are fairly high fruit on the tree.” Whitfield agrees, adding that it’s good for protecting data and if “not used correctly can leave you with a false sense of protection.”

“Many organizations are still struggling to do the basics,” says Stewart, citing an example of one international bank which doesn’t know “how many servers they have and what they’re being used for. I find it hard to believe claims that they’re ‘on top of’ GDPR compliance. I’d suggest a landscape view of personal data and risk should be a priority over any particular technical control. The ICO has very much signaled a risk-based approach. To do that credibly you need the landscape view.”

Nik Whitfield warns about being sucked in by vendor solutions too, also warning of encryption: “Be wary of letting technology vendors guide your strategy. Products that offer ‘GDPR compliance’ are only giving you solutions to very specific parts of the problem.”
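The “discovery process” Stewart describes, run over the kinds of unstructured locations listed earlier (scratch shares, test systems, backups), is where many teams stall. The following Python scan is an added example, not code from the article or from anyone quoted in it: it counts Article 4 style identifiers (e-mail addresses, IPv4 addresses, cookie-style online identifiers) per location so the report lists only places that now need a lawful-basis, retention or deletion decision. The regex patterns, sample paths and file contents are constructed assumptions.

```python
import re
from collections import Counter

# Identifiers that Article 4 GDPR treats as personal data when they can single
# out a natural person: e-mail addresses, IPv4 addresses and cookie-style online
# identifiers. The patterns are deliberately broad: a discovery scan wants recall
# first and human review second. (Constructed patterns, not an exhaustive set.)
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "cookie_id": re.compile(r"\b(?:_ga|uid|sessionid)=[A-Za-z0-9._-]{8,}", re.I),
}


def scan_text(text):
    """Count matches per identifier type; an empty Counter means nothing found."""
    counts = Counter()
    for kind, pattern in PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[kind] = hits
    return counts


def scan_sources(sources):
    """sources maps a location label to its text content.

    Returns {location: {kind: count}} only for locations holding at least one
    identifier, i.e. the places that need a lawful-basis decision, a retention
    decision or deletion.
    """
    report = {}
    for location, text in sources.items():
        counts = scan_text(text)
        if counts:
            report[location] = dict(counts)
    return report


# Constructed sample content standing in for a scratch share, a test-system seed
# file, a web log copied into a backup, and a document with no personal data.
SAMPLE_SOURCES = {
    "fileserver/scratch/export_2018.csv": "id,email\n1,jane.doe@example.com\n2,j.smith@example.org\n",
    "test-db/seed.sql": "INSERT INTO users VALUES ('ops', 'noreply@example.com');",
    "backup/www-access.log": "203.0.113.42 - - [10/May/2018] GET / cookie=_ga=GA1.2.1234567890.1525910400",
    "docs/retention-policy.txt": "Retention schedule: 7 years for invoices.",
}

if __name__ == "__main__":
    for location, counts in scan_sources(SAMPLE_SOURCES).items():
        print(f"{location}: {counts}")
```

Run against real shares, the per-location counts feed the landscape view Stewart calls for; every hit still needs a human to confirm it is personal data and to record the lawful basis for holding it.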