Conducting Regular Data Audits: Finding and Securing Sensitive Information
Knowing What Data You Have and Where It Lives
A data audit is the process of locating, categorizing, and verifying the security of all stored information. This is especially vital for compliance with Kenya’s Data Protection and Privacy Act, which regulates how personal data is handled.
Steps for an Effective Data Audit
- **Inventory All Data Stores:** Map out every location where data is stored (local server, cloud drives, individual laptops, email archives, physical files).
- **Classify Data:** Categorize every document as public, internal, or highly sensitive (e.g., client National IDs, financial records, employee contracts).
- **Assess Access Controls:** For sensitive data, verify that only authorized personnel (Principle of Least Privilege) can access it. Check permissions for external sharing links and revoke unnecessary access.
- **Review Retention Policy:** Identify sensitive data that is past its legal retention period and securely delete it. Unneeded data is a liability.
- **Document Findings:** Create a formal report listing sensitive data locations, access gaps, and remediation steps needed.
Data audits prevent “data sprawl”—the uncontrolled proliferation of sensitive information across the network, which significantly increases breach risk.