Pro audit program · v1.0

PII Data Discovery

You cannot protect what you cannot find. Quick check of PII discovery, mapping and minimisation.

General target area
GDPR / ISO 27701 framework
6 controls in this program
Cyentrix Cyentrix Trusted Author

Sign in to run → Back to library

About this program

You cannot protect what you cannot find. Quick check of PII discovery, mapping and minimisation.

Risks addressed

Critical Unknown PII stores exposed in a breach
High PII kept past the retention period (GDPR breach)
High Production data copied to test / dev environments

Controls (6)

Discovery tool scans structured + unstructured data
High

Discovery tool scans structured + unstructured data

How to test + evidence

Testing procedure: Tool (Varonis / Microsoft Purview / equivalent) scans file shares, databases, SaaS.

Evidence to collect: Tool inventory + last scan.
Data inventory / RoPA maintained
High

Data inventory / RoPA maintained

How to test + evidence

Testing procedure: Article-30 record of processing activities up to date.

Evidence to collect: RoPA document.
Retention policy + scheduled deletion
High

Retention policy + scheduled deletion

How to test + evidence

Testing procedure: Per data-type retention; automated deletion / archive at end of life.

Evidence to collect: Retention policy + delete jobs.
No production PII in non-prod
Critical

No production PII in non-prod

How to test + evidence

Testing procedure: Test / dev environments use anonymised / synthetic data.

Evidence to collect: Pipeline + masking config.
DSAR process tested
Medium

DSAR process tested

How to test + evidence

Testing procedure: Subject access request workflow tested at least once per year.

Evidence to collect: DSAR test report.
PII access reviewed quarterly
Medium

PII access reviewed quarterly

How to test + evidence

Testing procedure: Access to PII stores recertified by owners every quarter.

Evidence to collect: Recert report.