Expert Insight: Mark James on Data Seeding

How to conveniently detect data loss

Privacy consultant Mark James has a wealth of experience working with a range of organisations to help them achieve GDPR (General Data Protection Regulation) compliance.

He’s also trained in Cyber Essentials and ISO 27001, giving him detailed knowledge of the security aspects of compliance.

Mark has worked as a DPO (data protection officer) for various organisations, including Longleat Safari Park and the Salvation Army. As DPO, he undertook gap analyses, supported with documentation, conducted DPIAs (data protection impact assessments), and more.

Previously, we interviewed him about voice cloning. He kindly agreed to a new interview about data seeding.

What have you been asked about lately?

I had an interesting conversation with a penetration testing colleague from IT Governance [our sister company].

His team had been discussing how IT staff and teams can implement tracking on users’ machines to detect accidental or intentional exfiltration of sensitive data and files, among other potentially malicious activity.

However, that then raised questions around informing staff and other users – to what extent they must be informed, if at all – and the best methods of tracking.

What is an unintrusive way of detecting whether data has been exfiltrated?

Data seeding seems like an obvious answer.

That involves planting synthetic details called ‘sleepers’ or ‘asset seeds’ into a database. These then allow organisations – specifically, data controllers – to monitor how that data is used, and when it might be lost or stolen.

Even though many people have never heard of data seeding, it’s becoming more common.

In fact, in some industries, such as commercial data providers and recruitment agencies, data seeding, used as a simple data loss identification tool, is already seen as a best practice.

Those organisations recognise that they must protect the data they’re responsible for, and that data seeding offers a useful early detection mechanism. The earlier you become aware of a data breach, the easier and cheaper it’ll be to mitigate the damage.

What other scenarios can data seeding be used for?

The uses of data seeding always come down to detecting unauthorised use, accidentally or otherwise. Suppliers are an obvious specific scenario.

If you’re working with a data processor, you [the data controller] are responsible for keeping that data secure. The ECJ [European Court of Justice] ruling from last December made that very clear.

By planting sleepers into the data shared with suppliers, and letting them know about it, you’re both:

  • Incentivising them to stick to the contract; and
  • Giving yourself an effective means of becoming aware of unexpected uses of your data.

By the same logic, data seeding can also be a good way of preventing data misuse after an employee leaves the organisation. Or to become aware of an employee accidentally releasing personal data.
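The mechanism described in the two answers above (planting synthetic 'sleeper' records, and giving each supplier its own set so an unexpected use can be traced back) can be shown in a small worked example. The Python below is an added illustration and not code from the interview, from DQM GRC or from IT Governance; the mailbox domain, the recipient names, the customer rows and the secret are all constructed for the example. Each seed address is derived with an HMAC under a controller-held secret, so seeds cannot be guessed from the real data and one supplier's seeds do not reveal another's.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical mailbox domain the data controller owns and monitors (.example is reserved).
SEED_DOMAIN = "seed-monitor.example"


@dataclass(frozen=True)
class Record:
    name: str
    email: str
    phone: str


def normalise(email: str) -> str:
    """Canonical form used for every comparison, so case or whitespace changes cannot hide a hit."""
    return email.strip().lower()


def seed_record(secret: bytes, recipient: str, index: int) -> Record:
    """Derive one synthetic sleeper for a given recipient.

    The address tag is an HMAC of (recipient, index) under the controller's secret:
    deterministic for the controller, unguessable for anyone else, and different per recipient.
    """
    tag = hmac.new(secret, f"{recipient}:{index}".encode(), hashlib.sha256).hexdigest()[:10]
    return Record(
        name=f"Alex Seed-{index}",                # synthetic; no real customer carries this name
        email=f"alex.{tag}@{SEED_DOMAIN}",
        phone=f"+44 7700 900{index:03d}",          # UK number range reserved for fictional use
    )


def seed_copy(records: list[Record], secret: bytes, recipient: str, n_seeds: int = 3):
    """Return the copy of the dataset handed to one recipient, with its seeds mixed in.

    Seeds are placed at positions derived from their own tag rather than appended,
    so they do not stand out as a block at the end of the file.
    """
    seeds = [seed_record(secret, recipient, i) for i in range(n_seeds)]
    out = list(records)
    for s in seeds:
        pos = int(s.email.split("@")[0].split(".")[1], 16) % (len(out) + 1)
        out.insert(pos, s)
    return out, seeds


def build_registry(secret: bytes, recipients: list[str], n_seeds: int = 3) -> dict[str, str]:
    """Map each seed address back to the recipient it was planted with.

    The registry is the controller's private index; it is never shared with suppliers.
    """
    registry: dict[str, str] = {}
    for r in recipients:
        for i in range(n_seeds):
            registry[normalise(seed_record(secret, r, i).email)] = r
    return registry


def attribute(observed_emails: list[str], registry: dict[str, str]) -> dict[str, int]:
    """Count seed hits per recipient among addresses seen outside the organisation.

    'Observed' might be a file found in the wild or the recipient list of an
    unsolicited mailing that reached a seed mailbox; any hit points at the copy that leaked.
    """
    hits: dict[str, int] = {}
    for e in observed_emails:
        r = registry.get(normalise(e))
        if r is not None:
            hits[r] = hits.get(r, 0) + 1
    return hits


# Constructed sample data for the demonstration.
SECRET = b"constructed-demo-secret-do-not-reuse"
CUSTOMERS = [
    Record("Priya Nair", "priya.nair@example.org", "+44 7700 900101"),
    Record("Tom Okafor", "tom.okafor@example.org", "+44 7700 900102"),
    Record("Mei Lin", "mei.lin@example.org", "+44 7700 900103"),
]
RECIPIENTS = ["supplier-a", "supplier-b"]


def demo() -> dict[str, int]:
    """Seed supplier B's copy, then attribute a constructed 'leaked' file back to it."""
    registry = build_registry(SECRET, RECIPIENTS)
    _copy_b, seeds_b = seed_copy(CUSTOMERS, SECRET, "supplier-b")
    # Constructed: a list later found outside the organisation, with two of B's seeds
    # (one re-cased), one genuine customer and one unrelated address.
    leaked = [CUSTOMERS[0].email, seeds_b[0].email.upper(), seeds_b[2].email, "nobody@example.org"]
    return attribute(leaked, registry)


if __name__ == "__main__":
    print(demo())  # {'supplier-b': 2}
```

The design choice worth noting is that attribution depends only on the controller's secret and registry, not on the supplier keeping anything confidential, which is what makes telling suppliers that seeds exist cost-free: knowing they are there does not help anyone find them.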

How much should organisations tell employees?

Organisations certainly need to make clear to employees that customer data is an asset they’re managing on behalf of their employer. The employee doesn’t ‘own’ the data.

Letting staff know that the data contains sleepers warns that they can be easily caught and prosecuted if they deliberately misuse the data.

Another good thing about this type of monitoring is that it’s fairly unintrusive. You’re not, to give an extreme example, logging keystrokes.

Data seeding doesn’t invade general workflows or job duties, and staff don’t feel constantly watched. That builds better relationships between employers and employees.

In terms of privacy considerations around higher-risk monitoring, my colleague Louise Brooks laid those out in a recent interview.

How disruptive is data seeding to organisations? And are there any downsides or risks to data seeding?

Not at all. Our data seeding solutions supply unique profiles to add to the customer’s database.

After completing this, we’re ready to track and report on the use of that data.

As to risks – it’s hard to think of any. Again, data seeding monitors the use of the data only – nothing else.

So, if an organisation wanted to monitor its employees further, it’d have to look at a solution other than data seeding.

Why should organisations choose DQM GRC’s data seeding solutions?

Data seeding is a simple, effective and long-term data tracking solution. Our data seeding customers are generally with us for years, because once implemented, the solution looks after itself.

We alert our customers to any untoward use of their data, leaving them to focus on other privacy or compliance matters, if not the day-to-day running of their business.

We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back after Easter, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s blog, where Group CEO Alan Calder gave us his expert insights into recent updates around ISO 27001.
