Privacy & access

The privacy leak nobody saw coming

What you no longer keep cannot leak.

On a Monday morning an IT manager gets an email from an intern: “I happened across this folder on the shared drive. Are those really the salary details of the whole company?” That’s when the penny drops. Not that the systems were hacked. Not that someone meant harm. Just: a folder set up at some point by someone for “the salary harmonisation project team” and never closed again. By now half the organisation has access to it — including people who haven’t worked here for ages.

This is the pattern we see in almost every organisation. Network drives set up “just temporarily” once upon a time. SharePoint sites created by every project and never tidied up. Mailboxes of departed staff still open, just in case. Scans of ID documents in an HR folder from 2014. A citizen service number that ended up in a client file by accident. The common denominator: the organisation no longer knows what’s there, who can reach it, and whether it’s allowed to be there at all. And that’s not an abstract risk: shortcomings in the security of personal data carry a maximum fine of €10 million or 2% of worldwide annual turnover, whichever is higher. In 2024 the Dutch Data Protection Authority (AP) recorded close to 38,000 data-breach notifications, a record, and according to the AP’s 2024 data-breach report the average financial damage from a cyber attack came in at around €104,000. Or, as the AP itself puts it: “What you no longer have, can’t leak.”

The Data Protection Officer then asks the logical question: give me an overview of where we store personal data, who has access, and whether the retention period is still running. Silence. That overview doesn’t exist. There’s a register of processing activities, but it says nothing about the 40 TB of loose files on a file server. IT can see which permissions are set on which folder, but not what is inside those files. The classic solution — an external agency clicking through folders with a hundred people — is expensive, slow and incomplete. People going through tens of thousands of files by hand miss things. Always.

We turn it around. Before you decide what needs to happen, you need to know what you have. The platform scans file shares, SharePoint and DMS systems, makes old scans searchable with OCR, and automatically identifies documents with personal data, citizen service numbers, medical or financial information, and commercially confidential material. More importantly: that content analysis is joined to the access control lists. So a single view doesn’t show an abstract heatmap, it shows: “This folder contains 3,400 documents with personal data and 287 employees have access — 42 of whom no longer work here.” Then the clean-up, driven by business rules — which documents can go based on retention periods, which must be moved, where access needs to be revoked — with a full audit trail. Because when the AP calls, that’s exactly the story you need to be able to tell.
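The join described above, content findings set against access control lists and the current staff roster, as an added sketch that is not the platform's own code. It assumes "citizen service number" means the Dutch BSN, validated with the eleven-test; all paths, user names and file contents are constructed sample data.

```python
import re
from collections import defaultdict

# Assumption: a citizen service number is a Dutch BSN, nine digits that pass the eleven-test.
BSN_CANDIDATE = re.compile(r"(?<!\d)\d{9}(?!\d)")
WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)

def is_bsn(digits: str) -> bool:
    """Eleven-test: the weighted digit sum must be divisible by 11 (all zeros excluded)."""
    total = sum(int(d) * w for d, w in zip(digits, WEIGHTS))
    return digits != "000000000" and total % 11 == 0

def exposure_report(documents, acl, active_staff):
    """Join content findings to folder ACLs and the HR roster.

    documents: {path: extracted text}, acl: {folder: set of users},
    active_staff: set of users currently employed.
    """
    hits = defaultdict(int)
    for path, text in documents.items():
        if any(is_bsn(m) for m in BSN_CANDIDATE.findall(text)):
            hits[path.rsplit("/", 1)[0]] += 1  # count per containing folder
    report = []
    for folder, count in sorted(hits.items()):
        users = acl.get(folder, set())
        report.append({
            "folder": folder,
            "docs_with_bsn": count,
            "with_access": len(users),
            "departed": sorted(users - active_staff),  # access that should be revoked
        })
    return report

# Constructed sample data (hypothetical paths, users and numbers).
DOCS = {
    "/hr/salary-project/overview.txt": "Employee 111222333, scale 9",
    "/hr/salary-project/notes.txt": "Order ref 123456789 (fails the eleven-test)",
    "/hr/salary-project/scan-2014.txt": "ID copy, BSN 123456782",
    "/sales/offers/q3.txt": "Invoice 987654321",
}
ACL = {
    "/hr/salary-project": {"anna", "bram", "intern01", "ex_pieter"},
    "/sales/offers": {"bram"},
}
ACTIVE = {"anna", "bram", "intern01"}

if __name__ == "__main__":
    for row in exposure_report(DOCS, ACL, ACTIVE):
        print(row)
```

Real ACLs are mostly group-based, so group membership has to be expanded to individual users before the departed-staff comparison means anything.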

The real outcome isn’t a report. It’s calm. The DPO can demonstrate to the regulator that the organisation knows what it has, where it sits, and who has access. The organisation moves from reactive — waiting for something to surface — to demonstrably in control. No more emails from interns. And if one does come in, the answer is: “We already know. And it’s been dealt with.”
