Written by
- Tim Dunn, CEO Founder, eSpyder
- Matt Garrett, Technical Director, Cloud Business

In eSpyder’s last blog, “Digital Transformation? - Only if you clean up your data”, we explored why effective cleansing, streamlining and ongoing management of your corporate data is a critical component of any digital transformation initiative. There are many business benefits and competitive advantages in ensuring your valuable corporate data is optimised to support your business model. These include:

  • Reduced cost and greater operational efficiency
  • Improved customer service resulting in higher revenues and greater customer loyalty
  • Greater business agility and resilience
  • Lower risk of regulatory non-compliance and exposure


In this blog, Matt Garrett, Technical Director at Technology and Cloud transformation specialists CloudBusiness, joins us to highlight the main steps required during your data management journey and the key considerations along the way.

Digital Transformation was already high on CIOs’ priority list, but the Covid-19 pandemic has highlighted it as an existential requirement for organisations to achieve the agility they will need in future.

I asked Matt for his perspective on the following questions facing transformation teams:

  • Where should you start your transformation journey?
  • What are the key considerations and priorities?
  • How can you measure / assess progress?
  • What are the potential pitfalls?

Where should you start your transformation journey?

The first step in any digital transformation project is to set out what you want to achieve and have a clear business case for the cloud migration. With this in mind, we then embark on a discovery stage to explore the existing environment and understand exactly what you are migrating from. A significant part of this exercise is data discovery: understanding what data you currently have, and what data needs to be part of the migration.

What are the key considerations and priorities?

The major consideration is whether your data should be in the cloud at all. Any data that’s moved to the cloud is going to cost you money. As part of the data discovery we look at things like ‘DROT’: Duplicate, Redundant, Obsolete and Trivial data. From this we can assess the data and identify what shouldn’t be migrated. This can then be deleted, archived or managed on an on-premise server, and not form part of the transformation project.

How can I measure / assess progress?

There are a myriad of data management and governance maturity models and tools to help you assess your maturity. At the heart is having a comprehensive strategy to collect, aggregate, and process data. It also includes having the appropriate technologies to manage and draw insights from data. This means ensuring that the people within your organisation who need that data can access it in a meaningful way, and that people who don’t need it can’t access it. A good indication of your maturity is that you’re able to proactively use data to drive transformation within your business. Ultimately it boils down to knowing what data you have, where it is, who has access to it, and why you’re processing it.



What are the potential pitfalls?

The most common pitfall we see is where organisations move data to the cloud without knowing what they’re migrating. They move one mess from on premise to create another mess in the cloud. This can have several implications such as cost but also compliance. If you don’t know what data you’re migrating, you could be moving PII to the cloud and fall foul of data protection regulations.


Digital Transformation has become a business imperative. Executed well, it will deliver a significant competitive advantage through these challenging trading conditions. Data is the life blood of an effective business and data management should be a cornerstone of a digital transformation programme.


Here at eSpyder, we are immensely proud of our Privacy Operations and eDiscovery Platform. We believe that our newly released Version 3 of eSpyder provides industry leading support for organisations of all sizes that take privacy compliance seriously.

If you wish to register your interest in the programme, then please register here:

The eSpyder solution has evolved over the last 4 years based on customer feedback and the increasing demands for global privacy compliance regulations.

eSpyder has been designed from the ground up to support Data Protection Officers (DPOs) in their roles, ensuring company compliance with Privacy Regulations such as the GDPR and best business practice.

eSpyder allows DPOs to respond to Data Subject Access Requests (SARs) easily and quickly. It also allows you to track your progress in terms of SARs processing and corporate data storage and retention.

As part of our ongoing drive to provide the best privacy and eDiscovery solution available for companies, we have created a Trial Programme open to a limited number of organisations across various industry sectors and company sizes. In return the participating companies will receive a ninety-day eSpyder licence and associated support.

eSpyder is designed to be invisible and seamless for users on the one hand, but fully configurable for administrators and regulations consultants on the other. While supporting efficient and highly flexible Search & Indexing configuration and deployment options, eSpyder easily blends into existing IT environments without the need for additional server infrastructure.

Based on the industry leading eSpyder Enterprise PII identification engine, eSpyder is able to rapidly identify Personally Identifiable Information across a company’s estate, whether on servers or clients, visible or hidden.


For companies and individuals to qualify for the trial programme, they must meet the following criteria:

  • Provide feedback on the deployment and user experience with the eSpyder Platform.

  • Provide full details of the Use Cases being supported with the solution.

  • Be responsible for the Privacy Management within your organisation, or have the agreement / buy-in of that executive.



The Rise of Digital Transformation

The trend for companies to transform their legacy IT infrastructure into next generation digital platforms was growing even prior to the Covid-19 crisis. Throughout the pandemic companies were forced to adapt to new working practices and fundamentally evaluate how to be more agile and competitive in the future.

Being a technology leader is clearly a critical success factor for businesses in challenging times. According to McKinsey, the most successful organisations that dealt with the pandemic reported a variety of technology-related capabilities. 67% said they were more advanced in using technology than their peers before the crisis, and 56% said they were the first movers in experimenting with digital technologies during the crisis.    

Many organisations are now looking at how best to enable an omni-channel customer engagement strategy as well as leveraging the cloud to enable more flexible and adaptable business models and operational processes.

89% of enterprises are planning to adopt or have already adopted a digital business strategy - IDC

Good Corporate Data is a Competitive Advantage

At the heart of an effective digital transformation programme is how corporate data, the life blood of the business, will help drive the business forward. It is essential that companies don’t simply “lift and shift” the data they currently hold, but instead review what information will be critical to feed the business decisions and strategy in the new business model. The first step in this journey is to identify what data you hold, who can access it and how it is processed.


Streamlining the data your company holds, and understanding exactly how it is processed and why, delivers huge business advantages in terms of:

  • Reduced cost and greater operational efficiency.
  • Lower regulatory non-compliance risk and exposure.
  • Improved go-to-market execution and customer service and therefore higher revenues and greater customer loyalty.


eSpyder’s platform is helping organisations gain visibility of the sensitive and valuable data they hold. This enables them to define effective digital migrations and ensure strong information management and security.

Traditionally, addressing the challenge of effective data management has been daunting. IT systems and business applications have often had siloed data repositories and user data stores. These have grown organically and divergently over time to span corporate servers, laptops / desktops, cloud stores and even mobile devices. This has also meant that complying with privacy regulations such as GDPR, CCPA, HIPAA etc. has been an expensive and time-consuming challenge.


Taking Advantage of the Opportunity

Digital transformation programmes give us an opportunity to start with a “clean sheet of paper”. Streamlining and cleaning your business data will deliver significant ROI. Therefore, companies need to refrain from deprioritising good data management / governance during these severe trading circumstances. Indeed, they must make it a critical business objective.

If you’d like to explore how eSpyder can help you with your Data Management and what the next steps should be, feel free to contact me.

With the General Data Protection Regulation (GDPR) recently passing its two-year anniversary of coming into force, there has been a lot written on what progress has been made when it comes to the protection of individuals’ personal data against misuse by companies. The Information Commissioner’s Office (ICO) has certainly come under significant scrutiny and pressure for its track record when it comes to enforcing GDPR so far.

At the time of writing this blog, there has only been one monetary penalty enforced under GDPR – Doorstep Dispensaree Limited for £275,000. This is despite the ICO receiving 38,514 complaints under GDPR in just the last year. The two largest headline cases have been Marriott and British Airways, where the ICO issued “Intents to Fine” of £99M and £183M respectively - ICO British Airways Notification, ICO Marriott Notification. Both fines were supposed to be enforced within 6 months of the intent notices being served, but a year on both fines have been delayed, with an expectation that they will be significantly reduced. Indeed, BA’s owners, IAG, have set aside a “Settlement provision” of only €22M for the fine in their latest financial report; a 90% decrease on the actual liability - IAG Six Month Interim Management Report to 30th June 2020.



The ICO gave itself an “Adequate” rating in an internal audit. However, it is clear that the ICO is not only failing to uphold action on major companies, but also failing to address the more typical infringements by smaller companies. The internal audit cites the ICO’s “relaxed enforcement” stance during the Covid-19 crisis as a factor in their underperformance, but this does not explain the previous 18 months in which GDPR should have been regulated more robustly.

 It is clear that the GDPR gives regulators significant regulatory “teeth” and should have ushered in a new era of data privacy. Putting Covid-19 aside for a moment, there may be a couple of other major factors which result in the ICO’s lack of success.

 Firstly, is the scope of the ICO’s responsibilities too broad? They are currently accountable for:

  • Data Protection (the GDPR)
  • Freedom of Information Act
  • Privacy and Electronic Communications Regulations (PECR)
  • Environmental Information Regulations
  • INSPIRE Regulations
  • The re-use of Public Sector Information Regulations

Secondly, resourcing and funding are not in line with the challenge the ICO faces when aiming to enforce GDPR.

The internal ICO audit highlighted “Managing the ICO’s reputation” as one of the primary risks for the organisation. Currently citizens believe the ICO lacks teeth and is too biased towards the interests of business. Businesses believe the ICO is poor at providing proactive support and clear guidance, and IT industry commentators such as Wired report that the ICO has “given up” on enforcement altogether and is using Covid-19 as a cover.

It is clear, even to the ICO themselves, that they need to improve on effectively policing GDPR. Standing strong on the Marriott and BA fines would be a good start, but there has to be a broader strategy and plan if confidence in data privacy protection is to be ensured in the UK. An American consultant has reportedly been brought into the ICO to consider their powers in light of a Parliamentary enquiry last year that concluded: “The GDPR should offer a substantial level of protection for people’s personal data, but this does not seem to have materialised in practice. The Government should review whether there are adequate measures in place to enforce the GDPR and DPA in relation to how internet companies are using personal data, including consideration of whether the ICO has the resources necessary to act as an effective regulator” (Paragraph 105) - Parliamentary Enquiry into Data Protection and ICO enforcement


Our customers include a number of the UK’s leading pub and restaurant management companies and we have been discussing with them how they can most effectively support the UK Government’s data retention requirements for Covid-19 track and trace - Government Track and Trace Data Retention Guidance.

The Government stipulates that you should “keep a temporary record of your customers and visitors for 21 days, in a way that is manageable for your organisation”. This may be a simple requirement for single venue pubs and restaurants, but how do you ensure this data is appropriately stored, protected and deleted when you have hundreds of establishments across the country (and beyond)? This type of personal data is covered by the General Data Protection Regulation (GDPR), and the implications of mismanaging this data are significant.

I thought it would be useful to share some of the considerations and measures being taken to ensure the data is effectively managed.

There are already many instances of misuse of the track and trace data, either through employee ignorance of the privacy regulations or outright wilful abuse. Whether it’s companies using the data for marketing purposes, or serving staff personally contacting female customers through their contact details, there needs to be better control of this data.

It is important to remember that you not only have to gain consent to store data, but also state the specific purpose for which it will be used. The tweet above illustrates a pretty minor infringement, but we need the ICO to demonstrate a less passive and ineffectual approach to building awareness and policing businesses’ obligations under GDPR.

The ideal approach to meeting this Government requirement is for the data to be stored and managed centrally. This will enable appropriate encryption, access control and automated deletion processes. Whilst there is nothing that says the data can’t be held in a local paper-based bookings calendar (as traditionally has been the case for smaller businesses), deleting and restricting access to the data is difficult in these circumstances. Indeed, a corporate Data Protection Officer (DPO) would find it difficult to ensure compliance with GDPR.

The Government’s requirement for companies to store this data should be seen as an opportunity rather than an overhead. Leveraging strong data privacy practices as a company differentiator and demonstrating transparency with your customers on how their data is treated will be a great selling point at a time when the trading environment is extremely challenging.

Our customers, just by the very nature that they use eSpyder to manage their GDPR compliance, are among the very best companies in the UK for effectively managing personal data and minimising the cost of managing and reporting on compliance. Incorporating this temporary data retention requirement into their ongoing operations is easier than for a majority of companies. That said, now is the ideal time to get your Data Privacy operations fit for the most challenging trading environment in living memory.

Agility is going to be the key to survival and this requirement, albeit minor, highlights how effectively managing the customer data you hold will be a critical success factor. Managing personal data can be time-consuming, costly and frankly, not a core business activity. Reducing those costs and resource commitments whilst enhancing your company’s reputation with customers will greatly benefit the company’s business growth and profitability.

I would love to hear your thoughts or discuss your company’s situation. Please feel free to reach out to me.

The General Data Protection Regulation (GDPR) came into force in May 2018 and in the subsequent 2 years, UK companies have not only had to ensure they are compliant with GDPR, but also prepare for Brexit and more recently adapt their businesses to working under Covid-19 restrictions.

It’s fair to say that many organisations of all sizes were not ready to manage their obligations under GDPR by the May 24th 2018 deadline. Whilst most companies reviewed their data processing policies and business processes, there was still a huge challenge in terms of identifying where personally identifiable information (PII) resided in their systems, which limited the effectiveness of the compliance measures they were trying to establish. Furthermore, a majority of companies still struggle to track and protect PII on an ongoing basis.

One major barrier to gaining visibility to sensitive data is that there are a myriad of IT and business systems with their own individual data stores. Also, many users transfer data to their local machines from secure corporate data stores, often with the best intentions of working efficiently offline or from remote locations such as their homes.

Another major challenge is that the Data Owners and Data Protection Officer (DPO) are typically business executives rather than IT. Whilst they are the people who need to ask questions about what data is being held and where, for example in response to a Data Subject Access Request (DSAR), they are wholly reliant on IT staff to provide the results. This is costly and time-consuming for both the business stakeholders and the IT department. It also significantly hampers business agility, which has been crucial for companies in the current Covid-19 crisis where businesses had to develop new business practices to continue trading.

Understanding with confidence where the company’s sensitive data is stored, and who can access it, is the foundation and starting point for an effective Data Protection capability. When adopting a maturity model as below, you cannot progress beyond level 1 without completing the initial discovery and then implementing an ongoing tracking and search capability.


Once a company knows where their data resides and can ensure it is appropriately controlled and protected, they will gain significant business benefits beyond just GDPR compliance.

  • It greatly reduces costs associated with managing data protection and management.
  • It saves time and limits the resource required to gain visibility and control over data.
  • It increases business agility through both the time-savings and the reduction of risk in implementing new business models and services.
  • It improves customer service and brand reputation through rapid responsiveness to DSARs and demonstrable care and respect for customers’ data and privacy.