The Francis Crick Institute Uses Rubrik Sonar to Manage Sensitive Data Risk and GDPR Compliance

Overview

Francis Crick Institute is a biomedical research center in London that opened in 2015. The institute is a partnership between six of the world’s leading biomedical research organizations - Cancer Research UK, Imperial College London, King’s College London (KCL), the Medical Research Council, University College London (UCL), and the Wellcome Trust. The institute has over 1,500 scientists and staff to understand why disease develops and to find new ways to diagnose, prevent, and treat a range of illnesses − such as cancer, heart disease, stroke, infections, and neurodegenerative diseases.

Gareth Butler, Senior Infrastructure Architect, and Paul Hajisavvi, Senior Systems Administrator, at Francis Crick Institute are responsible for IT infrastructure and support the underlying technology that drives the business. That includes helping manage sensitive data risk. “The General Data Protection Regulation (GDPR) formalized a lot of requirements previously under the UK’s Data Protection Act and gave users more rights over their own personally identifiable information (PII),” said Butler. “Thus, our organization needed to establish a baseline of what PII data we had and where it was located. With Rubrik Sonar, we get that clarity and can now provide management – with confidence – the information needed for audits or regulatory bodies.

Solutions

Increasing confidence in compliance by eliminating manual processes

Prior to deploying Sonar, Francis Crick did not have a solution in place to discover and classify what types of PII data it had. “It was a manual approach. It would be very difficult to gather the same information we see today with Sonar. We had a number of audits over the years and could say where we expected PII data on particular systems, such as HR systems. However, with Sonar, we can now automate a lot of those processes,” said Butler. “Prior to Sonar, we would have to wade through lots of documents to find the specific data we wanted. With Sonar, we now have both the macro and micro view of our sensitive data and can pinpoint a specific location within a file without wasting time sifting through hundreds of documents.”

Francis Crick Institute is using Sonar’s pre-defined templates and analyzers to scan for UK PII data. They have seen success in identifying locations with sensitive data, such as national insurance numbers, patents, and passport numbers. “Sonar highlighted areas where we knew we had PII data, giving us confidence in the baseline we have already established and in the product’s performance. Moving forward, it will flag anything that may be unauthorized so that we can investigate and remediate,” said Butler.

“One example is Sonar showed that a web server used for uploading documents, such those used in procurement, was holding on to those documents in an upload folder. That was an alarm bell and highlighted thousands of documents that might be at risk. We were able to recommend mitigation steps to the server owner in order to minimize that exposure risk,” said Hajisavvi.