Tidying up shared drives and old SharePoints
Every organisation of more than 50 staff has them: shared drives with folders from 2014, SharePoints from projects long closed, ‘archive’ partitions on file servers where nobody has rights any more but which still hold customer records, contracts and HR documents. For the IT staff they are storage costs. For the compliance officer they are unknown risks. This article describes how to clean this environment up systematically.
Where is the shadow administration?
- Shared team folders on file servers (\\fileserver\teams\projects\<projectname-2017>).
- SharePoint team sites created for one project and never tidied up afterwards.
- OneDrive folders of departed employees.
- External USB drives and NAS systems at department level.
- Customer shares with guest access that was never terminated.
- Backup folders with snapshots from old periods.
Estimate: in an average organisation 30-50% of shared storage is in ‘unknown use’ status, that is, last opened more than 12 months ago, with the owner unknown or a former employee.
The clean-up approach
Step 1: inventory
- Scan with PowerShell or a tool such as TreeSize or WinDirStat.
- Per folder: last opened, owner, size, number of files.
- List of the top 50 largest non-active folders.
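As an added example (not code from the original article), the PowerShell inventory below produces the per-folder figures step 1 asks for and prints the top-N shortlist of large inactive folders. It assumes the share root \\fileserver\teams from the path used earlier, an account that may read the folder ACLs, and a placeholder CSV path for the report.

```powershell
# Added example, not part of the original article.
# Inventories the top-level folders under a share root and reports, per folder,
# last access, owner, size and file count; then lists the largest inactive ones.
# Assumptions: the share root below exists and the running account may read ACLs.
param(
    [string]$Root = '\\fileserver\teams',          # share root from the article's example path
    [int]$InactiveMonths = 12,                      # 'unknown use' threshold from the article
    [int]$Top = 50,
    [string]$Report = '.\share-inventory.csv'       # placeholder output path
)

$cutoff = (Get-Date).AddMonths(-$InactiveMonths)

$rows = foreach ($dir in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
    # Collect files recursively; unreadable subfolders are skipped rather than aborting the scan.
    $files = @(Get-ChildItem -Path $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)

    if ($files.Count -gt 0) {
        # Sort instead of Measure-Object -Maximum so this also works on Windows PowerShell 5.1,
        # where Measure-Object cannot take the maximum of a DateTime property.
        $newest     = $files | Sort-Object LastAccessTime -Descending | Select-Object -First 1
        $lastAccess = $newest.LastAccessTime
        $sizeBytes  = ($files | Measure-Object -Property Length -Sum).Sum
    } else {
        $lastAccess = $dir.LastWriteTime
        $sizeBytes  = 0
    }

    # Owner from the NTFS security descriptor. If the ACL cannot be read this stays 'unknown';
    # an owner SID that no longer resolves (typical for departed employees) is returned as a raw SID.
    $owner = 'unknown'
    try { $owner = (Get-Acl -Path $dir.FullName).Owner } catch { }

    [pscustomobject]@{
        Folder     = $dir.FullName
        Owner      = $owner
        LastAccess = $lastAccess
        SizeGB     = [math]::Round($sizeBytes / 1GB, 2)
        Files      = $files.Count
        Inactive   = ($lastAccess -lt $cutoff)
    }
}

# Full inventory for the clean-up log (step 4 asks for date and size per folder).
$rows | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# Shortlist for step 2: the largest folders nobody has opened within the inactivity window.
$rows | Where-Object Inactive |
    Sort-Object SizeGB -Descending |
    Select-Object -First $Top |
    Format-Table Folder, Owner, LastAccess, SizeGB, Files -AutoSize
```

One check before trusting the LastAccess column: many file servers have NTFS last-access updates switched off, in which case LastAccessTime is never refreshed and every folder looks inactive. Run `fsutil behavior query DisableLastAccessUpdate` on the server; if updates are disabled, base the inactivity test on LastWriteTime instead, or on the audit or SMB access logs if those are collected.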
Step 2: find the owner
- For folders with an identifiable owner: email that person, with a deadline (4 weeks) to decide.
- For folders without an owner: assign ownership to the head of department.
- For folders of departed employees: follow HR archive policy.
Step 3: decide
Three options per folder:
- Keep active: still in use, stays at the current location.
- Archive to cold storage: possibly needed later, to archive storage.
- Remove: no longer needed, no statutory retention period.
Step 4: execute
- Remove via cloud tools (cryptographic erasure).
- Also clean up on-premise backups of removed data.
- Document date and size.
Most organisations that tidy up their shared drives discover that 40-60% of storage can really go. That saves licence costs and compliance risk.
Retention period test
For folders with identifiable content, test against retention periods:
- Project and customer folders: 7 years after end of project for financially relevant items. 2-3 years for the rest. Read the GDPR retention period cheatsheet.
- HR folders: 2 years after leaving for general, 7 years for pay-related.
- Contracts: 7 years after end of agreement.
- Application files: 4 weeks (rejected) to 1 year (with consent).
Cloud deletion versus physical destruction
A delete in SharePoint or OneDrive is a cloud erasure. For most data that suffices under GDPR. Read the details in really deleting cloud data. What does require physical destruction:
- On-premise backups on tape. Read cleaning up backup tapes and LTO.
- USB drives with copies. Read disposing of USB sticks.
- Old HDDs and NAS systems. Read HDD shredding.
Special: departed employees
OneDrive folders of departed employees need separate attention. Microsoft and Google keep them by default for 30-90 days after licence end, after which they are lost. Policy:
- At off-boarding: transfer relevant folders to a successor or team.
- Remove personal materials.
- Forward mailbox for 90 days, then deactivate.
- Back up OneDrive as PST or ZIP for 12 months, then permanently delete.
External parties with guest access
A forgotten consultant from 2019 who still has guest access to a SharePoint is an active GDPR risk. Review monthly who still has rights, and set automatic expiry after X months of inactivity.
Documentation
- Update the processing register.
- Log of cleaned-up folders with date and size.
- Evidence of cryptographic erasure where applicable.
- Destruction certificate for physical copies.
Cloud clean-up done? Do not forget the physical copies.
We destroy the physical leftovers of your shared drives: USB sticks, old HDDs, tapes, NAS disks. With a certificate per job.
Read more for IT MSPs
Working on a file-server clean-up? Email us via desnipperaar.nl about the physical side.