130,000 Privacy Items.
Only 5% Compliant.
A Canadian education sector union with 1,347 users discovered $21.6M in estimated privacy data risk across 21.3 million profiled items — with 95% of all privacy data sitting beyond any reasonable compliance threshold and accumulating at 2,500 new items every month.
Years of unmanaged sensitive data — accumulating quietly, consistently, across every system.
Like most organizations of this scale, the union knew it handled sensitive member and operational data. What it didn’t know was the full extent: 130,000+ privacy items spread across half of all mailboxes, 15% of SharePoint collections, and 40% of OneDrives — with no systematic retention or governance in place.
The privacy data density of 0.62% is consistent across all three content sources, suggesting a systemic pattern rather than isolated incidents. Travel information and recruitment data — both core to union operations — account for nearly 75% of all privacy risk.
Travel data is the single largest risk category
59,573 items containing travel information — 45.6% of all privacy data found. For a union with active member travel programmes, this data is embedded deeply in operational workflows and requires targeted governance.
Only 5% of privacy data meets compliance standards
Approximately 95% of all privacy data is older than 3 months. Without organization-specific retention guidelines, the vast majority of stored sensitive data is outside any defensible compliance window.
2,500 new privacy items added every month
Data is growing at 1.6% per month, creating ~2,500 new at-risk items each month. At $436,940 in new monthly exposure, the annual cost of inaction exceeds $5.2M in additional risk accumulation.
Significant historical data exposure
54,269 items are 3–10 years old, and 2,389 items are over a decade old. The estimated potential fines for data older than 3 years alone reach $9,791,800 — representing a deep legacy liability.
What 21.3 million items revealed
The Data & More Privacy Data Risk Assessment delivered a complete picture of risk across all three content sources — quantifying exposure by location, data type, age, and individual mailbox.
Travel and recruitment data account for 75% of all privacy risk
Both categories align directly with core union operations — member travel programmes and workforce recruitment. The concentration of risk in these two workflows provides a clear, actionable starting point for remediation.
Email is the primary risk surface — by a large margin
$19.9M of the $21.6M total exposure originates in Exchange Online — consistent with an organization where sensitive data flows primarily through email workflows. OneDrive carries a higher density (0.92%) but lower absolute volume.
Key insight: Because 92% of risk is concentrated in Exchange Online, targeted email remediation policies deliver disproportionate impact — making the inbox the highest-leverage starting point for any quick-win programme.
The Top 25.
Maximum impact, manageable scope.
The top 25 mailboxes, SharePoint site collections, and OneDrives represent 39.3% of total privacy data risk. Addressing these accounts first delivers nearly $8.9M in risk reduction within a 2–3 month remediation effort.
Visibility creates the foundation for everything else.
Beyond the risk numbers, the assessment gives the organization a complete, evidence-based picture of its data posture — and a prioritised, sequenced path to compliance that doesn’t require a ‘big bang’ remediation.
A complete data inventory across all M365 systems
For the first time, the organization knows exactly what sensitive data exists, where it lives, who owns it, and how old it is. These figures are measured across every storage location simultaneously, not estimated.
Microsoft Copilot readiness assessment
With 95% of privacy data outside compliance windows, a clear remediation roadmap is required before Copilot can be deployed safely. This assessment establishes that baseline and defines the work.
Sustainable, recurring governance cycles
The recommended approach treats privacy data management as an organizational habit — not a one-time cleanup. Recurring review cycles prevent the accumulation from returning once addressed.
Defensible compliance posture
With documented discovery, review, and remediation cycles in place, the organization can demonstrate active, auditable data stewardship to regulators, auditors, and member stakeholders.
The data is there. The risk is real. The Top 25 provide a manageable Phase 1. Begin as you mean to go on — make privacy data management an organizational habit.
Every organization’s data tells a story.
Find out what yours says.
A Data & More assessment takes weeks, not months — and gives your team the complete picture needed to act with confidence.