Do you delete inactive users? - Users that no longer work for the business should be deleted. This reduces the access points available to a hacker, making it harder to get in.
Have you deleted data that is no longer relevant? - All data that a business holds should be useful or required by law; all other data should be deleted from your system. This reduces the risk to the business, as the less data it holds, the easier it is to secure. It also means that, should a breach occur, you don’t have to worry that data you had forgotten about has been stolen, and as a result notification costs will fall, as well as remediation costs.
Can you tell them where your data is? - You should know where your data is stored and where you keep your records. This will allow you to protect these places and improve their security should it be needed.