The new EU General Data Protection Regulation (GDPR) is gaining more and more traction and, as the deadline looms closer, industry experts and influencers are keen to share their views and opinions. However, most articles provide little more than another iteration of the key requirements and facts, such as the severe fines ($20m or 4 per cent of global annual turnover), rather than guidance on how to achieve compliance. As a result, confusion exists amongst business leaders, with many unsure what the ‘Data’ in ‘Data Protection’ refers to. They mistakenly assume that it is limited to data within a database, rather than personal information that can also be contained within documents, spreadsheets and recorded phone calls. There is very little guidance and a severe lack of practical solutions to help an organisation address GDPR holistically.
GDPR, at its core, is the archetypal information governance problem. Every organisation needs to understand what personal information it holds (for both customers and employees), why it is being held, what regulations apply to it, and who is responsible for ensuring it is in the correct format and for reliably deleting it. In addition, content must be secured and appropriately managed in order to protect the individual it relates to. Where content lives and how it is used is transforming the way companies create, share and secure files, as they face myriad challenges: flexible mobile working styles, new mobile and connected devices, lenient BYOD policies, and the surge of cloud and mobile productivity apps. Companies must be forward-looking and aim to design a mechanism that sustains GDPR compliance organically and consistently across the whole organisation.
Another challenge is scattered content resulting from shadow IT, which poses a risk to ensuring compliance. Employees turn to their own methods to complete their tasks when IT departments are unable to respond to requests in a satisfactory manner. This results in an organisation’s data being saved in multiple locations, and without policies or tracking by IT departments these rogue files become landmines. The use of shadow IT has run unrestrained, especially when it comes to collaboration within and outside of organisations. In order to preserve workflow and encourage seamless collaboration, there should be a controlled GDPR register of information. But this becomes a challenge without centralised management or visibility, given the splintered content stored on various unauthorised devices, shared drives, collaboration sites and laptop hard disks.
Any realistic GDPR implementation needs to service three key requirements:
Manage GDPR information
The process starts with identifying what information in your organisation is subject to GDPR. This sounds like a simple task, but as mentioned above, this information can exist in a range of locations and formats. Once identified, this content must then be profiled with metadata that describes its origin, purpose and locality. In addition, the justification for holding it and any explicit consent information should be associated with it, so there is no question as to why it is being held and for how long. Once this is complete, the appropriate security can then be applied to protect this content from internal and external risks, and to manage its complete lifecycle from acquisition, through processing, to disposition.
Finally, it is crucial that a complete audit trail of access to this content is put in place. With regards to data portability, certain barriers exist for companies. These can be as simple as knowing for certain which data the right to portability applies to, and having the right tools in place to assemble a coherent set, in an agreed format, to deliver to a customer or a third party. As GDPR does not prescribe an exact or universal format for transferring personal data, businesses should choose software that can automatically encrypt content to add a layer of protection.
Manage GDPR processes
GDPR-controlled processes need to be performed in a disciplined and regulated way in order to ensure compliance. It is essential that there is complete transparency, auditability and reporting to regulators. Businesses must be certain that all PII customer data has been thoroughly removed from all content that they hold, without undue delay, in accordance with the ‘right to be forgotten’. In addition, a business must be able to prove, beyond reasonable doubt, that the data has been eradicated. Implementing automation where appropriate will reduce overheads, eliminate human error and improve processes such as capturing explicit consent when requesting personal information, servicing Subject Access Requests, handling data portability and purging personal data on request. Customers also need controlled processes in order to respond quickly to exceptional GDPR events, such as Breach Notifications or Information Risk Assessments.
Align to business discipline
GDPR-sensitive information will be accessed and processed by different business departments in the context of various business operations, including HR, Marketing, Operations, Finance and others, as they all need to control and process personal information. It is therefore imperative that any GDPR-sensitive information is accessed through a set of controlled services that ensure information is protected and only used for the purpose it was intended. This should be a set of open, GDPR-aware services that transcend roles, organisational structures and systems, to ensure regulatory compliance is observed consistently.
In order to satisfy these requirements, GDPR compliance requires a services-based platform that secures information, controls and automates compliance processes, and can seamlessly integrate into every part of the business that requires access to GDPR-sensitive information. It needs to be built on a modern architecture that complements the way employees work, and it must be deployable and able to grow either on-premises or in the cloud, supporting both existing infrastructures and future deployment roadmaps.
This can be achieved with an open, modular system that is designed around information governance, and that integrates and extends for fast time to value and true digital transformation. Once a business correctly identifies all of the content it possesses (removing files that are obsolete to prevent unnecessary data hoarding), it can apply processes and governance through such a platform. This also ensures compliance with regulations without disrupting seamless and effective workflow. And it needs to be delivered quickly, because the GDPR compliance deadline of 25 May 2018 is closer than most IT delivery projects can accommodate.
George Parapadakis, Director of Business Solutions Strategy, Alfresco
Image source: Shutterstock/Wright Studio