Your Best Defense Should Include Some New Approaches
Believe it or not, 2018 is less than 100 days away and it is bringing with it a slew of new regulatory concerns. Data privacy breaches have been in the news again and again this year, eliciting increased concern from regulators and legislative bodies. We can be sure that issues like the Equifax breach and Yahoo’s recent disclosure of the scope of the 2013 breach will remain topics of discussion and litigation for some time to come.
But one of the most important data privacy milestones on the horizon in 2018 has its roots far earlier, and has been of utmost concern to multinational organizations. As this new regulation becomes better understood it is now a growing concern for any enterprise that has contractors, employees, partners, customers or prospects in Europe. The deadline for compliance is right around the corner, and the penalties for non-compliance are potentially large enough to put companies out of business.
General Data Protection Regulation: EU Enforcement Gains Teeth
In 2002, EC Vice President, Commissioner Viviane Reding initially proposed reform to data privacy rules in the European Union. For nearly four years, the European Parliament worked to define what that reform would look like. In December of 2015 an agreement was reached, leading to the adoption of General Data Protection Regulation (GDPR) in April 2016. In May 2018, however, severe penalties for non-compliance go into effect. But more on them later.
Who does it affect?
First, it should be noted that GDPR does not apply only to companies located within the EU. Any organization that processes data about any EU citizen is subject to its jurisdiction. Technologies as simple as cookie tracking, when combined with other personally-identifiable information (PII), can run organizations afoul of this regulation, no matter where they are based.
What do organizations need to do?
In order to comply with GDPR, organizations must implement capabilities to assure a few certain rights of the individuals whose data they control:
- The Right to Be Forgotten - All EU citizens have the right to request the complete deletion of any PII an organization has regarding them
- One-Stop Shops – Organizations must have a defensible process for proving compliance and make that information available to auditors from within a single location
- Data Portability – Organizations must provide a copy of all personal data to the subject of that data upon request
What are the penalties for failure to comply?
Organizations that fail to comply with GDPR risk potentially massive penalties. Fines can be up to €20 Million or 4% global turnover, whichever is greater. In short, this regulation has the potential to put companies out of business.
The Simplest Route to Compliance
Responding to these mandates can seem like a massive effort, especially if your organization has done little to prepare so far. It is not unusual for a company to have upwards of a dozen systems of record, each of which may process personal data for any number of reasons. How can an organization ensure and prove compliance when different departments or divisions may be responsible for each of these systems with no central controls or auditable policy enforcement?
Global Policy Management
Information governance frameworks and retention policies only work insofar as they can be applied to the content you need to manage. In most organizations this information is managed in multiple systems. Tight integration or migration often isn’t cost-effective or feasible. While new platforms like Microsoft’s Advanced Data Governance in Office 365 provides significant benefits, most don’t control content stored in other systems. Also, many of the events that trigger the need for governance are often managed in other systems such as ERP and HR systems. The best way to be sure your policies are being applied to all information that needs to be managed is to implement a global policy solution that extends to every location that houses content.
Classification and tagging are the skeletons that allow your information architecture to stand. The more automation you can achieve in the classification process, the less risk your organization may face due to improper data management. One way to enable this is to enable rule-based classification of content: if a file is of a certain type, or uploaded to a certain location, or some combination thereof, your system should be able to classify and apply compliance policies to that information from the very second it enters your control. This type of classification is especially useful when it comes to providing regulators with one-stop shops for auditing purposes.
By enriching metadata application with machine learning, organizations can work towards a system that maintains itself. Gimmal recently interviewed i2kconnect CEO Reid K. Smith, who said, “[Over the next five years] organizations will be able to use AI [artificial intelligence] to automatically read, tag, summarize, find and analyze documents, and not have to rely on people to do all of that by hand. Also, they will be able to track new documents as they are written inside the organization or as they appear on the internet. A way to look at it is: imagine that your search engine could bring to bear industry and company knowledge to find your documents.
“Then, going farther, imagine that you could analyze the information in your documents with as much ease as you can for the structured data in your databases and applications. I see that being enabled by all of the AI technologies, including natural language and machine learning.”
This paradigm is what organizations should be striving towards now if they want to be able to keep up with increasing regulation.
Compliance Requires a Strong Information Architecture
Consistency, control, and ease of use are the trifecta that will determine your organization’s ability to comply with GDPR. The more consistency you can achieve between systems, and the broader your controls around those systems, the easier your process will be. Without an easy path to compliance, the risk will always be too great.
About the Author: Jude O'Neil is a Marketing Analyst at Gimmal with a strong passion for information governance, content management, and process automation. Day-to-day, he works on the frontlines managing content and systems in addition to writing about the discipline. Prior to joining Gimmal, Jude worked as a content marketing consultant with a focus on the enterprise legal management and compliance software markets. He’s a married father of three boys and enjoys spending time playing with his kids and his guitars when not fighting for intelligent information management.
Make sure you get a copy of the new AIIM eBook -- Information Privacy and Security: GDPR is Just the Tip of the Iceberg.
And don't forget to join us for a very interesting webinar on November 29 at 2 pm eastern -- The Simplest Route to Security and Compliance. We're going to get beyond the usual hype about GDPR and talk about some new research focused on what 6 leading organizations are actually doing about GDPR. You won't want to miss it.