By: John Mancini on August 8th, 2018
How Do IIM Technologies Fit into the GDPR Puzzle?
Privacy | Information Security | GDPR
The GDPR’s May 25, 2018 deadline resulted in a mad compliance and security scramble not only for European companies but also for any company doing business in Europe or with European customers.
We just published a new market research report on GDPR. The purpose of this survey of 262 executives was to quantify – as close to the May 25th deadline as possible – the following three key issues related to GDPR:
- How do organizations view the emerging challenges tied to information privacy and security, and who have they charged with this task?
- At the deadline, where are organizations in their GDPR journey, and how much did they spend to get there? How do they assess their progress in meeting the core requirements of GDPR?
- What kinds of special pain points do unstructured information (i.e., content) raise in GDPR compliance efforts, and which core IIM technologies do organizations see as critical to their efforts?
For organizations at a significant scale – most of those in our survey – GDPR poses challenges that seem not that difficult on the surface but are actually quite complex. As an example, consider the right of customers to be provided a machine-readable version of ALL of the information handled by a company. For relatively small companies, this is likely a process that could be handled manually if necessary; the volume of requests is likely to be small, as is the number of systems in which personal information is likely to be contained.
But at scale, consider the number of places that data and content about a fictional “Mary Smith” are likely to be found. Consider how disconnected most of these systems are – the challenges most organizations have with relatively simple case management provide a good example of the complications created by disparate and disconnected systems.
Now consider how many unique ways “Mary Smith” is likely to be identified in these systems. Sometimes “Mary Smith.” Sometimes by her maiden name, “Mary Jones.” Sometimes by her email address, in all likelihood, multiple email addresses. Sometimes by her account number. Sometimes by a variation of her name like “M. Elizabeth Smith.” The potential complications associated with what seems a relatively simple task on the surface are mind-boggling.
Now consider how many of these kinds of requests an organization at a significant scale is likely to get in the course of a year. There is some speculation that individuals with a grievance against a particular company might use social media to “flood” a company with requests – somewhat akin to a denial of service attack.
Lastly, as those in the content space know, there are well-known challenges associated with finding and managing personal information within the vast troves of unstructured information that are much more complex than those on the structured data side of the house.
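To make the "Mary Smith" problem concrete, the following Python is an added illustration (not code from the report or from AIIM) of what a right-to-portability lookup has to do across disconnected systems: accept the identifiers the verified requester declares (current name, maiden name, old e-mail addresses, account number), normalize them, run a per-system adapter over each store, and separate confirmed hits (e-mail or account-number match) from loose name-only matches that a human must review before anything is exported. The four systems, every record in them, and all names, addresses and account numbers are constructed for the example; the field layouts and the `ACCT-` numbering scheme are assumptions, not any real product's schema.

```python
"""Locate one data subject's records across disconnected systems (constructed example)."""
import json
import re

# Identifiers the subject is known by, taken from the verified request. The code
# never infers aliases: a guessed maiden name or address can pull a different
# person's data into the export, which is itself a disclosure incident.
SUBJECT = {
    "names": ["Mary Smith", "Mary Jones", "M. Elizabeth Smith"],
    "emails": ["mary.smith@example.com", "MJones@Example.org"],
    "account_ids": ["ACCT-004417"],
}

# Constructed stand-ins for a CRM, a ticketing tool, a billing system and a
# shared drive of unstructured documents, each with its own field names.
SYSTEMS = {
    "crm": [
        {"contact": "Mary Smith", "email": "mary.smith@example.com", "tier": "gold"},
        {"contact": "Mike Smith", "email": "mike.smith@example.com", "tier": "basic"},
    ],
    "support": [
        {"ticket": 8812, "requester": "MJones@Example.org", "subject": "Login problem"},
        {"ticket": 8813, "requester": "ops@example.net", "subject": "Invoice copy"},
    ],
    "billing": [
        {"account": "ACCT-004417", "holder": "M. Elizabeth Smith", "balance": "12.00"},
        {"account": "ACCT-009001", "holder": "Mary Smithson", "balance": "0.00"},
    ],
    "shared_drive": [
        {"path": "/hr/onboarding/M_Smith_contract.docx",
         "text": "Employee contact: mary.smith@example.com, start date 2017-03-01"},
        {"path": "/sales/q3_totals.xlsx", "text": "Region totals, no contacts listed"},
    ],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ACCOUNT_RE = re.compile(r"ACCT-\d{6}")  # assumed account-number format


def normalize_email(addr: str) -> str:
    """Case and surrounding whitespace are not significant in an address comparison."""
    return addr.strip().lower()


def name_key(name: str) -> str:
    """Collapse a name to 'first initial + surname' so 'M. Elizabeth Smith' and
    'Mary Smith' compare equal. Deliberately loose: a match on this key alone is a
    candidate for review, never a confirmed hit (it also catches 'Mike Smith')."""
    parts = re.sub(r"[^\w\s]", " ", name).split()
    if len(parts) < 2:
        return name.strip().lower()
    return f"{parts[0][0].lower()} {parts[-1].lower()}"


def identifiers_in(system: str, record: dict) -> dict:
    """Per-system adapter that pulls identifiers out of one record's field layout.
    The shared drive has no schema, so identifiers are regex-extracted from text."""
    if system == "crm":
        return {"emails": [record["email"]], "names": [record["contact"]], "account_ids": []}
    if system == "support":
        return {"emails": [record["requester"]], "names": [], "account_ids": []}
    if system == "billing":
        return {"emails": [], "names": [record["holder"]], "account_ids": [record["account"]]}
    if system == "shared_drive":
        blob = record["path"] + " " + record["text"]
        return {"emails": EMAIL_RE.findall(blob), "names": [],
                "account_ids": ACCOUNT_RE.findall(blob)}
    raise ValueError(f"no adapter for system {system!r}")


def locate_subject(subject: dict, systems: dict) -> dict:
    """Return {'confirmed': [(system, index, matched_ids)], 'needs_review': [(system, index, names)]}.
    E-mail or account-number matches are confirmed; name-only matches are queued for review."""
    want_emails = {normalize_email(e) for e in subject["emails"]}
    want_accounts = set(subject["account_ids"])
    want_names = {name_key(n) for n in subject["names"]}
    hits = {"confirmed": [], "needs_review": []}
    for system, records in systems.items():
        for idx, record in enumerate(records):
            ids = identifiers_in(system, record)
            strong = ({normalize_email(e) for e in ids["emails"]} & want_emails) | (
                set(ids["account_ids"]) & want_accounts)
            if strong:
                hits["confirmed"].append((system, idx, sorted(strong)))
            elif {name_key(n) for n in ids["names"]} & want_names:
                hits["needs_review"].append((system, idx, ids["names"]))
    return hits


def portability_export(subject: dict, systems: dict) -> str:
    """Bundle the confirmed records into one machine-readable (JSON) document, the
    artefact the right to data portability calls for. Review-queue items are listed
    by location only, so no unverified record leaves with the export."""
    hits = locate_subject(subject, systems)
    bundle = {
        "records": [{"system": s, "data": systems[s][i]} for s, i, _ in hits["confirmed"]],
        "pending_review": [{"system": s, "index": i} for s, i, _ in hits["needs_review"]],
    }
    return json.dumps(bundle, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(portability_export(SUBJECT, SYSTEMS))
```

Run as a script, it prints the JSON bundle: four confirmed records (one per system, found respectively by exact address, by case-insensitive address, by account number, and by an address buried in document text) and one pending-review entry for the "Mike Smith" CRM contact, whose data is deliberately withheld until a person confirms or rejects the match. The split between confirmed and needs-review is the design point: the cost of under-collecting is an incomplete response, but the cost of over-collecting is handing one customer another customer's personal data.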
Key Findings
- 20-30% of organizations have little or only marginal confidence in their ability to meet core GDPR compliance requirements. Particularly problematic are requirements dealing with 1) proving compliance in an audit context, 2) generating clean and auditable records of processing activities, 3) meeting the 72-hour regulator breach notification requirement, and 4) cross-border transfers.
- 20-30% of organizations also have little or only marginal confidence in their ability to respond to the new customer rights created by the GDPR. Particularly problematic are 1) the right to be forgotten, 2) the right to data portability and to be provided a machine-readable file of all personal information, and 3) the right to object to the processing of data.
- Over 30% of organizations have little or only marginal confidence that the personal information in their core content systems is under control. Shared drives, SharePoint repositories, and content lodged in third-party SaaS applications are particularly challenging.
- With regard to the right to be forgotten, only 40% of organizations have automated processes in place to delete personal information within these systems.
- 39% of organizations have no idea how much it will cost to find all of the information they have about a particular individual (to meet the right to data portability). For those who DO know, 48% believe this seemingly simple right will cost more than €5,000 per request.
- On average, companies expect 60.1 GDPR data requests in the first 12 months, with an average cost of €4,604 EACH. This means an average operating cost of over €276,700 simply to meet the core GDPR rights tied to identifying and accessing personal information.
- 60% of organizations believe the GDPR core requirements relative to website content and processes are under control – which means 40% either believe they are not or have no idea. [Author’s note: Even the 60% is likely to prove an overly optimistic number once organizations experience the complexities that are involved.]
- Organizations see the following IIM technologies as most important in their GDPR compliance efforts:
  - Electronic records management and digital preservation
  - Data recognition, extraction, and standardization
  - Business process management
  - Cloud content management
  - Artificial intelligence, content analytics, and semantics
  - Automated document classification and PII identification
About John Mancini
John Mancini is the President of Content Results, LLC and the Past President of AIIM. He is a well-known author, speaker, and advisor on information management, digital transformation and intelligent automation. John is a frequent keynote speaker and author of more than 30 eBooks on a variety of topics. He can be found on Twitter, LinkedIn and Facebook as jmancini77.
Recent keynote topics include:
- The Stairway to Digital Transformation
- Navigating Disruptive Waters — 4 Things You Need to Know to Build Your Digital Transformation Strategy
- Getting Ahead of the Digital Transformation Curve
- Viewing Information Management Through a New Lens
- Digital Disruption: 6 Strategies to Avoid Being “Blockbustered”
Specialties:
- Keynote speaker and writer on AI, RPA, intelligent Information Management, Intelligent Automation and Digital Transformation.
- Consensus-building with Boards to create strategic focus, action, and accountability.
- Extensive public speaking and public relations work.
- Conversant and experienced in major technology issues and trends.
- Expert on inbound and content marketing, particularly in an association environment and on the Hubspot platform.
John is a Phi Beta Kappa graduate of the College of William and Mary, and holds an M.A. in Public Policy from the Woodrow Wilson School at Princeton University.