Believe it or not, 2018 is less than 100 days away, and it is bringing with it a slew of new regulatory concerns. Data privacy breaches have been in the news again and again this year, eliciting increased concern from regulators and legislative bodies. We can be sure that issues like the Equifax breach and Yahoo’s recent disclosure of the scope of the 2013 breach will remain topics of discussion and litigation for some time to come.
But one of the most important data privacy milestones on the horizon in 2018 has its roots far earlier and has been of utmost concern to multinational organizations. As this new regulation becomes better understood, it is now a growing concern for any enterprise that has contractors, employees, partners, customers, or prospects in Europe. The deadline for compliance is right around the corner, and the penalties for non-compliance are potentially large enough to put companies out of business.
In 2002, EC Vice President Commissioner Viviane Reding first proposed reform of the data privacy rules in the European Union. For nearly four years, the European Parliament worked to define what that reform would look like. In December 2015, an agreement was reached, leading to the adoption of the General Data Protection Regulation (GDPR) in April 2016. Enforcement, including severe penalties for non-compliance, begins in May 2018. More on those penalties later.
First, it should be noted that GDPR does not apply only to companies located within the EU. Any organization that processes data about any EU citizen is subject to its jurisdiction. Technologies as simple as cookie tracking, when combined with other personally identifiable information (PII), can run organizations afoul of this regulation, no matter where they are based.
In order to comply with GDPR, organizations must implement capabilities that assure certain rights of the individuals whose data they control:
Organizations that fail to comply with GDPR risk potentially massive penalties. Fines can be up to €20 Million or 4% global turnover, whichever is greater. In short, this regulation has the potential to put companies out of business.
Responding to these mandates can seem like a massive effort, especially if your organization has done little to prepare so far. It is not unusual for a company to have upwards of a dozen systems of record, each of which may process personal data for any number of reasons. How can an organization ensure and prove compliance when different departments or divisions may be responsible for each of these systems with no central controls or auditable policy enforcement?
Information governance frameworks and retention policies only work insofar as they can be applied to the content you need to manage. In most organizations, this information is spread across multiple systems, and tight integration or migration often isn’t cost-effective or feasible. While new platforms like Microsoft’s Advanced Data Governance in Office 365 provide significant benefits, most don’t control content stored in other systems. Also, many of the events that trigger the need for governance are managed in yet other systems, such as ERP and HR systems. The best way to be sure your policies are being applied to all information that needs to be managed is to implement a global policy solution that extends to every location that houses content.
Classification and tagging are the skeleton that allows your information architecture to stand. The more automation you can achieve in the classification process, the less risk your organization faces from improper data management. One way to achieve this is rule-based classification of content: if a file is of a certain type, or is uploaded to a certain location, or some combination thereof, your system should be able to classify it and apply compliance policies to it from the very second it enters your control. This type of classification is especially useful when it comes to giving regulators a one-stop shop for auditing purposes.
By enriching metadata application with machine learning, organizations can work towards a system that maintains itself. Gimmal recently interviewed i2kconnect CEO Reid K. Smith, who said, “[Over the next five years] organizations will be able to use AI [artificial intelligence] to automatically read, tag, summarize, find and analyze documents, and not have to rely on people to do all of that by hand. Also, they will be able to track new documents as they are written inside the organization or as they appear on the internet. A way to look at it is: imagine that your search engine could bring to bear industry and company knowledge to find your documents.
“Then, going farther, imagine that you could analyze the information in your documents with as much ease as you can for the structured data in your databases and applications. I see that being enabled by all of the AI technologies, including natural language and machine learning.”
This paradigm is what organizations should be striving towards now if they want to be able to keep up with increasing regulation.
Consistency, control, and ease of use are the trifecta that will determine your organization’s ability to comply with GDPR. The more consistency you can achieve between systems, and the broader your controls around those systems, the easier your process will be. Without an easy path to compliance, the risk will always be too great.