If you’ve been keeping an eye on current trends in Enterprise Content Management, and more specifically around regulations, you may have come across an article or two about GDPR – the upcoming General Data Protection Regulation, which pertains specifically to the handling of personal information on European Union citizens. The GDPR will go into effect on May 25th, 2018, although the law was approved nearly two years ago. So why the current increase in coverage, workshops, webinars, etc. from cloud services and software vendors? Because the impact of not being compliant can be catastrophic for enterprises. Companies in violation will face fines up to 4% of annual global turnover, or €20 Million (whichever is greater). For many businesses, a fine of such magnitude could potentially put them out of business – so there is definitely a reason to worry about GDPR, with time running out to get into compliance.
However, given the breadth and depth of the General Data Protection Regulation, the recent marketing efforts from cloud services and software vendors should be examined critically. When you look at the requirements of GPDR (and other similar data protection regulations), not all of them can be solved completely with a cloud service and a piece of software. Many of the GDPR’s regulations are around processes, safeguards, acts of conducts, governance, and other aspects of data management where software can be a piece – perhaps an essential piece, but only a piece – of a much larger puzzle. To give this some more context, let’s dig a little bit into the core requirements of the GDPR and identify the pieces you can and cannot cover with software or cloud services.
The General Data Protection Regulation mandates that in obtaining consent for data use, organizations cannot use indecipherable terms and conditions filled with legalese. It must also be as easy to withdraw consent as it was to give. One of the many things businesses will need to do in advance of the May 25 deadline is to confirm that their terms and conditions are both comprehensive and comprehensible. That is not something that software or cloud services can help you with – although you can and should then use technology to present your terms and conditions to users, allowing them quickly to say yes or no as well as change their consent at any given time.
In the event of a data breach, data processors must notify their controllers and customers of any risk within 72 hours. Software and cloud services help identify and even prevent breaches, but the process of notification is not something that should be automated. Dealing with the fallout of a breach is something that an organization needs to be prepared to handle thoughtfully.
The GPDR doesn’t stop at the boundaries of Office 365 or Box – it is mandatory for all data, no matter where it resides.
Right to Access
Data subjects have the right to obtain confirmation from the data controller of whether their personal data is being processed. The data controller should provide an electronic copy of the personal data for free to data subjects.
Right to be Forgotten
When data is no longer relevant to its original purpose, data subjects can have the data controller to erase their personal data and cease its dissemination.
This allows individuals to obtain and reuse their personal data for their own purposes by transferring it to different IT environments.
The above three regulations rely on the ability to classify, delete and export personal and sensitive data. This is exactly where data classification, data loss prevention, and eDiscovery software vendors enter General Data Protection Regulation compliance. These tools are essential in this situation. It is almost impossible for these functions to be performed manually. It is important to fully understand what they can do for you, but equally as important is what they can’t do for you. Can your eDiscovery tool search over multiple content management systems? Can your data classification system identify personal data over vendors like Dropbox, Box, or Google? If you’re not asking yourself these questions, you should be! The GPDR doesn’t stop at the boundaries of Office 365 or Box – it is mandatory for all data, no matter where it resides.
Privacy by design means that from now on, each service, each application, needs to be designed with data protection in mind.
Data Protection Officers must be appointed to public authorities, or organizations that engage in large-scale systematic monitoring or processing of sensitive data. DPOs or similar profiles need to be included in the strategy of any organization; the impact of General Data Protection Regulation is too severe to take this lightly. Again, this has nothing to do with technology – this is a process and management-driven part of the regulation.
So, is GDPR the Sword of Damocles? Absolutely – if you are not taking the appropriate steps to be compliant, it can mean the end of your organization. However, Cloud Services and Software Vendors alone are not going to bring you into compliance. The GDPR requires all hands on deck and a combination of the right process and management, augmented by the right and tools. You need a specialist on your side that can bridge the technology with the regulation.
And remember to ask yourself when it comes to your software and services: Do these tools protect ALL of my data, across all of my Cloud Services, ECM platforms, and other content repositories? Or am I just GPDR compliant in one?
Learn more about how to extend the reach of your eDiscovery, data classification, loss prevention and other tools to your entire content ecosystem in our upcoming webinar: “How to Leverage Compliance & Governance Tools Across Multiple Content Management Systems.” Register now to join us at 3 p.m. ET, Monday, Feb. 26.