As we enter the final quarter of the year (did someone mention Christmas? It’s only Halloween!), we are all turning our attention to the most important upcoming regulation to act on in 2018. The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016 and will be enforced from 25 May 2018. Its intention is to strengthen and unify data protection for individuals within the EU, reflecting a world in which the value of personal information to organisations and individuals alike is only likely to keep increasing. As with most regulations of this type, the impact extends well beyond EU-based businesses: the GDPR applies to any organisation, wherever it is established, that processes the personal data of individuals in the EU. In short, the GDPR will have an international impact on how businesses manage and protect their information and data assets.
Preparation is key in any situation, especially when it comes to regulatory compliance. Research conducted by AIIM (an advocate and supporter of information professionals for over 70 years) found that 31% of respondents to a 2017 survey reported data loss or exposure within the previous twelve months. The primary cause cited was staff negligence or poor practice, not technology failure or hacking. 16% of respondents reported internal or HR incidents arising from unauthorised access. The result of these breaches has been the exposure or loss of Personally Identifiable Information (PII) relating to employees, customers or the general public.
Businesses must be continually concerned with data privacy and protection; they have a responsibility to protect the data entrusted to them. The GDPR is intended to unify and simplify data protection practices for businesses within the EU. So what’s so scary about that?
To meet the GDPR’s requirements, organisations will need a solid Information Governance (IG) framework, with policies that align with and support the Regulation. Such a framework typically includes, but is not limited to, policies (outlining permitted use and security measures), processes, people, technologies, training and monitoring.
For those who are not yet concerned, or are still only thinking about it, this is a reminder: the clock is ticking. Fear not, there is still time to prepare.
Arrgghhh… where do we start?
AIIM have highlighted the following factors which you need to consider as we embark on this path to regulatory compliance:
· Know what PII you possess; identify what PII is being captured, in what forms, where and how it is captured, by whom, and how it is being used. Limit collection to the minimum needed for specified, legitimate purposes.
· Create a “helicopter” view; connect your data across systems within the organisation to obtain a clear view of what information is being used, and by whom. This enables stricter controls over security, portability, monitoring of data in transit and disposition.
· Maximise metadata use; applying metadata automatically through auto-classification helps deliver privacy by design and compliance by default, and enables better retention management so that data is not kept for longer than necessary.
· Apply encryption technologies; encrypt data both in transit and at rest to protect the confidentiality of your critical information. Note that encryption on its own does not guarantee integrity: use authenticated encryption, or an additional integrity check, if you also need to detect tampering.
· Control and monitor; use access control lists to grant permissions and audit trails to trace activity within information systems. Know when and how PII is being accessed, and who is accessing it.
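As an added illustration of the last two points above (this is not part of the AIIM guidance or of Restore’s own material), here is a small Python model of a PII store that enforces an access control list keyed by role and stated purpose, returns only the fields that purpose permits, and records every read, allowed or denied, in an append-only audit trail. The records, roles, purposes and field names are constructed for the example.

```python
"""Purpose-limited PII access with an ACL and an append-only audit trail.

Constructed example: the records, roles, purposes and field names below are
invented for illustration and do not come from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample records of the kind an HR system might hold.
RECORDS: Dict[str, Dict[str, str]] = {
    "emp-001": {"name": "A. Example", "email": "a.example@example.invalid",
                "salary": "41000", "home_address": "1 Example Road"},
    "emp-002": {"name": "B. Sample", "email": "b.sample@example.invalid",
                "salary": "52000", "home_address": "2 Sample Street"},
}

# ACL keyed by stated purpose, then role, giving the fields that may be read.
# Anything not listed is denied: data minimisation is the default, and the
# same role gets different fields depending on the purpose it states.
ACL: Dict[str, Dict[str, FrozenSet[str]]] = {
    "payroll":   {"payroll_clerk": frozenset({"name", "salary"})},
    "directory": {"payroll_clerk": frozenset({"name", "email"}),
                  "staff":         frozenset({"name", "email"})},
}


@dataclass(frozen=True)
class AuditEntry:
    """One audit line: who, in what role, why, which record, which fields, result."""
    when: str
    actor: str
    role: str
    purpose: str
    record_id: str
    fields: Tuple[str, ...]
    outcome: str  # "allowed" or "denied"


class PIIStore:
    def __init__(self, records: Dict[str, Dict[str, str]],
                 acl: Dict[str, Dict[str, FrozenSet[str]]]) -> None:
        self._records = records
        self._acl = acl
        self._audit: List[AuditEntry] = []  # append-only; never edited

    def read(self, actor: str, role: str, purpose: str,
             record_id: str, fields: Iterable[str]) -> Dict[str, str]:
        """Return only the requested fields the ACL permits for this role and purpose.

        Every attempt is audited, including denials, so misuse is visible later.
        """
        requested = frozenset(fields)
        permitted = self._acl.get(purpose, {}).get(role, frozenset())
        stamp = datetime.now(timezone.utc).isoformat()

        def log(outcome: str) -> None:
            self._audit.append(AuditEntry(stamp, actor, role, purpose, record_id,
                                          tuple(sorted(requested)), outcome))

        # Deny if any requested field is outside the permitted set, or the
        # record does not exist (an unknown ID is still an attempt worth logging).
        if record_id not in self._records or not requested <= permitted:
            log("denied")
            raise PermissionError(
                f"{actor} ({role}) may not read {sorted(requested)} "
                f"from {record_id} for purpose '{purpose}'")
        log("allowed")
        record = self._records[record_id]
        return {name: record[name] for name in requested}

    def audit_trail(self, record_id: Optional[str] = None) -> List[AuditEntry]:
        """Audit entries in order, optionally filtered to one data subject's record."""
        return [e for e in self._audit
                if record_id is None or e.record_id == record_id]


if __name__ == "__main__":
    store = PIIStore(RECORDS, ACL)
    print(store.read("alice", "payroll_clerk", "payroll", "emp-001", ["name", "salary"]))
    try:
        # Same clerk, different purpose: salary is not needed for the directory.
        store.read("alice", "payroll_clerk", "directory", "emp-001", ["salary"])
    except PermissionError as err:
        print("denied:", err)
    for e in store.audit_trail("emp-001"):
        print(e.when, e.actor, e.role, e.purpose, e.fields, e.outcome)
```

The design point is that the ACL is keyed by purpose as well as role: a payroll clerk who legitimately sees salaries for payroll is still refused salaries when the stated purpose is the staff directory, and both the grant and the refusal end up in the trail that a subject access request or incident investigation would later consult.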
Change brings issues with it, and the implications of the GDPR, while challenging, are similar to those of other regulatory requirements and information management initiatives. Yes, the GDPR is the driving force moving businesses toward stronger data protection practices, but it should be seen as a positive motivator and an opportunity to do what must be done, and what should have been done all along. It is also an opportunity to evaluate how technology will support your IG initiatives and to align your business with the GDPR in a way that strengthens your practices.
Restore to the Rescue!
Paper documents are opaque: you cannot readily tell what personal data they hold. To help companies ensure their records don’t fall foul of the Regulation, we have a team of experienced business consultants and digital specialists on hand to help you fully understand the impact of the fast-approaching GDPR and UK Data Protection Bill on your organisation.
We will help you identify gaps and formulate a roadmap for compliance that not only removes the uncertainty around the changes but enables you to deliver better outcomes, build trust with your customers and significantly reduce the associated risks.
Mitigate the risk of reputational damage, penalties from the ICO and compensation claims by contacting Restore:
firstname.lastname@example.org | 0808 278 3679
Step out of the digital darkness and into the light
AIIM Insights: Understanding GDPR Readiness in 2017
Restore Document Management; GDPR Guide