We’ve all heard of the European Union (EU)’s pending General Data Protection Regulation (GDPR) and know it will have a major impact on how businesses around the world handle private data. What will this mean for Records and Knowledge Managers? In the second of our series of posts on GDPR we touch on some of the key preparation steps.
The countdown is now on: the European Union adopted the General Data Protection Regulation in 2016 and it will come into force in May 2018, so now is the time to prepare. How ready is your organization?
The GDPR aims to protect the rights of European citizens, giving them better control and security over their personal data. Despite the regulation coming into force soon, there is increasing evidence that companies across the world are worryingly unprepared. Furthermore, in some cases, they are alarmingly dismissive of the impact the legislation will have.
For example, some businesses in the UK assume Brexit means they can ignore the GDPR requirements altogether. The fact of the matter is that the GDPR applies to any company dealing with EU data subjects. This means the breadth of organizations that will have to comply is global.
Below are basic steps any organization should be taking to prepare for GDPR:
1. Begin with an information audit. If you don’t know what data you have in the business and where it is, you have no chance of fully complying. Both paper and electronic files, including email, will be included under the regulation, which will cause companies some serious problems. Without an audit there is no way to know what you hold.
2. Decide what data to keep. The idea of keeping every record ‘just in case’ is no longer valid. A vital part of good data governance is knowing which data is useful and which is likely to have no value, or may even end up costing you money. It’s a familiar concept to RIM practitioners: if the data is not germane to your business and you’re not obliged to store it, why expose your organization to additional risk and complexity by keeping it?
3. Securely destroy unnecessary data. Very few businesses come out with perfect scores following a data audit, so there will be remedial work to do. Companies may need to securely destroy unnecessary data stored on paper, for instance data that is no longer needed or has been kept beyond the retention policy date.
4. Set a budget for a Data Protection Officer and oversee the appointment. This will be a key appointment for larger companies, but also for many smaller ones that handle a high volume of personal records. For the latter it may be necessary to outsource the role, and we may well see specialized DPOs covering several clients. Either way it will incur a cost and needs to be budgeted for and driven forward.
5. Begin staff training and review your information governance framework. Staff training will be crucial to meet the requirements of the GDPR, and to avoid data breaches. With most data breaches stemming from individual error or bad process design, the focus should be on ensuring every employee, at every level of the business, understands the importance of data protection. All employees need to be aware, trained, and acting as responsible information owners.
The move to Office 365 & SharePoint creates enormous possibilities in terms of how your organization captures and stores information, giving you new options for how you comply with GDPR.
On April 23 we’re co-hosting a webinar with MVP Robert Bogue to share how to apply Microsoft’s game-changing records management capabilities for Office 365—including labels—that are transforming how SharePoint works as a records and knowledge repository.
Register now to attend live or to receive the video recording on demand after the broadcast.
Microsoft has generated a wealth of tools, services, and frameworks for organizations that run Office 365 and Azure. These are great resources for anyone wanting to learn more about preparing for GDPR and how to leverage their existing technology investments. Here are a few of our favorites:
- Microsoft GDPR Assessment Toolkit. A short, free online assessment that will help you understand where your organization is today and what next steps should be.
- Microsoft GDPR Compliance Manager. “Control management, integrated task assignment, evidence collection, and audit-ready reporting tools to streamline your compliance workflow.”
- Microsoft Webcast: Thriving in the GDPR era: How to accelerate your journey to compliance. This on-demand webinar gives a great overview of how Microsoft’s cloud technology supports your path to GDPR compliance.