We’ve all heard of the European Union (EU)’s pending General Data Protection Regulation (GDPR) and know it will have a major impact on how businesses around the world handle private data. What will this mean for Records and Knowledge Managers? In our first of a series of posts on GDPR we explain the key points for RIM practitioners, with a focus on the criticality of capturing content metadata to enable timely search and retrieval.
The EU’s General Data Protection Regulation is designed to replace the patchwork of data protection regulatory authorities in the 28 EU member states with a single regime that will apply across the Union. The regulation will also apply to any non-EU business that handles the data of EU citizens in the Union, which means that even the biggest global cloud and social media companies, such as Google, Facebook, Twitter, Microsoft and Apple, are putting plans in place to comply. The first draft of this regulation was published by the European Commission in 2012, and since then the proposals have been grinding through the legislative process and were finally approved. GDPR will now come into force on 25th May 2018.
What are the Key Points of the GDPR?
- Consent: One big change for any business that handles personal data is that it will have to seek clear consent from customers, staff and suppliers for use of their data. That applies both to data gathered after the implementation of the regulation and—crucially—data that’s already held.
Impact: All existing data will have to be audited to make sure it complies with the new standard. This could mean that every person your organization holds data on will have to be contacted to upgrade their existing consent. And every consent will have to be available to the Information Commissioner’s Office for inspection on request. For many firms, this means a huge auditing and compliance exercise will take place.
- Disclosure: The current draft of the regulation requires any organization suffering a breach to notify the Data Protection Authority (DPA) and anyone affected by the breach within 72 hours.
Impact: Firms will need to establish clear processes to follow in the event of a breach to ensure rapid response. Consider what happened in the well-known Ashley Madison breach: hackers claimed to have stolen the customer database of the website that facilitates extramarital hook-ups. The hackers then posted that database online: it contained the details of some 30 million users. Although Ashley Madison is an American business, many of its users are EU citizens, and as such Ashley Madison would, under the GDPR, have been required to notify the DPA and EU users within 72 hours of the breach being discovered.
- The right to be forgotten: Businesses handling the data of EU citizens will have to erase data “without undue delay” if the individual asks them to do so, if the data was unlawfully processed or if they’re required to do so by law. There are some caveats to that—freedom of expression and information and the public interest or scientific and historical archiving requirements may trump the right to be forgotten.
Impact: With so much data held in the cloud and moving through enterprise, partner and customer networks, it is much harder for organizations to implement systems that will enable them to identify and erase personally identifiable information on request. Businesses will have to implement processes for responding to “right to be forgotten” requests in a timely fashion. Organizations will need to find the balance between capturing, storing and erasing information, which cannot be done without proper processes, systems and policies in place.
- Penalties: There is some good news for businesses! The original proposal was for penalties for non-compliance of up to 5% of global turnover, or up to €100 million. That has been watered down, and the current proposal is for fines of up to €20 million or 4% of global turnover, whichever is higher, depending on the seriousness of the infraction. For many businesses, however, this is still a catastrophic figure.
Impact: Under the current regime in the UK, fines have been a maximum of £500,000, which might not seem much to a business turning over millions or even billions of pounds or euros. The UK’s Carphone Warehouse, which had 90,000 credit card details stolen in a hack, might not feel a fine of that magnitude, but the fine of £200,000 levied on the British Pregnancy Advisory Service (BPAS) after thousands of people’s details were stolen by a hacker was a much bigger financial blow. One key finding by the UK Deputy Commissioner and Director of Data Protection was that BPAS was not aware of what information it was holding, nor that the data was not sufficiently secure, hence the punitive size of the fine. Businesses affected by the GDPR will have to take steps ahead of its implementation to ensure that they know what information they’re holding—a huge auditing and compliance exercise.
Preparing for the General Data Protection Regulation
In order to comply with the GDPR, organizations need to safeguard personal data, notify authorities within 72 hours, and have clear visibility into and management of their data records. One essential step is for organizations to be able to discover and control what personal data they hold and where it resides.
Radicati predicts that by 2021 almost 320 billion emails will be sent and received on a daily basis. With email often containing important data, it’s imperative that organizations have policies and measures in place to ensure their emails are easily discoverable and secure. To do this, organizations should consider implementing automated systems and machine-assisted insights to help find and classify data, set policies, and take action to manage the data’s lifecycle, preventing breaches that could result in high fines for the organization.
To do this they can use technologies such as Colligo to ensure that emails are captured and tagged with metadata in SharePoint, even when employees are on the go. The same technology can help identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents. The good news for many RIM practitioners is that the foundations of sound records and knowledge management will be indispensable in the GDPR era.
The move to Office 365 & SharePoint creates enormous possibilities in terms of how your organization captures and stores information, giving you new options for how you comply with GDPR.
On April 23 we’re co-hosting a webinar with MVP Robert Bogue to share how to apply Microsoft’s game-changing records management capabilities for Office 365—including labels—that are transforming how SharePoint works as a records and knowledge repository.
Register now to attend live or to receive the video recording on demand after the broadcast.
Microsoft has generated a wealth of tools, services, and frameworks for organizations that run Office 365 and Azure. These are great resources for anyone wanting to learn more about preparing for GDPR and how to leverage their existing technology investments. Here are a few of our favorites:
- Microsoft GDPR Assessment Toolkit. A short, free online assessment that will help you understand where your organization is today and what next steps should be.
- Microsoft GDPR Compliance Manager. “Control management, integrated task assignment, evidence collection, and audit-ready reporting tools to streamline your compliance workflow”
- Microsoft Webcast: Thriving in the GDPR era: How to accelerate your journey to compliance. This on-demand webinar gives a great overview of how Microsoft’s cloud technology supports your path to GDPR compliance.
Would you like to learn more about how Colligo can help? Contact us today to speak to a SharePoint expert.