What is the GDPR?
Despite the many advantages that digitalization brings, there’s a big elephant in the room that can’t be ignored any longer: digital data and the (im)proper use of it.
Digital data is within anyone’s reach and privacy regulations have been almost non-existent so far. The Data Protection Directive authored by the European Union from 1995 is hopelessly outdated as technology and marketing have evolved rapidly. Driven by several data leaks and privacy scandals, Europe’s revised answer is ready: The General Data Protection Regulation.
The recently introduced General Data Protection Regulation (GDPR) is a new and very tight regulation with the goal to improve private persons’ protection and unify it for all EU member states. The GDPR is all about the regulation of Personally Identifiable Information (PII).
PII is any information relating to an identified or identifiable natural person directly or indirectly by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that person. PII can be hidden in any kind of document, in any form, and allows one to trace back to the individual whose data is in the document.
You are risking tough penalties
To enforce the GDPR, the European Union founded a committee to which member states need to report in case of non-compliance. This law spans the whole Union and will not be made into a national law by the individual member states. The GDPR is taken very seriously, and rightfully so. Protection of the individual is something that needs to be ensured at all times. Companies who fail to comply with the GDPR by 25 May 2018 risk serious consequences. The minimum fine for violating the new regulation amounts to 20 million Euros. This can reach up to 4% of the company’s revenue, if this number happens to be greater than the minimum fine.
You probably have documents containing PII which are used in line of your business applications. These can easily be identified and processed to be in accordance with the GDPR. However, the same volume, if not more, PII infected documents are hidden away in legacy systems, fileshares, emails, databases, archives and more. These also need to be treated correctly, even if no one in your organization uses them actively and their existence is long forgotten. After all, suppose people with wrong intentions get into your system and are able to access these documents. History has shown how damaging this can be to an organization, directly to your finances but also very much to your reputation and credibility.
How to treat risky documents in a proper way
Complying to GDPR takes some serious preparation and effort. Not only are all your databases, clouds, shared folders, content management systems and repositories in the scope of this regulation, it also requires advanced expertise in security, policy management (eg. defining and maintaining your data breach policy), etc. which is best managed by a dedicated Privacy Officer. After all, how many databases, clouds, shared folders, content management systems and more does a company have, and how many users, internal and external systems have access? Spending your own valuable in house resources trying to make your data legit can be quite onerous. Documents containing PII can be hidden everywhere and a fast and easy solution imposes itself.
SCIO uses dedicated software to scan all of your systems. Risky documents at every location get correctly identified as such and treated accordingly. This treatment can be done in multiple ways, depending on your preferences. If you are certain the documents are superfluous, they can be immediately deleted. This means they can never end up in the wrong hands and you should no longer worry about their existence creating a potential problem. A less drastic option would be to keep the documents, but remove all PII contained in them. This way, the content of the documents can never be associated with the individual the document is about. A third option would be to encrypt the documents and keep them at the location they were stored before. Only a few people, those with appropriate access rights, can view the data. Even if the documents were to fall into the wrong hands they would be useless as the documents are encrypted. This again will take considerable effort for a dedicated Privacy Officer in setting up and maintaining these policies. The main advantage to this method is that no data is removed or deleted, should it become relevant again. Evidently, the disadvantage is the management of encryption keys and passwords over time.
Your most profitable option
Last but not least you have the possibility to move all PII infected documents to a secure location. The documents do not get sanitized or deleted, instead they get encrypted together in a single secure location. Whatever option you, as an organization, choose is entirely up to you, but we at SCIO believe this option to be the most profitable. To use it to its full potential, support with EMC’s InfoArchive is offered. For each relocated document, an XML-file is generated. This file contains all metadata about the document, including the original location and which PII is hidden inside.
This way of ensuring compliance with the GDPR, offers several benefits that the first three options can’t guarantee: maintaining the information but in a compliant way. This is of course useful for an organization’s changing strategy and old information that may become relevant once more. A custom search can easily be created to check all XML files so the documents of interest are quickly found.
Let’s not forget the GDPR requirement “the right to be forgotten”: this stipulates that a person can request your organization to locate and sanitize his or her PII. The processing of these requests is foreseen in SCIO’s fourth option, where this process can be managed and automated from request to report back to the user listing the information found and cleaned. This is an important benefit of this solution as it complies with GDPR whilst providing automation so you can concentrate on your business.
The GDPR promotes the use of data
Another important benefit of the remediation option explained in the previous paragraph is the undiscovered knowledge hidden in a large number of documents. Big data is an emerging science with lots of potential. Having all these documents in their original form in one single secure location allows for detection of patterns and insights which could greatly improve your operations, your business or even the world.
The GDPR acknowledges this potential and does not want to spoil the party. You are in compliance with the GDPR when you use PII infected documents for scientific, historic or statistical research purposes. These definitions are kept vague on purpose. As long as the PII is protected from prying eyes and the research purpose has no direct remunerative intentions, you are good to go. Having all data securely locked away at the same location is very advantageous for performing research, all while being fully compliant with the GDPR.
A cost-effective infrastructure
Setting up a GDPR compliant infrastructure is one thing, maintaining it cost-effectively is just as important. There’s no reason to worry, as all your data gets scanned at periodic, pre-defined time intervals. All documents that are inactive for a certain time period get classified as legacy documents and get treated accordingly. Even if archived documents get reactivated, they will once again be detected and relocated as soon as the intended purpose is complete. You shouldn’t worry about documents and where they’re legally allowed to be located because the relocation solution secures everything for you. All your resources can be spent focusing on your organization’s goals, which is after all the only thing that truly matters.
With the GDPR, Europe has made a strong statement in the protection of personal private data. The fines associated with violation will oblige organizations to take action before May 2018. Getting and staying compliant with the GDPR should be high on any organization’s legal, risk and IT priority list.
SCIO provides specialized services and solutions which allow to integrate painlessly into your organization’s data stores and manage PII infected documents in a GDPR compliant way. Additionally, the GDRP requirements around “the right to be forgotten” are integrated in automated processes so that you can focus on what you do best and embrace the strict digital privacy future!
So as time is running out, prepare yourself for what is coming and have a chat with one of our experts on what you can do to comply to the regulations. You can reach out to us through firstname.lastname@example.org or fill in the contact form on our website so we can contact you as soon as possible.