May 25, 2018 will go down in the history of the European Union as the day the General Data Protection Regulation (GDPR) comes into enforcement. This regulation, which harmonizes data privacy tenets across Europe, will protect and empower the data privacy needs of all EU citizens. GDPR places demands on organizations across the globe to protect the data privacy needs of their EU customers. A hefty penalty of 4% of revenue or €20M awaits organizations that dare to defer compliance with GDPR. As per article 28, not having records in order, withholding notification of a data breach, or not conducting an impact assessment will attract a fine of 2%. Consent conditions have been fortified in favor of clear and simple consent giving and withdrawal.
Given these implications, the following are the top 3 GDPR changes that an Enterprise Content Management (ECM) system can effectively address to ensure easy compliance.
- Data Subject Rights of Processing, Portability, and Erasure
GDPR empowers EU citizens with the right to find out why, what, where, and how their personal data is processed and used, and to get a copy of it free of cost. Similarly, article 17, which grants the right to be forgotten, enables data subjects to withdraw consent, or to limit the storage, processing, and dissemination of their personal data, once the designated purpose of data use has been fulfilled. Portability of personal data from one controller to another is possible as well. To enable all of this, enterprises must conduct data discovery of personally identifiable information. Data capture, collection, data flows, processing, and storage practices must be reviewed. Enterprises will also be required to review how they seek, record, and manage consent. Business processes must be updated to accommodate these new and enhanced rights of individuals over their personal data. ECM systems enable the capture and categorization of such critical and personal information. In other words, an ECM system brings method to the otherwise chaotic information lifecycle processes, from data discovery through to management.
- Data Privacy by Design
Data privacy by design, which becomes a legal requirement with the GDPR, calls for data protection to be built in during system design rather than added as an afterthought once the system has been implemented. Specifically, as per Article 23, data holding and processing should be limited to what is absolutely required to complete the purpose of data collection (data minimization), and access should be limited to only those who absolutely need the data for processing. Records management, an essential component of ECM, easily tackles data minimization by streamlining and automating data retention and disposition. Enterprises need to act on updating their privacy notices and other internal and external policies to align them with GDPR requirements. Likewise, data privacy requirements must be addressed in vendor and third-party service provider agreements and contracts as well.
- Data Breach Protection – the ECM Way
An ECM offers multi-layer protection, along with encryption, for your sensitive and confidential data. Rightly configured workflow rules in an ECM system help alert stakeholders about internal data security breaches, thereby meeting the GDPR requirement of breach notification within 72 hours. With a robust taxonomy and a standardized ECM repository, unsecured content can be protected and secured through auto-classification. Further, access can be restricted for content where required (R&D, HR), while open access works for public and shareable information (product information). ECM also ensures that only personnel with the right security authorizations can access critical data. An ECM system's safety net extends beyond the organization's perimeter, enabling safe remote access regardless of location or device. Beyond being aware of all this, now is the right time for enterprises to revisit their breach response processes, including breach notification.
To conclude, the success of an enterprise's GDPR readiness program depends not just on technology deployment, but on fortifying its data management, privacy, and security processes. Last but not least, communicating with and coaching the people who deal with data will help the enterprise approach the GDPR deadline with greater confidence.