The Misunderstanding that Could Spell GDPR Disaster
The GDPR deadline of May 25, 2018 is nearly two weeks away, and while I am sure that date is burned into the memory of many by now, it is not without good reason: the GDPR will permanently change the way we all do business with members of the EU. Initially, there was a misconception that the weight of compliance would fall on IT teams, but as understanding of and conversation around the GDPR grew, other teams were brought into the fold, and it is now being said that Digital Marketing will feel the greatest hit.
However, this may have bred a game best described as "GDPR hot potato", with disparate teams within an organization resisting responsibility by underestimating how far their current practices fall short of this changing landscape. A glaring issue, as George Parapadakis, Director, Business Solutions Strategy, EMEA at Alfresco sees it, lies simply in a misunderstanding of terms: “It’s a very common mistake in the Information Management industry, to use related terms interchangeably. But there are subtle differences between these terms that are very significant. Many companies assume that by implementing Records Management (RM) in their organization, they have effectively solved their Information Governance (IG) or corporate governance problem.”
He expanded on this in a recent article entitled 8 reasons why Records Management is not the same as Information Governance, and upon reading it, I had some questions for him on this issue, as well as on where he felt most organizations sat in their level of security and compliance.
What is the Difference?
To start, I wanted to know the worst-case scenario, so I asked George what he thought the most detrimental issues were that could arise for an organization that overlooks the importance of having both an effective records management process and an internal governance process.
“People mostly think of Information Governance in terms of archiving, searching and storage costs. The reality however is that the risk of losing competitive business information, like intellectual property documents, or making critical decisions based on wrong or outdated information can have a detrimental impact on the business. Lately however, public breaches of personal information and new regulations like GDPR have put privacy front and center on the risk register, not only because of potential fines, but because of the huge damage they can cause to a company’s reputation. Good Information Governance practices and correct disposition of redundant information are fundamental in reducing those risks.”
He is right to bring up the speed with which data breaches can bring down even the most established and secure companies, making reference to a quote from Clarence Mitchell, spokesman of Cambridge Analytica, the company that has quickly become the household name synonymous with unethical use of personal information: “Despite Cambridge Analytica’s unwavering confidence […] the siege of media coverage has driven away virtually all of the company’s customers and suppliers. As a result it is no longer viable to continue to operate the business.”
In his article, George also notes some key similarities and differences to help organizations better understand the two terms:
- Both Information Governance (IG) and Records Management (RM) are business disciplines. The purpose of IG is to define all aspects of how information is being managed. The purpose of RM is to manage some of the aspects of that information. Neither discipline can be “sorted” purely by throwing software tools at the problem, but software helps a lot in maintaining consistency and reducing effort.
- IG is the decision making hub. Underneath that hub are a number of spoke mechanisms that manage different aspects: RM is just one of them; classification, legal holds, privacy & security, archiving, eDiscovery, application decommissioning, storage tiering, location management, etc., are various others.
- IG has full responsibility for a company’s information. According to the Corporate Governance and Oversight Council, the information kept under RM’s control represents less than 20% of the total information managed by an organization. IG has responsibility for 100% of the company’s information, including the 20% managed by RM.
- RM is typically focused on lifecycle management and the protection of unstructured information, mostly documents. IG creates common policies that can apply to both structured and unstructured information.
- RM typically works with a defined and agreed-upon taxonomy and schedule. IG is perpetually juggling with overlapping policies, laws, cases, security, legal holds, costs and business demands.
- IG scope includes all information sources: The RM repositories, other ECM repositories that are not RM platforms, all the SharePoint instances, live email server(s), email archive(s), shared network drives, personal network drives, PST files, the data archive system, notebook C: drives, cloud drives, detachable storage drives, those servers that came with the last acquisition and nobody quite knows what is on them, Jim’s old desktop, etc.
- RM systems tend to accumulate all the information they manage in a centralized, controlled environment. IG tools do not have that luxury – they need to allow for information (including physical archives) to be managed in their native environment.
- RM stakeholders are mostly records managers and/or compliance managers. IG answers to Compliance, Audit, Security, Legal, IT, Finance and Business Operations – a very different audience with often conflicting interests.
Best Practices for Records Management and Information Governance
In light of this, and knowing that 'the best defense is a good offense', I was curious to know what advice George had on best practices for organizations that want to prioritize their own security and compliance: “Security ‘by design’, privacy ‘by design’, compliance ‘by design’: People are both busy and lazy. If your organization has specific policies for compliance which require users to perform additional tasks on top of their core daily job, chances are that these will either be ignored or they will be done haphazardly. The key is to automate as much of the process as possible, taking the onus away from the end-users, and to introduce intelligent compliance controls inside the relevant operational processes. Think of a business process, such as onboarding a new customer or authorizing a new mortgage. While that process is executed, you know exactly what information needs to be controlled, secured, archived, preserved or deleted, based on the context of the particular process. You know exactly who that information belongs to, what it relates to and who should be responsible for it. So, the key is to introduce compliance and security controls inside that process design, and not make it an afterthought. If you wait until that process is complete, the context has been lost and automating information management becomes significantly more complex and expensive.”
It is interesting to me that he brings up the need to automate this process as much as possible, considering how much automation is already occurring in other areas of the business process, with information management somehow being left behind. From that broader vantage point, George weighed in on where he thinks the majority of organizations sit on this initiative: are they effective, or do many lag behind?
“A lot definitely lag behind. Organizations have only recently started consciously looking at ways to improve the holistic governance of information. For many years, companies focused almost exclusively on the management of transactional information that sits on core systems and databases. At the same time, unstructured information has been accumulating in shared drives, content management repositories, cloud drives, obsolete systems and email servers, with virtually no security or governance controls. With the introduction of privacy regulations like GDPR and HIPAA, companies have been forced to realize that this is not a sustainable model and are now looking for tools and techniques to analyze and protect the huge volumes of unmanaged information that have been languishing in their IT environment. Most of them have a long way to go still.”
Is There a Bright Light at the End of the GDPR Tunnel?
Finally, as the GDPR comes into effect, with more similar regulations to follow, I asked George what he sees as the most positive outcomes that will emerge from these in the business landscape in the future:
“It’s quite ironic that companies that have been talking for years about ‘customer centricity’ and ‘design thinking’ (putting the customer at the center of solutions design) have paid so little attention to the protection of customers’ and employees’ data privacy. Data Privacy regulations have been in force for quite some time now, but this is the first time that companies are threatened with significant enough consequences to take it seriously. The next couple of years will see dramatic changes in the way personal data is collected and used. Digital Marketing will probably be the function that is hit the hardest, since it relies almost exclusively on monitoring individual consumer behavior for segmentation and targeting. With GDPR, that approach is no longer legal, so marketing will need to have a radical re-think of the way they personalize advertising and messaging.
Beyond marketing, most organizations will need to introduce new policies and systems for giving individuals control over their own data, since self-service management of that data will be by far the most cost-effective way of preserving accuracy and consent. Finally, we are already seeing new projects emerging that make use of decentralized methods (like blockchain) to allow individuals to control who accesses their personal information, for what purposes, and for how long. I believe we will get to a point where companies will no longer hold any personal data; they will need to subscribe to services that allow them to request access to that data on-demand, allowing individuals to have full (and exclusive) control.”
It feels like the GDPR is something we have been talking about for ages, yet the fact that the deadline we've all anticipated is just a few short weeks away still seems to have crept up fast. I think many still adhere to the myth that there will be a grace period after May 25, 2018 for organizations to get up to speed with GDPR compliance, but unfortunately the GDPR has been in effect since 2016, with the date above marking the end of any leniency, not the beginning.
The best way for organizations to tackle this, as George and others have emphasized, seems to be to break it into digestible portions when crafting their procedures, with a ‘by-design’ approach infusing compliance at every stage. Interestingly, a line of thinking on the rise is that companies shouldn't be taken aback by what the GDPR is asking of them, since, as George points out above, it falls perfectly in line with the 'customer centric, design thinking' approach many businesses say they already have. It could be another situation where ideas are proclaimed more than they are practiced, but the spotlight placed on security, compliance and the ethics surrounding personal data as of late will force many to ensure they walk the walk.