Behind on Preparing for GDPR? Three Things to Prioritize
The May 25, 2018 GDPR deadline is quickly approaching. From that date businesses must both comply with the new rules and be able to demonstrate compliance, or face fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher.
Businesses that have not yet finalized a GDPR strategy are now in a major time crunch; it was reported in December 2017 that 60 percent of organizations are not ready for the regulation. It is important now to define an approach that prioritizes the aspects with the biggest impact in the shortest amount of time. For many businesses, this requires stepping back and thinking through a holistic, process-based approach that is also sustainable in the long term.
One characteristic of GDPR that many businesses should keep in mind is that the rules must be approached from two angles: compliance, along with the processes that support it, and the ability to identify and process the personal data that GDPR regulates. (This article uses the familiar term Personally Identifiable Information, PII, but GDPR's own term, "personal data", is broader: it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie IDs.) A GDPR strategy needs to cover both.
Given the impending May deadline, businesses that are struggling to finalize their GDPR strategy should focus on the three aspects below.
Establish Roles, Responsibilities and Processes
A data privacy team needs to be established, and its members must be trained on their responsibilities in supporting the overall GDPR strategy. In the UK, research from M-Files found that more than half (56 percent) of local authorities have not appointed a Data Protection Officer (DPO), which GDPR requires of public authorities and of organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. Similarly, in the broader EU, the Association for Intelligent Information Management (AIIM) found that 44 percent of the companies surveyed have yet to fill this role.
Once roles are assigned, data privacy team members must first identify and document where personal data is stored within the organization (GDPR also requires controllers and processors, with limited exceptions for small organizations, to keep a written record of their processing activities). Then they must document the process to be followed when a data subject exercises a right, for example an access or erasure request: who receives the request, how the requester's identity is verified, who handles it, who approves the response, and how the one-month response deadline is tracked.
Avoid Spreadsheet Chaos
Once a company has identified where its customers' PII is stored, most still have no process for aggregating and extracting large quantities of it. And how does a company prove that this information is not also stored elsewhere, in a different repository? Many businesses resort to documenting this information in a series of Excel spreadsheets. It is hard to understand and keep track of the relationships between data recorded in multiple spreadsheets, and as versions proliferate, companies will struggle to efficiently prove, if audited, that they have followed the regulation correctly. A spreadsheet listing customers' PII is itself another copy of personal data that must be protected, kept current and eventually erased. While many companies view spreadsheets as a quick way to establish a compliance process before May 25, they are not a sustainable long-term practice.
Tools now exist that can identify data stored across multiple systems and locations and apply artificial intelligence (AI) to discern automatically where PII is stored. Once a data privacy team's processes are defined, such tools can quickly identify and control where information is being stored by taking a repository-neutral approach to information management, managing information across systems based on its context rather than its location. For example, a company using such technology can search a customer's name and quickly identify all documents and data, in any location, that relate to that customer, and more specifically the documents that contain certain types of PII, such as email addresses, phone numbers, postal addresses or account numbers. In practice this combines pattern matching and validation for structured identifiers with classification for free text, and the results need a human review step: a pattern hit is not proof that a document holds personal data, and a miss is not proof that it does not. Using AI in the PII management and control process removes a significant manual burden, both for initial GDPR compliance and for ongoing inquiries.
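The discovery step described above, as an added example that is not part of the original article and not M-Files' product code: a small Python scanner that walks a constructed set of documents standing in for several repositories (the paths, names and contents are invented), finds email addresses, international phone numbers and IBAN account numbers, validates IBAN candidates with the ISO 13616 mod-97 check so that a digit-pattern hit alone does not count as a finding, blanks each claimed span so a looser detector does not re-report the same characters, and answers the per-person lookup that an access or erasure request requires.

```python
"""PII discovery across repositories (added example, not the article's or
M-Files' code).  Sample documents, paths and identities below are constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed corpus standing in for documents spread over several repositories
# (a CRM export, a file share, a mailbox).  Paths and contents are invented.
DOCUMENTS = {
    "crm/contacts/ada-lovelace.txt": (
        "Customer: Ada Lovelace\n"
        "Email: ada.lovelace@example.org\n"
        "Phone: +44 20 7946 0958\n"
    ),
    "fileshare/finance/invoice-2017-118.txt": (
        "Invoice 2017-118 for Ada Lovelace. Pay to IBAN GB82 WEST 1234 5698 7654 32 "
        "within 30 days.\n"
    ),
    "mailbox/support/ticket-4411.txt": (
        "From: charles.babbage@example.com\n"
        "Subject: engine spares\n"
        "Ref account GB82 WEST 1234 5698 7654 33 looks wrong, please check.\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    value: str


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 check: move the country code and check digits to the end,
    map A-Z to 10-35, and the resulting integer must be 1 modulo 97."""
    compact = candidate.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34 or not compact.isalnum():
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


# Detectors run in this order; the most specific pattern claims its span first.
# A validator turns a pattern hit into a finding only when it passes.
DETECTORS = [
    ("account_number",
     re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{1,4}){3,8}\b"), iban_is_valid),
    ("email",
     re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    ("phone",
     re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"), None),
]


def scan_document(path: str, text: str) -> list[Finding]:
    findings = []
    working = text
    for kind, pattern, validate in DETECTORS:
        claimed = []
        for match in pattern.finditer(working):
            value = match.group(0)
            if validate is not None and not validate(value):
                continue  # looks like the pattern but fails the checksum
            findings.append(Finding(path, kind, value))
            claimed.append(match.span())
        # Blank claimed spans (same length, so offsets stay stable) so a later,
        # looser detector does not re-report the same characters.
        chars = list(working)
        for start, end in claimed:
            chars[start:end] = " " * (end - start)
        working = "".join(chars)
    return findings


def scan_repositories(documents: dict[str, str]) -> list[Finding]:
    """Full inventory: every PII hit in every document, regardless of subject."""
    return [f for path, text in documents.items() for f in scan_document(path, text)]


def locate_subject(documents: dict[str, str], name: str) -> dict[str, list[str]]:
    """What is held on one person: the documents that mention the name
    (case-insensitive) and the kinds of PII found in each.  This is the
    lookup an access or erasure request needs."""
    needle = name.lower()
    return {
        path: sorted({f.kind for f in scan_document(path, text)})
        for path, text in documents.items()
        if needle in text.lower()
    }


def inventory_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Counts per PII type, the figure a record-of-processing summary wants."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_repositories(DOCUMENTS):
        print(f"{f.path}: {f.kind} = {f.value}")
    print(locate_subject(DOCUMENTS, "Ada Lovelace"))
```

The ticket in the constructed mailbox carries a string that looks like an IBAN but fails the checksum, so it is not reported; that is the kind of false positive a plain regex sweep would put in front of the privacy team. Name matching by substring is deliberately crude: a real deployment needs name variants, identifiers other than the name, and human review of both hits and misses before a response goes out.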
Build a System to Prove Compliance
If an organization is audited, it needs to prove compliance easily and efficiently or risk a significant financial penalty. GDPR's accountability principle (Article 5(2)) places the burden on the controller to demonstrate compliance, so when building a GDPR strategy, make sure the chosen solution provides the necessary reporting capabilities: who searched for or accessed a data subject's records, when, and what was done in response to each request. When researching tools to ease the manual discovery of PII, find one that also provides automated audit support.
The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of everyone in the EU, and to reshape the way organizations approach data protection. The May 25 deadline is daunting, but organizations must implement a GDPR strategy that is sustainable, so that compliance can be achieved on time and maintained in the years to come.
About the author: Mika Javanainen is the vice president of product management at M-Files. Mika is in charge of managing and developing the M-Files product portfolio, roadmaps, and pricing globally. As Director of the M-Files Product Management Unit, he leads and supervises M-Files Product Managers and works closely with the Product Development and Marketing teams to design and develop new products and features. Mika holds an executive MBA Diploma in International Business and Marketing.