For the last couple of months, not a day passes by that I do not see yet another article, blog post or email on GDPR (the new EU General Data Protection Regulation).
It seems that every vendor in the Information Management industry, regardless of technical discipline, has an opinion on the subject. However, most articles offer little more than another recital of the key GDPR requirements, plus the facts that the compliance deadline is imminent (25 May 2018), that the regulation's scope extends beyond the EU's borders to any organisation processing EU residents' personal data, and that the potential penalties are severe (up to €20m or 4% of global annual turnover, whichever is higher).
Very few of these posts offer any practical guidance that helps an organisation address GDPR holistically.
GDPR, at its core, is the archetypal Information Governance problem: understand what personal information an organisation has, understand why it is being held, who is responsible for it, secure it, and manage its use appropriately, in order to protect the individual it relates to. Any realistic GDPR implementation needs to service three key requirements:
Manage GDPR information: Identify which information is subject to GDPR; profile it with metadata describing its origin, purpose and location and the legal justification and consents associated with it; apply appropriate security and protection against internal and external risks; and manage its complete lifecycle from acquisition, through processing, to disposition, including a complete audit trail of every access to it.
Manage GDPR processes: From capturing explicit consent when personal information is requested, to servicing subject access requests, to data portability and erasing personal data on request, GDPR-controlled processes need to be performed in a disciplined and controlled way to ensure compliance, and they need to provide complete transparency, auditability and reporting to regulators. The more of these processes are automated, the lower the ongoing GDPR overhead for the organisation.
Align to business discipline: GDPR-sensitive information will be accessed and processed by different business departments in the context of various business operations: HR, Marketing, Operations, Finance and others all need to handle personal information. It is therefore imperative that such information is reached only through a set of controlled services which ensure that it is protected and used solely for the purpose for which it was collected. In practice, that means a set of open, GDPR-aware services that cut across roles, organisational structures and systems, so that regulatory compliance is enforced consistently rather than re-implemented by each department.
In other words, GDPR compliance requires a services-based Digital Business Platform that secures information, controls and automates compliance processes, and integrates seamlessly into every part of the business that needs access to GDPR-sensitive information. It needs to be built on a modern architecture and be deployable, and able to grow, either on-premises or in the cloud, supporting both existing infrastructures and future deployment roadmaps. And it needs to be delivered in virtually zero time, because the GDPR compliance deadline of 25 May 2018 is closer than most IT delivery projects can accommodate.
If you would like to hear how Alfresco’s GDPR Governance Services can accelerate your GDPR implementation plan, please get in touch with me at: George.Parapadakis@Alfresco.com