Ever since the General Data Protection Regulation (GDPR) came into effect in May 2018, GDPR budgets have topped $10 million for 40% of businesses, as revealed by a recent PricewaterhouseCoopers report. Companies not just in Europe but around the world are doing their due diligence to avoid significant fines; however, even the biggest players, such as Google and Facebook, have been shown signs of non-compliance.
After one year under GDPR, business leaders have a renewed opportunity to evaluate their privacy and consent strategy when managing personally identifiable information (PII) to ensure compliance. Whereas last year was all about the race to achieve GDPR compliance before the deadline, the theme for this year is maintaining compliance. Here are three steps for doing so:
1. Know where your customer’s PII data resides
When a customer invokes GDPR’s right to be forgotten, organizations need to have proper procedures in place to remove all saved documentation of that customer within the allotted 30-day timeframe. Unfortunately, many organizations are ill equipped to perform such tasks without copious manual labor and time spent.
According to the Global Intelligent Information Management Benchmark Report, 96 percent of all employees face some difficulty when looking for the most recent version of a document or file. Much of the difficulty stems from workers storing and filing documents improperly, compounded by data spread throughout multiple repositories across the organization. Furthermore, workers can even get lost in the most organized folder hierarchies if they are missing the context they need to find a particular file. Data migration causes complications as well, as PII data (and/or knowledge of its location) can easily get lost in transit. All this, in turn, creates data silos and multiple versions of documents, resulting in information overload and chaos.
Visibility is key here, and one way to establish clear lines of sight across all enterprise information, especially PII data, is to implement an Information Management solution with external connectors to all repositories and systems, including document management systems, CRM solutions and more. These connectors allow users to access the same, up-to-date information from a variety of vantage points, eliminating the need for data migration or creating multiple copies of the same document. Organizations will thus have a single source of truth for their PII data, instead of having to dig through old repositories to ensure that older, incorrect, or duplicate versions of a document have been deleted.
2. Build automation around defining PII data
The amount of data a typical employee works with doubles every 18 months, and the amount of PII data grows with it. While it’s still possible for workers to flag and categorize PII data manually, it’s becoming increasingly unproductive or nearly impossible to do so. In order to stay ahead of information overload, businesses need to start employing process automation to handle simple, routine tasks, such as distinguishing between PII and non-PII data.
Another method of establishing visibility and increasing productivity is to establish context to PII data that goes beyond the location in which it’s stored. PII data comes in a variety of shapes and forms; for example, a document in a network folder may contain the same PII as a customer profile in a CRM system, albeit in different formats. Additionally, one piece of PII can be used in multiple workflows, depending on which departments are involved. And so, having a uniform method of defining and categorizing PII data is paramount to ensuring that workers can access it when they need it.
Intelligent services that use text analytics (such as natural language processing and understanding) and metadata are more than capable of connecting the dots between how PII is being used across multiple departments and within various workflows. When it comes to maintaining GDPR compliance, this AI-powered classification of data automatically flags documents that potentially contain PII data, saving workers valuable time and effort.
3. Automate workflows involving PII data
When customers invoke GDPR’s right to erasure (right to be forgotten), companies are under a 30-day time crunch to comply. This essentially is a true test of how compliant a company is with GDPR, as a company’s processes can range from routine automated workflows to a time-critical fire drill.
In order to fully streamline GDPR compliance procedures, organizations need to know not only where their PII data is and what it consists of, but also have automated workflows to manage that data. For example, these automated workflows go beyond automatically flagging documents that contain PII data, by adding processes that redact and destroy documents with PII data as necessary. Different departments within the organization can have the same visibility into these workflows and will receive notifications when certain actions are needed.
With all these pieces in place, GDPR compliance truly shifts from a painstaking, organization-wide project to a simple, automated workflow.
Conclusion
After a year of GDPR, companies have had time to create structured solutions and built-in automation. However, as more emphasis is placed on personal data with further regulations, companies will need to adapt and evolve their compliance solutions accordingly. The name of the game is work smarter in order to establish compliance, maintain good standing with customers, and avoid hefty fines.
Frank Taliano leads the Product Marketing Business Solutions team at M-Files. The team builds and manages solutions, products and materials that promote and drive the use of M-Files for specific use cases and industries. M-Files provides a next-generation intelligent information management platform that improves business performance by helping people find and use information more effectively.
