Companies are also responsible for ensuring any “sub-processors” they hire to help manage or process PII are also in compliance with the GDPR. That may apply to not only third-party data processing companies, but any supply chain partners with which a company needs to share customer PII.
As mentioned above, the regulation also requires companies to report any security breaches that are likely to involve compromise of PII within 72 hours of learning of the breach. However, the GDPR does not require notification of a breach for data that is encrypted or “otherwise protected.”
Companies will face stiff penalties for not adhering to the GDPR, with fines of up to 20 million euros (about $21 million) or 4% of annual revenue, whichever is larger, for the most egregious offenses.
And while its intent and requirements are clear, the law makes no mention of which technologies or specific processes companies must employ to meet those requirements, providing only general guidelines. That means individual companies are left to devise their own plans for ensuring compliance with the GDPR.
ECM, Metadata, and GDPR Compliance
At its core, the GDPR is all about protecting content—more specifically, personal information about individuals. With this in mind, it stands to reason that an ECM system, particularly a metadata-based ECM solution, can play a pivotal role in helping companies comply with the GDPR.
Metadata, often described as “data about data,” generally takes the form of attributes that describe the data file or object. A Word document, for example, will include metadata that denotes its file type, size, author, date created, and date modified, all of which are important data points that help individuals quickly find and access specific documents and information objects.
A metadata-driven ECM solution enables companies to add more descriptive tags that are useful from a content management perspective and for ensuring compliance with laws such as GDPR.
Consider the most basic task associated with GDPR: identifying files or objects that contain PII. Some of this can be done using text analytics tools and by applying metadata for the records. Moreover, the ability to manually tag PII data is important because some PII data is stored in file formats such as images that cannot be analyzed and indexed as well as text documents.
Additionally, certain categories of files can be treated as PII by default. Contracts and invoices, for example, by their nature contain sensitive customer information that should be protected. So, within the ECM system, any file labeled “contract” or “invoice” would be treated as PII. More importantly, it is crucial to determine the person whose data is in the file since citizens can now request companies to provide an index of the PII data that the company stores about them.
Once it’s determined that a given file or object contains PII, the next challenge is ensuring it is treated as such. Here again, a metadata-driven ECM system can play a key role by automating what happens to this class of information.
This can take several forms. For starters, a company may determine that all PII should be properly encrypted both in transit and at rest and that it should be purged as soon as possible after the mandatory retention period for the data passes. These policies help companies mitigate the risks of data breaches and therefore better protect customers’ data sovereignty. While all data in an ECM system should be encrypted, applying data destruction policies is a more complex task because there are numerous types of records with different retention policies. Modern ECM solutions can ease this task by providing a dynamic way to manage records with metadata-driven file plans.
A metadata-based ECM solution will also support automated access control and permissions management capabilities to ensure compliance with the GDPR requirement that only those who need to act on data should have access to it. Organizations can set access permissions that apply to entire classes of documents—such as “invoices” for files that have been assigned a “customer data” metadata attribute—and enforce access controls that provide different levels of access to various users or groups of users. The finance manager, for example, may be able to view any invoice while financial analysts assigned to certain regions are allowed to view only invoices from companies within those regions.
A key benefit to this kind of setup is that it’s relatively easy to manage because it’s based on employee roles, not individuals. If the finance manager leaves or moves to a different position, a simple title change in the corporate user directory is all that’s required to change access rights within the ECM system.
Similarly, a metadata-driven ECM system can help companies ensure they are storing PII appropriately. For example, the GDPR says companies shouldn’t keep PII for longer than is necessary.
Get Your GDPR House in Order
Whether viewed as a welcome remedy for the tangled web of country-by-country laws on personal data or just another onerous regulation that must be followed, the GDPR is the law of the land in the EU— and far beyond. Given the stringent penalties for non-compliance, organizations must take stock of their current data protection strategies and practices, and ensure they are taking appropriate steps to protect PII.
For more articles on data security, download the CyberSecurity Sourcebook 2017