As multinational companies begin to implement General Data Protection Regulation (GDPR) standards before the May 25, 2018, deadline, it’s worth examining the historical context which led to GDPR and the contrast between the European Union (EU) and the U.S.
The origins of GDPR can be traced back to 1974 when the European Parliament enacted the Health and Safety at Work act (HSW). At its core, HWS put the responsibility on employers to ensure the health, safety and welfare of all their employees at work. Similarly, GDPR applies accountability to anyone who collects, stores, or processes personal data, with the objective of ensuring it's done responsibly and legally.
Over the past 40 years, European entities have continuously improved data privacy rights, creating a culture of governance and security within every organization. That cultural alignment gradual, progressive implementation help explain why the EU is prepared for GDPR and why U.S. companies have been sprinting to catch up with these regulations.
And the race won’t end there. Concerned about the growing number of serious data breaches at U.S. companies, a total of 48 state governments have enacted security breach notification laws, with regulations covering additional provisions similar to those in GDPR almost certain to follow. And it’s not just Europe and the U.S., either; as reported in Bloomberg BNA, fifteen jurisdictions in the Western Hemisphere have now enacted similar laws.
The announcement of the data breach at Equifax on September 7, 2017, was probably the straw that broke the camel’s back. It jeoparded the most private and permanent information of half of the U.S. population, and its effects will be felt for decades to come, if not entire lifetimes.
Meeting the standards for compliance with the impending data privacy regulations is likely to be a challenge, particularly for organizations which don’t have proper information governance practices in place. But organizations stand a better chance of success if they address the larger issue: information governance.
I would contend that the answer to these compliance challenges isn’t simply more security, but also putting in place better information governance controls and practices. Properly managing and tracking data, keeping only what you need, and isolating and protecting your most important information is the foundation for compliance with both GDPR and with the future regulations U.S. legislatures enact to address data security and privacy. (See Jim Polka’s “How to Make It Easier to Comply with GDPR.”) Forward-thinking organizations have been assessing their information governance capabilities and are best positioned to lead their peers as these regulations come into effect.
Taking steps to improve your information governance involves three areas of focus. Honestly assessing each of these areas will provide a good indication of the level of effort required to enhance the information governance practices at your organization:
- Discover and Identify: Do you have a data map? Do you know your complete technology landscape? Do you know how information flows throughout your organization?
- Evaluate and Plan: Do you have internal resources available to address compliance? Are new tools needed? Who owns data privacy in your organization?
- Implement and Operationalize: How resistant is your organization to change? Are your policies in line with your processes? What does your third-party exposure look like?
Depending on the answers to the above questions, there can be a lot of work an organization will need to do within each of these three buckets. Addressing any of these aspects, or the entire information governance ecosystem, often requires breaking the challenge up into manageable chunks.
Doculabs specializes in doing precisely that, helping organizations of all sizes, in all industries, to understand the nature of their structured and unstructured content, reducing the volume of what needs to be retained and helping to define security requirements for that content, going forward. Think of it as applying GDPR governance efforts to content across the organization, not just a subset of it.
To learn more about our information Security and Information Governance practices, click here. And check out our white paper Information Management: The Weakest Link in the Kill Chain, which provides details on how effective information management is a critical part of any strategy to improve information security.