Many organisations rely on their information and document management applications to help comply with the European Union’s General Data Protection Regulation (GDPR). Since client data typically resides in these applications, this is a logical approach and a good step toward meeting compliance goals, writes Shawn Misquitta, VP of Product Management at work product management company iManage.
Just because you’ve implemented these systems, however, doesn’t necessarily mean you can call it a day. Ensuring GDPR compliance for these information management applications is more complex than it might first appear. For example: if an organisation’s document management system stores documents within the boundaries of the European Union (EU), but performs a service like full text indexing outside of the EU – and the organisation hasn’t informed their clients that this is taking place – then that organisation is breaching GDPR.
Clearly, then, organisations need to be asking their information and document management application providers a number of questions to ensure their solutions – whether they’re on-premises or in the cloud – are robustly facilitating GDPR compliance. Consider the following a practical checklist of key questions that organisations should ask of their solutions providers:
Question 1: Where Does Data Reside Throughout Its Lifecycle?
As alluded to above, it’s no longer enough to ask your vendor where your information is stored at rest and where it’s backed up. You need to know where the data resides at all stages, including when auxiliary services – ranging from indexing, to search, to optical character recognition (OCR) – are performed.
Systems with geo-isolation capabilities ensure that data storage – and all services performed on that data – occurs within the proper geographical location and stays properly domiciled.
This capability is very difficult to retrofit into an information management solution. Products that have incorporated an understanding of these compliance challenges into their solution from the ground up will not only comply but perform better.
Question 2: Is There Full Transparency Around Data Transfer and Processing?
This question is closely related to the previous one. Can your information management vendor confirm it offers full transparency of data transfer to other parties/destinations (particularly outside of the EU)? Does any of its functionality require processing by a third party or sub-processor – and if so, can it also confirm that all agreed terms of your Data Processing Agreement will be included in any sub-processor agreements?
Question 3: How is Information Protected Against Breaches?
GDPR requires organisations to notify the relevant supervisory authority within 72 hours of a breach occurring. Given these strict notification requirements, an ounce of prevention is worth a pound of cure. And one of the best ways a system can protect against these types of confidentiality breaches is through a Zero Trust architecture. In most traditional enterprise IT environments and many legacy cloud vendors, people and resources are automatically assumed to be trustworthy.
Zero Trust architecture, by contrast, is founded on the basis that all networks, people, and hosts are hostile. This fundamentally different approach – which, like geo-isolation, is difficult to introduce into a system after the fact – greatly reduces the opportunity for data breaches perpetrated by hackers, insider threats, and other bad actors.
Question 4: Does the System Facilitate Proper Information Disposal?
For proper GDPR compliance, you need to do more than just manage and protect information: you need to properly dispose of it at the end of its lifecycle. That’s because one of the core data protection principles within GDPR concerns data storage: specifically, that data collected should be kept no longer than is necessary for the purposes for which it is processed.
From a practical perspective, this means that a document or information management system should have the ability to set retention periods at a document, matter, or folder level, as well as the ability to align electronic and paper records.
The ability to set and enforce retention policies on this information ensures that it is properly disposed of – either by being destroyed, returned to the client, or otherwise handled – when no longer needed, aiding with a critical aspect of GDPR compliance.
Question 5: Does the Vendor Have a Data Protection Officer?
GDPR mandates the hiring of a Data Protection Officer (DPO) for companies that process large amounts of special categories of data. There is some leeway for what constitutes those criteria, so before you entrust your data to an information management application, ask if that supplier has appointed a DPO or equivalent. Best practice is for businesses that are on the cusp of meeting those criteria or are unsure if they do to appoint a DPO. This person oversees the company’s data protection strategy and its implementation to ensure compliance with GDPR requirements.
To date, enterprises’ focus for GDPR compliance has primarily been on appropriately storing data in accordance with the regulation and data protection laws. GDPR compliance is more complex, however, than simply parking data within an enterprise information management system.
The complexity of GDPR compliance will only continue to increase in the future – witness the recent actions of the United Kingdom’s Information Commissioner’s Office (ICO), which is currently updating its data sharing code of practice to keep pace with events like Brexit and the evolving nature of this regulation.
Fortunately, by asking key questions of their information management solutions providers, companies can face the task of GDPR compliance with confidence. While the questions above are hardly an exhaustive list, they provide a solid starting point for helping to ensure GDPR compliance and avoiding potential problems down the road.