Over the course of this IG blog series, we have examined how the IG professional can align their IG program to directly support the mission and vision of their organization. Several case studies helped illustrate how this alignment allows the IG / RIM professional to contribute to the bottom line in meaningful ways. In this post, I am taking a deeper dive into a very specific challenge that most multinational organizations face today: compliance with the soon-to-be-effective GDPR imperative. During our annual roundtable events, we surveyed clients regarding their level of engagement with their organizations’ GDPR initiatives, and learned that a surprising 45% said they had minimal to no involvement at all.
Why is this surprising, if not alarming? If the primary focus of the GDPR is to protect the personal and private data of EU citizens, who is better equipped to assist in this effort than IG professionals? If those who are leading GDPR compliance efforts are undervaluing or unaware of the value that the IG professional can immediately add to these initiatives, I suggest that, instead of waiting to be asked to the table, you barge in the door and let your legal, privacy and IT security colleagues know exactly how you can help! Let me offer a few suggestions.
First, although the GDPR (and other privacy laws) underscore the need to retain data “no longer than” its business purpose, we all know that some information is required to be retained longer than its operational need in order to satisfy statutory requirements. For example, consider accounts payable files. In the United States, the operational need for accounts payable files is typically satisfied in 2 to 3 years, if not less. However, if these records were to be disposed of after this time, we would be ignoring a very important IRS regulation that requires these types of records to be retained for “6 years following the date of filing” of the relevant return for most organizations.
An organization’s records retention schedule is the vehicle that defines these time periods. It needs to be reviewed in light of these privacy requirements and globalized to ensure all laws for the jurisdictions in which the organization conducts business are covered. These actions are absolutely fundamental to GDPR compliance and clearly areas where the IG professional can lend expertise. Defining a comprehensive methodology for globalizing the records retention schedule, which includes aspects like retention, disposition, handling, custody, media and privacy requirements for those jurisdictions, is clearly within the core competencies of the IG professional.
Next, it is critical to not only define the relevant retention and disposition requirements but also apply them to records, information and data, regardless of media, repository or storage location. Although the GDPR goes into effect on May 25 (less than 90 days away!), it is probably safe to say that 100% compliance will be unlikely for any organization. As I mentioned in a recent interview with Law360, it is important to have a detailed implementation strategy and action plan that addresses riskier areas first. Key questions to ask include the following: which structured data systems contain the greatest amount of personal information that, if breached, would expose private information that is specifically addressed by the GDPR? What about unstructured content residing on network share drives? Could file analysis software tools that are intended to classify duplicate and outdated data be used to augment IT security efforts and identify risky data?
Although some organizations may focus their GDPR activities on the IT function, many studies indicate that privacy breaches are often caused by employee carelessness or ignorance. Many IG professionals already provide training on policies and procedures related to managing records and information, so expanding this training to include protection is another area where the IG professional can offer assistance.
Finally, many IG professionals regularly conduct compliance reviews to identify areas in need of improvements. Expanding these reviews to incorporate broader privacy and protection aspects can help identify hidden areas that pose risk to the organization. To learn more about how to best prepare your organization for the soon-to-be-effective GDPR imperative, contact me for a briefing.