When it comes to cybersecurity and privacy legislation, many organizations around the world are playing catch-up. A recent survey in advance of the May 2018 deadline for the European Union’s General Data Protection Regulation (GDPR), from the law firm McDermott Will & Emery and the Ponemon Institute, revealed that only 52 percent of respondents said they would meet the deadline. What’s worse, some 40 percent said their companies wouldn’t make the compliance deadline, and the last eight percent were not sure when their organization would ever be compliant.
In the ensuing months, those numbers may have improved, but the larger picture is this: organizations around the world are struggling to rework their internal systems in order to stay out in front of evolving cybersecurity and digital privacy legislation.
And if you think this is just a problem for companies doing business in the EU, you’re wrong. All 50 U.S. states have now passed data breach notification laws, with Alabama being the last to go into effect on June 1, 2018. In fact, at least 35 U.S. states, as well as the District of Columbia and Puerto Rico, have introduced or considered more than 265 bills or resolutions related to cybersecurity this year alone. What that means is that companies must treat each international, national, state or regional requirement as a separate case, then identify and implement the steps needed to ensure legal compliance, whether in the event of a cybersecurity incident or data breach or simply to meet published standards.
Fortunately, achieving compliance – while not the easiest task – isn’t the Gordian Knot that some enterprises may think it is. Developing an understanding of basic data security and information governance strategies will provide most organizations with a solid foundation for a workable security policy that can drive compliance. In many cases, a straightforward approach is the most effective, and the following seven principles can serve as a useful roadmap to implementing your own information governance strategy and enterprise-wide security policy that is both effective and legally compliant.
1. Create a data map
The first step is to create a data map designed to pinpoint the systems that store content with personally identifiable information (PII). PII is a regular target for hackers and falls under the majority of data breach notification and privacy laws that are now in force at the state level. Potentially vulnerable PII exists nearly everywhere in the modern enterprise, including within human resources, accounting, and customer relationship management systems, as well as marketing and line of business applications, ECM repositories and SharePoint sites. A clear data map will give IT and executive management a much better view of their own “data universe,” enabling faster response to data requests from various constituents, and will provide a roadmap and guideline for triage when it comes to establishing priorities for implementation of information governance schemes.
2. Manage records in place
Managing records in place is another effective approach to streamlining information governance, enabling an overlay of data management and security policies atop existing data without physically moving content from one server to another in order to manage it. Often, companies have many years’ worth of processes built out on legacy systems, and it is very difficult to arbitrarily migrate newly-regulated content into a centralized records management system, because it will be highly disruptive to business operations. By managing information in place, users will still be allowed to find their information and to leverage existing workflows and business processes without any interference.
3. Delete data in a defensible way
Many cybersecurity and consumer data privacy regulations include a data disposal provision which requires proof of compliance. Therefore, it is imperative that your approach to deleting files, including those with PII, is legally defensible. This is where automated records management comes in: by using configurable disposition schedules, IT organizations can automate and log the deletion of regulated content. This ensures timely disposal of stale data and provides proof of compliance when needed.
4. Build in process automation
As part of the new era of data regulation, companies will also need to respond to consumers’ requests for information on how their personal data is being used. Given the potential for receiving these requests in very high volume, building in process automation is another step to streamlining data governance. Automated digital processes are much more efficient than email or spreadsheets, particularly when it comes to managing compliance and reporting, and enterprise content management platforms can be utilized to oversee these consumer responses by integrating process, content and governance services. Process automation enables enterprises to reduce the administrative burden of compliance while enhancing traceability and reducing legal exposure.
5. Use advanced security controls
Increasingly strict privacy regulations also underscore the need for advanced security controls that classify and protect data automatically. Software that automatically identifies and redacts PII limits the disclosure of sensitive information such as names and social security numbers and can be critical in reducing the workload on IT while helping drive information governance. With the ability to limit access to documents and information at a highly granular level, these solutions go well beyond basic access controls when it comes to protecting consumer privacy by restricting content access.
6. Auto-classify content
Like advanced security controls, automatic classification of content also helps reduce IT’s compliance workload. The massive growth in digital documents means that it has become critical for organizations to quickly identify files that contain consumer information and then manage them differently. Auto-classification technology enables the discovery and tagging of PII amidst terabytes of unstructured content, helping ensure compliance. The benefit of auto-classification is that it is fast and consistent and works across a range of systems and formats.
7. Consider the cloud
A final consideration for streamlining compliance is to leverage the cloud. Numerous vendors offer turnkey solutions for storage that can dynamically scale compute power and storage at the click of a mouse – as well as provide world-class security – at a fraction of the cost of in-house solutions. It can be fairly said that data is more secure in the cloud than it is in an on-premises data center, and today’s cloud vendors are relentlessly enhancing their offerings with added features that support today’s agile, DevOps-centric world. Cloud also has an advantage from a security perspective, because when a hacker hits an application in the cloud, the breach will likely be contained to that app. Conversely, if a corporate data center is broken into, the intruder can attack any system on the network, often with disastrous results. Not only does cloud offer on-demand and pay-as-you-go infrastructure, it also provides the critical ability to free up IT resources to focus on issues like governance.
Conclusion
Information governance has never been more important – or challenging – but it doesn’t have to be impossible. Adopting a straightforward and simplified approach to systems and practices for governance is critical to becoming compliant with cybersecurity and consumer privacy laws and minimizing corporate risk. A streamlined approach has the power to break through organizational inertia to get started and “catch up” with compliance requirements and offers the ability to develop a proactive stance for the future.