Managing the information paradox in the NDB/GDPR era
Article by M-Files Australia and New Zealand alliance and partner director Nicholas Delaveris Recent legislation in Australia and overseas puts more stringent requirements around businesses collecting and retaining personal information.
The Australian government's mandatory notifiable data breaches (NDB) scheme and Europe's General Data Protection Regulation (GDPR) both demand that organisations protect individuals' data and notify the appropriate authorities if a breach happens.
While GDPR is primarily a European law, it applies to any business that interacts with a citizen of the European Union, which means many Australian businesses will be affected. This creates a paradox for businesses who both rely on information and need to protect that information.
Compliance with these new pieces of legislation demands that businesses have unprecedented visibility into the information they collect and store and that they be able to demonstrate how that data has been treated. Businesses need to make information available at the right time on any device so employees can do their jobs.
But they also need to control that information and make sure no unauthorised person can access it.
These two goals have traditionally been somewhat incompatible.
To overcome this issue, businesses need a solution that helps manage compliance and audits, while making it simple for people with the right permissions to access the data they need.
Compliance is mostly about being able to demonstrate control.
It's about being able to identify who has accessed information, whether they've edited or shared it, and when.
Flat file stores are hard to control and, as people leave and join the business, keeping track of access permissions and history gets tangled. Businesses, therefore, need to take a process-based approach to becoming compliant with NDB and GDPR legislation.
That means taking a step back and gaining an overarching view of data including where it resides and what policies apply to it.
Everyone in the organisation should understand how data needs to be managed and be able to comply with those requirements.
This should be an ongoing process.
Privacy-related legislation tends to include requirements around what personal data can be collected and retained and for what purposes, as well as how businesses must respond to requests for that information either from the individual whose information is stored or from third parties. Businesses need to be able to react fast and appropriately when they receive requests for data.
They need to know what data can be shared and what data must never be shared.
If a person requests their own data, the business must be able to provide it immediately.
It's not good enough to say they couldn't find it or they assume it has been destroyed; they need to be able to prove it.
Organisations need a solution that tags the data with information such as whether it contains personal details, how long it needs to be kept for, and why it needs to be kept.
If it shouldn't be kept, the organisation needs to be able to demonstrate that the data has been destroyed.
If the organisation hasn't destroyed the data, it needs to be able to demonstrate that it's keeping the data for legal and legitimate reasons. Managing this process manually is difficult, and businesses can look at automation to simplify these processes.
The cost of trying to maintain compliance without an appropriate, metadata-driven content management tool is prohibitively high.