If you didn’t already know, the General Data Protection Regulation (GDPR) is set to come into effect May 2018, and it is one of the most far-reaching pieces of legislation to ever hit the modern digital age. The good news is that this regulation was created to protect the rights of individual people and it is a huge step forward in terms of giving people more insight and control into the personal data that organizations collect and track. However, this regulation has large implications for any organizations that plan on doing business with European citizens.
Let’s talk about what the GDPR entails. The regulation was created and enacted by the European Union. While this may lead some to falsely believe that the regulation only affects European organizations, the legislation was built with “increased territorial scope” in mind. What it specifically states is that any organisation that interacts with European Union citizens must abide by the GDPR’s requirements. The purpose of the GDPR is to define a set of rights for EU citizens rather than a set of requirements for EU organizations. This means that any business that plans on collecting personal information about an EU citizen must also implement a system that allows those citizens to gain some measure of control over that information.
The GDPR states that EU citizens have several rights regarding their personal data:
1. The right to breach notification.
Organizations must provide citizens or customers notice within 72 hours if any data leak has occurred that potentially involves their personal information.
2. The right to access.
Upon request, any government or business group must be prepared to provide a copy of all known personal information held by that organisation and the purpose behind the collection of said information.
3. The right to be forgotten.
Any person can request data erasure and organizations must comply as soon as possible if there are no implications to “the public interest in the availability of the data”.
4. The right to data portability.
Any personal information must be shared in a format that is easily understood and easily consumed.
5. Privacy by design.
This implies that organizations that plan to collect personal information will need to invest in robust security and recordkeeping practices.
How will GDPR Affect Business and Government Groups?
This is a huge change to how organizations have treated personal data in the past, especially when it comes to information collection, the right to access, and the right to be forgotten. Personally, I think the right to be forgotten is probably the most important section of the regulation, because it finally gives people some control over the increasingly scary reality that our personal information is being collected extremely frequently and we have no ability to stop or minimise this. This regulation means that organizations not only have to justify why they are collecting information such as your date of birth, gender, or e-mail address, but also organizations must comply with your request to destroy that information as soon as possible.
GDPR poses a distinct challenge for organizations that may not have the systems in place to handle these personal data requests or the appropriate technology to manage not only the proper order and protection of the these items, but the ability to efficiently search, dispose and/or export the content for the data subjects.
For groups that do not comply, GDPR sanctions are severe from warnings and being subject to regular audits to fines that can go up to €20 Million or 4% of annual worldwide turnover (whichever is greater).
How does GDPR Affect Records Managers and Data Protection Officers?
The phrase “destroy as soon as possible” is a very important one to keep in mind, because it is at the heart of the issue from a records management perspective. The right to be forgotten comes with the major caveat that this right does not supersede existing legal requirements to retain data. To give a concrete example, if an individual requested the destruction of information that was only half-way through its 10-year retention, the request can only be complied with after the full retention period. However, once the information has fulfilled its full legal retention period, it must be immediately destroyed, essentially being “pre-approved” for disposition. As we all know, it is not uncommon for some retention periods to be a combination of both the legal retention period as well as an extension based on business retention. The GDPR, however, does supersede any business retention needs, meaning that as soon as the organization is no longer legally required to keep the data, it must be destroyed.
Even from a retention schedule-building perspective this is an interesting facet because it requires organizations to make a clear distinction between the legal retention period and any additional time added by business retention. This is not something that is currently considered since traditional wisdom has been that the legal retention period is the minimum the records must be kept, not the maximum as well. It simply indicates that Collabware’s decision to represent retention schedules as workflows with branching paths was fully in line with where records management was eventually heading.
There are other things that organizations will have to do in to fulfill this regulation that relate more to the information governance side of things as well. Since they must provide personal data to EU citizens upon request, they must have very strong control of that data, including proper classification, organization, metadata availability, and exportability. These requirements speak to a robust data management system, which is an investment that all organizations should be making regardless.
In the end, this legislation should result in two major wins: increased privacy protection for individuals and increased information governance for organizations. Because the legislation is so far-reaching, many organizations based in both Canada and the United States will have to develop systems to comply, along with all of Europe. My hope is that Canada will step up and adopt similar regulations for our own citizens. If they do, then we can all look forward to a brighter future that invests more time and money into information governance, not just to comply with legal regulations, but also because of the benefits it will bring to organizations in terms of information control, retrieval, and disposition.
For more information and advice on how to manage and adapt your operations to comply with GDPR standards, please email us at firstname.lastname@example.org