On April 4, we conducted a webinar on GDPR Compliance. (What? You missed it? No worries, it’s here)
One of the key points I made during this session was that GDPR requirements are so comprehensive that no single technology or solution could possibly meet them all. As such, any vendor who claims to be selling a GDPR Solution is either over-simplifying the path to GDPR compliance or being dishonest in their marketing. There is no such thing as a GDPR Solution; anything that claims to be one will vanish upon closer inspection.
“Wait! You claim GlassIG is an Information Governance Platform! How is that any different?”
Guilty as charged. GlassIG was the first technology branded as an Information Governance Platform; we’ve been flying the IG Banner for almost a decade. Our view is that IG means:
- Defining and centralizing your policies
- Identifying which of your information assets need to be governed according to those policies
- Actively enforcing policy on these information assets
The thing is, IG is a marketing term. Not every vendor would agree with our definition of it. Once the label began to get some traction in the marketplace, every technology within shouting distance of IG began to claim it: Records Management, Retention Schedule Management, E-Mail Archiving, E-Discovery, File Analysis, even Electronic Archive Systems identified themselves as Information Governance Solutions. They still do today, and on behalf of the Vendor Community at large, I presume to apologize to the market for the confusion we have caused.
GDPR is different. There is a very clear set of standards, codified and ratified last year by the EU Parliament. GDPR spells out:
- What is personal data?
- What rights do individuals have regarding their personal data?
- What responsibilities do data controllers have regarding personal data?
The answers to these questions touch on Business, Privacy, Security, Risk, IT, Legal, and yes, Records Management. In many ways, I likened this to the E-Discovery Reference Model, in that the spectrum of responsibilities spans almost the entirety of a company’s information management practices. What’s a company to do?
Well, Step 1 is to firmly reject any vendor who tells you they have a technology that will get you in compliance. I’d ask you to be polite about it… we are a Swiss company, and would never advocate rudeness. But firmness is certainly acceptable here.
Step 2 is to assess your risk profile and appetite, and begin with GDPR requirements that most specifically map to your business and potential for costly compliance violations. GlassIG can help with some of these, including:
- Defining which of your information assets should be managed according to GDPR requirements
- Creating a cross-repository inventory of these information assets
- Retrieving, exporting, or deleting information assets as required by GDPR and other information management regulations
- Measuring and Auditing such activity for compliance reporting
Behind the scenes, we are working with one of our closest partners to build out an end-to-end GDPR Compliance Model. While I claim that no single technology can meet all your GDPR Requirements, that doesn’t rule out the possibility that a blend of cohesive platforms might do so. Watch this space for a white paper and webinar later this summer, where we will describe a full GDPR Compliance Suite.