The Mirage of the GDPR Solution

On April 4, we conducted a webinar on GDPR Compliance. (What? You missed it? No worries, it’s here)

One of the key points I made during this session was that GDPR requirements are so comprehensive that no single technology or solution could possibly meet them all. As such, any vendor who claims to be selling a GDPR Solution is either over-simplifying the path to GDPR compliance or being dishonest in its marketing. There is no such thing as a GDPR Solution; anything that claims to be one will vanish upon closer inspection.

“Wait! You claim GlassIG is an Information Governance Platform! How is that any different?”

Guilty as charged. GlassIG was the first technology branded as an Information Governance Platform; we’ve been flying the IG Banner for almost a decade. Our view is that IG means:

  • Defining and centralizing your policies
  • Identifying which of your information assets need to be governed according to those policies
  • Actively enforcing policy on these information assets

The thing is, IG is a marketing term. Not every vendor would agree with our definition of it. Once the label began to get some traction in the marketplace, every technology within shouting distance of IG began to claim it: Records Management, Retention Schedule Management, E-Mail Archiving, E-Discovery, File Analysis, even Electronic Archive Systems identified themselves as Information Governance Solutions. They still do today, and on behalf of the Vendor Community at large, I presume to apologize to the market for the confusion we have caused.

GDPR is different. There is a very clear set of standards, codified and ratified last year by the EU Parliament. GDPR spells out:

  • What is personal data?
  • What rights do individuals have regarding their personal data?
  • What responsibilities do data controllers have regarding personal data?

The answers to these questions touch on Business, Privacy, Security, Risk, IT, Legal, and yes, Records Management. In many ways, I likened this to the E-Discovery Reference Model, in that the spectrum of responsibilities spans almost the entirety of a company’s information management practices. What’s a company to do?

Well, Step 1 is to firmly reject any vendor who tells you they have a technology that will get you in compliance. I’d ask you to be polite about it… we are a Swiss company, and would never advocate rudeness. But firmness is certainly acceptable here.

Step 2 is to assess your risk profile and appetite, and begin with GDPR requirements that most specifically map to your business and potential for costly compliance violations. GlassIG can help with some of these, including:

  • Defining which of your information assets should be managed according to GDPR requirements
  • Creating a cross-repository inventory of these information assets
  • Retrieving, exporting, or deleting information assets as required by GDPR and other information management regulations
  • Measuring and auditing such activity for compliance reporting

Behind the scenes, we are working with one of our closest partners to build out an end-to-end GDPR Compliance Model. While I claim that no single technology can meet all your GDPR Requirements, that doesn’t rule out the possibility that a blend of cohesive platforms might do so. Watch this space for a white paper and webinar later this summer, where we will describe a full GDPR Compliance Suite.

Getting Started with GlassIG Freemium Edition

Congratulations, you have signed up for your Free Edition of GlassIG!

Now what? How can this totally free edition help you on your Information Governance Journey? Once you have received your confirmation email, the GlassIG Wizard will walk through the process of getting started.  In just a few simple steps you can begin experiencing the power of GlassIG.

Step 1.  Connect your Infosource

The first step is to define the repository where your information is located. In GlassIG we call this an Infosource. With the free edition, you can set up a personal Google Drive or Box account. Other Infosource types are available with a variety of subscription options. This is a great way to test the power of GlassIG without using your protected corporate content. Simply provide a name and description for the Infosource of your choice. A pop-up box will appear, and you will be prompted to enter your credentials for the selected Infosource and allow access from GlassIG.

Step 2.  Create your Cataloger

Once you have created an Infosource, the next step is to tell GlassIG what to do with information that has been identified. In GlassIG, a “Cataloger” applies a specific policy to information in a target folder or location within your Infosource:

  1. Provide a unique name for your Cataloger
  2. Select the targeted folder in your Infosource (e.g., a Google Drive folder)
  3. Assign the Information Policy
  4. Determine the type of assets (content) that you would like to govern:
    1. Unprotected Assets – The content will be cataloged by GlassIG, but will not be immutable. Users will be able to modify and/or delete the content, regardless of the Information Policy that has been applied to the content.
    2. Protected Asset (Immutable) – The content will be cataloged and protected. Depending on the Infosource, users will either be prevented from deleting the content directly in the Repository, or the content will be secured in a preservation center.
  5. Define the frequency of the timer, that is, how often you would like your Cataloger to search for new content (minutes, hours, or days)

Additional Configuration Options

The GlassIG Free Edition comes with a pre-built two-level Information Policy structure (Record Classes). With a few clicks you can modify and/or create your own custom Information Policies.

To create a new Information Policy, navigate to the Policies Tab and select the target Information Policy that you would like to edit (e.g., Budgets).

  1. Modify Existing Information Policy

Click on the “Edit Policy” button to update the policy:

  • Modify the retention duration, which can be defined in days, weeks, months or years
  • Assign additional System or Business Attributes (e.g., Vital, Historical)
  • Click on the “Save” button to save your changes

  2. Create New Information Policy

  • Click on the “New Policy” button
  • Enter a unique Code (e.g., HR for Human Resources) **Important: the location of your content determines which level of the Information Policy will be entered (Level 1 or Level 2)

Picture3

  • In the above example, the cursor was highlighted at the “Home” level, so the code to be entered is for the top-level category (e.g., alpha code, length = 2). If I select the “New Policy” button while I have an existing Information Policy highlighted, the code required is the one for the lower Information Policy level (e.g., numeric, length = 3)

Picture4

  • Notice that the new Information Policy has inherited the Parent Information Policy Retention Period of 99 years. This Retention Period can be modified by following the Modify Existing Information Policy steps listed above.
  • The newly created policy will need to be validated before it can be used in a Cataloger.

The GlassIG Free Edition allows users to enter in their custom Retention Schedules, using the Lifecycle Event “File Creation Date”. The ability to use other customized Lifecycle Events is available in our subscription options.

Looking to learn more about how you can get started on your Information Governance Journey? Request a demo or download our IG Assessment Brochure to get a customized plan on how to make your IG Vision a Reality.

Why Redefine Information Governance? 3 of 3

Redefining Information Governance

At GlassIG we aim to redefine how an Information Governance program should be perceived and implemented. We believe that key improvements are needed to accelerate adoption and facilitate deployment. We have leveraged 8 years of Information Governance market trends and customer experiences from all over the world to build solutions that fix today’s challenges and are flexible enough to welcome future requirements and evolutions. The list below is not exhaustive, but gives a first look at the benefits organizations will gain by using our solutions.

 

A shared vocabulary

“Retention schedule”, “lifecycle management”, and “record class” are key words to Information Governance experts but are understood by very few people in a typical organization. For the broad acceptance of any Information Governance program, we need to open up the vocabulary to non-experts. Information Governance cannot be a field that only trained records managers or information management experts can discuss. For collaboration purposes, the language of Information Governance must be easy to understand and accessible to all. Otherwise we cannot adopt an Information Governance program and we cannot recruit the information workers of tomorrow.

 

Setting policies needs agility…

Up to now, information policies have always been created and maintained by a small core of experts within an organization. Most of the time these are based on corporate rules and processes, and focused on the component or function of the business that needs governance. Corporate rules cover only broad questions, such as, “What do we do with all customer files?” (This can be different from industry to industry, of course.) Also centrally defined are information policies linked to laws and regulations. Typically a policy is approved by an executive decision based on input from the legal department after a risk/value analysis. This needs to be done to identify which laws and regulations require strict compliance to avoid legal cases or litigation.

With the evolution of technologies, and the opportunity to access a large number of cloud-based services, any information worker has the potential in the future to create policies. Rather than simply proscribe this facility, companies need a flexible model where policy creation is allowed but is traceable, using an Information Governance solution that keeps a record of who set the policy and why. The solution needs to be able to fit these “local” policies into the organization’s generic global policies, empowering information workers while still allowing oversight, metrics and feedback.

 

And a multi-jurisdictional approach

The model in place to manage all these policies must be agile and it must scale: today’s start-up organizations can very quickly expand their business coverage to an international scope, where additional laws and regulations from different jurisdictions will have to be integrated very quickly.

Experience with the implementation of European directives within European member states has taught us that even international regulations have local variants and interpretations. So, it is not just about being able to add new policies, but also about being able to link global policies to local ones. Companies cannot afford to change their existing solution as they enter new markets. They have to be sure that their current solution is sophisticated enough to answer these new compliance requirements and any future requirements they may encounter.

 

Information is everywhere: a hybrid approach is a must-have, not a nice-to-have

From the new challenges organizations are facing today, it is apparent that information is everywhere, from on-premise information systems to cloud-based drives and repositories. It is simply unrealistic to assume that information can be extracted from all existing and future systems where it is created and consumed, and migrated to a central repository where, out of context, it can still be accessed and correctly interpreted. This means that an Information Governance solution needs to enforce information policies in place, while the organization’s information remains where it is most usefully created, stored, maintained, used and reused.

The adoption of cloud-based repositories is growing rapidly in organizational departments; they simply cannot be ignored or managed individually. Global and local policies need to be enforced in the cloud as well as, or better than (because it is more distributed), they used to be in an entirely on-premise repository. Hybrid information governance is the only way to bring consistency and apply the same information policies across the organization irrespective of the information type and format.

 

We are all information managers

Even with these new and more integrated ways of working, information management will not be understood by all. Unfortunately, Information Governance solutions in their current form are too complex for many staff, who lack expertise and training and who, themselves, have very few opportunities to learn and contribute to the information management strategy of their company or organization. We have seen that a first step is to develop and share a simplified vocabulary. Once this is done, the second step to increasing adoption is to transition to easier tools and simplified processes that hide or remove complexity and transform a painful and complicated information management program into one that is logical, simple and easy to understand and apply.

For example, everybody in a company should be able to access its information policies and quickly find corporate and local policies related to any information under governance that they work with on a daily basis. Having identified a relevant policy, they should be able to understand it and apply it or, if it is automated, understand how and when it is applied. It is by achieving this level of Information Governance adoption through a solution that embodies radical and disruptive approaches that organizations will be able to increase adoption, facilitate the understanding and importance of Information Governance, and raise the contribution by staff towards a successful deployment and ongoing program.

 

The most important success factor

Information Governance will succeed if it is adopted and embraced by every information worker who creates, uses and values information inside your organization. That way you can be sure that your organization is fostering an internal culture of good governance.

It is time to redefine your Information Governance program with GlassIG today.

 
