The Mirage of the GDPR Solution

On April 4, we conducted a webinar on GDPR Compliance. (What? You missed it? No worries, it’s here)

One of the key points I made during this session was that GDPR requirements are so comprehensive, no single technology or solution could possibly meet them all. And as such, any vendor who claims to be selling a GDPR Solution was either over-simplifying the path to GDPR compliance, or they were being dishonest in the marketing. There is no such thing as a GDPR Solution; if you look closely at something that claims to be one, it will vanish upon closer inspection.

“Wait! You claim GlassIG is an Information Governance Platform! How is that any different?”

Guilty as charged. GlassIG was the first technology branded as an Information Governance Platform; we’ve been flying the IG Banner for almost a decade. Our view is that IG means:

  • Defining and centralizing your policies
  • Identifying which of your information assets need to be governed according to those
  • Actively enforcing policy on these information assets


The thing is, IG is a marketing term. Not every vendor would agree with our definition of it. Once the label began to get some traction in the marketplace, every technology within shouting distance of IG began to claim it: Records Management, Retention Schedule Management, E-Mail Archiving, E-Discovery, File Analysis, even Electronic Archive Systems identified themselves as Information Governance Solutions. They still do today, and on behalf of the Vendor Community at large, I presume to apologize to the market for the confusion we have caused.

GDPR is different. There is a very clear set of standards, codified and ratified last year by the EU Parliament. GDPR spells out:

  • What is personal data?
  • What rights do individuals have regarding their personal data?
  • What responsibilities do data controllers have regarding personal data?

The answers to these questions touch on Business, Privacy, Security, Risk, IT, Legal, and yes, Records Management. In many ways, I likened this to the E-Discovery Reference Model, in that the spectrum of responsibilities spans almost the entirety of a company’s information management practices. What’s a company to do?

Well, Step 1 is to firmly reject any vendor who tells you they have a technology that will get you in compliance. I’d ask you to be polite about it… we are a Swiss company, and would never advocate rudeness. But firmness is certainly acceptable here.

Step 2 is to assess your risk profile and appetite, and begin with GDPR requirements that most specifically map to your business and potential for costly compliance violations. GlassIG can help with some of these, including:

  • Defining which of your information assets should be managed according to GDPR requirements
  • Creating a cross-repository inventory of these information assets
  • Retrieving, exporting, or deleting information assets as required by GDPR and other information management regulations
  • Measuring and Auditing such activity for compliance reporting


Behind the scenes, we are working with one of our closest partners to build out an end-to-end GDPR Compliance Model. While I claim that no single technology can meet all your GDPR Requirements, that doesn’t rule out the possibility that a blend of cohesive platforms might do so. Watch this space for a white paper and webinar later this summer, where we will describe a full GDPR Compliance Suite.

Working for an Organization is not the same as working for yourself

Personality

Are you a neat person or a messy person in your Information Governance habits? Chances are that if you look around your house you will be able to find some evidence that will help you.

Do you have a box file containing all your utility bills in chronological order? Or are they scattered around in different drawers, some unopened, half of them kept for no reason while half have been thrown away, also for no reason?

Do you have all your receipts in a neat pile ready for you to make out your next expenses claim? Or are they jammed into your wallet, loose in your pockets, left in the bottom of your briefcase, or will you have to check through the drawers in your desk, just in case you left them there?

Do you keep a logbook of your car’s mileage and petrol consumption? Or is it all you can do just to reach a pump on the last gasp of fumes in the tank and pay to fill it up each time it is running on empty?

By now you are probably getting the idea that people who practice good personal discipline are, by and large, more likely to adopt good Information Governance habits in the workplace. This is not necessarily universally true, but from our experience we think it a reasonably reliable indicator.

Now you might also be thinking, therefore, that this is an article about how Information Governance Officers are slightly more anally retentive, or slightly more likely to suffer from OCD, than the average person in the population. But actually that is not what this blog post is about at all. You see, when you are organizing or dis-organizing your personal life that is up to you. But when you work as an employee of an organization you are a contracted information professional.

Professionalism

No one pays you to mow your lawn or clean your house. You do it, if you do it, for your own convenience, whether motivated by your conscience, your pride, a sense of duty or responsibility to your family, conditions of your tenancy, genuine interest, concerns about health and cleanliness, because that is how you were raised, or one of a number of other reasons that only have meaning to you.

In the workplace, however, you are not working purely for yourself. You have a duty to the organization, and a responsibility to your subordinates, your colleagues, other team members, and of course to your managers. This duty of care extends to your behavior around Information Governance.

It is simply not good enough to mismanage your email, for example, if your job requires that you ensure that all evidence about a particular matter is captured and made available to everyone working on the project team. If you are away one day and another team member gets a phone call but cannot respond to it because you have not declared or catalogued the relevant item of information, then you are no longer just harming yourself; you are causing harm to the organization itself as well.

That is why we stress that good Information Governance hygiene is as valuable a personal and professional trait as speaking politely to your clients, filling in a leave form before you take your holidays or making sure that the board papers are correctly collated.

A better employment contract

One final point for Information Governance Officers: what does your organization’s standard employment contract template say about Information Governance? This is well worth following up with your HR department. Make sure that you have a clause in the duty statement for every position in the organization that specifically states that one of the duties of this position is to implement and put into practice the organization’s Information Governance program.

In our experience, most employers ensure that their employees specifically sign up to the organization’s information security policies, including misuse of the Internet, taking unencrypted information out of the office, and so on. But very few employers ensure that their employees sign up to taking specific and personal responsibility for adopting the organization’s Information Governance program.