WTF is GDPR?
European Union lawmakers proposed a comprehensive update to the bloc’s data protection and privacy rules in 2012.
My comments appear in side notes. This text has been taken from TechCrunch here. This is yet another condensed explanation of the key points of GDPR. The aim of these comments is to clarify (once more) the key points important for you (the business owner) to understand.
Their aim: To take account of seismic shifts in the handling of information wrought by the rise of the digital economy in the years since the earlier regime was penned — all the way back in 1995 when Yahoo was the cutting edge of online cool and cookies were still just tasty biscuits.
Here’s the EU’s executive body, the Commission, summing up the goal:
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritized. The reform will allow European citizens and businesses to fully benefit from the digital economy.
For an even shorter tl;dr the EC’s theory is that consumer trust is essential to fostering growth in the digital economy. And it thinks trust can be won by giving users of digital services more information and greater control over how their data is used. Which is — frankly speaking — a pretty refreshing idea when you consider the clandestine data brokering that pervades the tech industry. Mass surveillance isn’t just something governments do.
It was actually much more than 3 years.
The General Data Protection Regulation (aka GDPR) was agreed after more than three years of negotiations between the EU’s various institutions.
It’s set to apply across the 28-Member State bloc as of May 25, 2018. That means EU countries are busy transposing it into national law via their own legislative updates (such as the UK’s new Data Protection Bill — yes, despite the fact the country is currently in the process of (br)exiting the EU, the government has nonetheless committed to implementing the regulation because it needs to keep EU-UK data flowing freely in the post-brexit future). Which gives an early indication of the pulling power of GDPR.
What is, and will be, much more needed are consultants who actually solve the technology and logistics hurdles that must be overcome in order to implement what this “cottage industry” is proposing.
Meanwhile businesses operating in the EU are being bombarded with ads from a freshly energized cottage industry of ‘privacy consultants’ offering to help them get ready for the new regs — in exchange for a service fee. It’s definitely a good time to be a law firm specializing in data protection.
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out. In the meanwhile, here’s our guide to the major changes incoming and some potential impacts.
[Note: this is partially an advertisement, but a very informative text on Office 365 in general, encryption and control. It shows the kind of compliance required by high-risk environments, achievable by using third-party products and Office 365 as a platform]
Continue reading “Office 365: Encryption and control”
Update: This text was compiled almost a year before GDPR was signed. But it contains terminology relevant to the GDPR.
Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The (UK) Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights were revised and superseded by the Data Protection Act 1998 which came into force on 1st March 2000. This Guide explains what you should know about data protection under the Data Protection Act 1998 (‘the Act’). Continue reading “Data Protection Guide”
Enterprise Content Management is not Information Governance
Quite a lot is written these days about information management and information governance. Analysts are predicting that effective information management and governance can be a game changer for enterprises.
But doesn’t this sound a lot like Enterprise Content Management, or ECM? Aren’t there already plenty of successful vendors, ECM installations, and ECM strategies at work across companies at all levels, for many years now?
ECM and IG are not the same
In the world of enterprise content management, everything hangs on one single principle: that each document is unique, serves a defined purpose, and is therefore managed.
ECM is critical to regulated industries such as pharmaceuticals, where even the specific revisions of drug labels must be managed and ECM solutions provide reliable, defensible tools. ECM aids companies that regularly develop collateral and training materials, and helps with mundane activities like tracking contracts, document revisions, and so on.
This is not information governance, however – nor is it information management as the world is beginning to understand it. The ECM world already assumes a one-to-one relationship, which is why ECM has never proven to be a solution for information governance.
Information management and governance – the one-to-many conundrum
In the information governance world, the rule of thumb is one-to-many. And this is driven largely by email!
Email by its nature is repetitive: even email archiving systems cannot and should not eliminate duplication.
In cases where an author sends the same document attachment to multiple recipients, logically all copies point back to the same central document. But as that document moves outside the organization, gets multiplied, is commented upon, and becomes the foundation for an email dialogue, the same information will be repeated and multiplied, making matters worse.
Information governance has to go beyond the notion of identifying a single document or item and then tracking all revisions. In the case of email, these revisions are derivatives in branches – in other words, conversations. An ECM management solution can’t handle this situation, at least not easily.
Managed per content vs. managed per value
Another way to look at ECM is to look at how information is managed. ECM manages based on content: what’s in a document determines how it and any documents that relate to it are managed. This is how revisioning, for example, works: each revision stores only the changed content, not the whole document.
In the information governance world, there are simply too many variables. Going beyond mere duplication, there is also the challenge that content simply “comes into” an organization via email and then forms the basis for other content. The process is random.
The key to information governance is understanding the value of content and then applying management.
This is also exactly what Big-Data is all about: the value of the whole content. Content (aka information, aka data) value has been elusive, but think-groups like the Information Governance Initiative have begun to identify how companies are being successful in valuing information (often by using Big-Data platforms). Often, the mere age of the information is a measure of its value: email is transient by nature, and unless mail refers to a specific subject that is managed differently (for example, emails discussing pharma/client relationships at bio-tech institutions), its value decreases as it ages and it ultimately becomes worthless. And toxic, as IT regulators are very keen that you don’t store but dump old information. Companies have successfully ascribed a pre-determined aging to such documents and, as they are covered by legal holds or compliance regulations, delete them after a defined period.
Modern enterprise needs both ECM and IG
Is this really true for each and every mid to large Enterprise? The answer is probably yes, but it is easier to answer whether or not they need enterprise content management (ECM) first.
There are a number of ways to handle content within an organization, and solutions regularly overlap. Multi-disciplinary solutions like SAP and Oracle provide content management as well as enterprise resource management, routing, tracking, programmatic responses, and the like. Rarely do they provide information governance for unstructured information like emails, and in cases where they do, that email is often associated with other content.
Information governance (IG), on the other hand, first and foremost requires a mature organization with mature and repeatable governance in place.
On the implementation level, IG can be simply an archiving solution: capture and preserve email to satisfy regulations and later search and discovery. At its most granular (read: complex) level, IG implementation can, similar to ECM, play a role in identifying unstructured content, categorizing it, and applying very company- and content-specific management rules.
Companies need both for different reasons. Companies usually need an ECM platform because the particular type of information being managed is critical to their business.
Companies need information governance, on the other hand, because there is too much unmanaged and unstructured information flowing throughout their organizations. Without management, they are unable to mine any potential insights from that information. Without management, they are also unable to mitigate any risks that information may pose. And this is one very critical driver becoming obvious as of 2015 Q1. Information can and will become toxic just like any other waste: if dumped anywhere, it will develop its toxicity over time. As any “big bank” knows by now, for example. On the other hand, if old and stale information is classified and incinerated, it will be safely disposed of.
And make no mistake: information protection regulators are already here.