What is your privacy strategy for documents and content repositories?
The new General Data Protection Regulation (GDPR) replaces the older Data Protection Directive in the EU on May 25, 2018. This roll-out of privacy protections has broad implications for any company established in the EU, and for any company anywhere that processes the personal data of EU residents. Here is a summary of the major changes:
- GDPR jurisdiction now applies to all organizations that process the personal data of EU data subjects, regardless of the
- Breaches of GDPR can be fined up to 4% of annual global turnover or 20M Euros (whichever is larger)
- Requests for consent to process personal information must be clear, intelligible and easy to understand.
The regulation also defines a set of core data-subject rights and organizational obligations; a quick summary:
- Breach Notification – a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it.
- Right to Access – subjects can ask whether their personal data is being processed and request an electronic copy of it.
- Right to be Forgotten – also known as the right to erasure: a subject can request that all of their personal data be removed from the controlling organization's systems.
- Data Portability – subjects can request their personal data in a structured, machine-readable format and have it transferred to another organization. In practice this goes hand in hand with the “right to be forgotten”.
- Privacy by Design – now a legal requirement: organizations must be able to demonstrate “…appropriate technical and organizational measures…” within any system or process that handles personal data.
- Data Protection Officers (DPOs) – many organizations will now be required to appoint a DPO. This individual is the point of contact for supervisory authorities and is responsible for monitoring the organization's data protection efforts.
So, with that quick outline, imagine the implications of millions of application documents with personal information being breached. What about the accidental scan of medical records into an insecure document sync folder? Or a directory of millions of scanned documents in which a few contain private information?
Organizations need a two-pronged approach to defuse this document minefield: two types of technology that work hand in hand to get the problem under control and mitigate risk.
First, a document and content capture technology that works as the ingestion point for new content and for existing document-centric processes. This form of enterprise input management can be placed as a non-invasive automation layer that flags and identifies suspect content and provides reporting on private information for compliance. This layer is focused on day-forward transactions: content entering the organization from now on.
Second, a solution that crawls existing repositories to classify, extract and identify documents that pose a risk. This technology can work hand in hand with the transactional layer to build machine learning profiles and establish analytical libraries of document and data profiles, so that the analytical side becomes proactive and preemptive. This is a critical step in identifying legacy documents that hold private information and could expose the organization to GDPR fines.
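To make the "crawl, classify, identify" step concrete, here is an added example of a minimal repository scanner. It is illustration code written for this page, not Ephesoft's product, and it assumes a repository of plain-text documents (a constructed in-memory sample below) and a few simple regular-expression detectors for common identifiers; a production pipeline would add OCR for scanned images and trained classifiers on top of patterns like these.

```python
"""
Added example (not Ephesoft code): crawl a document repository, classify each
document by the kinds of personal data it contains, and report the ones that
need review under GDPR.

Assumptions (hypothetical, for illustration): documents are plain text, and
the detectors are simple regexes. Real products layer OCR and ML classifiers
on top of pattern matching like this.
"""
import re
from collections import Counter

# Constructed sample "repository": filename -> text content.
SAMPLE_REPOSITORY = {
    "invoice-2017-001.txt": "Invoice 2017-001\nTotal due: 1,250.00 EUR\nThanks for your business.",
    "application-form.txt": ("Applicant: Jane Example\nEmail: jane.example@example.org\n"
                             "Phone: +44 20 7946 0958\nIBAN: GB29NWBK60161331926819\n"),
    "medical-scan.txt": ("Patient: John Example\nDate of birth: 1980-04-12\n"
                         "Diagnosis: hypertension\nEmail: j.example@example.org"),
    "notes.txt": "Meeting notes: discuss Q3 roadmap.",
}

# Each detector: (category, compiled regex). Deliberately simple.
PII_PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", re.compile(r"\+\d{1,3}[ \d]{7,14}\d")),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    ("date_of_birth", re.compile(r"date of birth:\s*\d{4}-\d{2}-\d{2}", re.IGNORECASE)),
    ("health", re.compile(r"\b(?:patient|diagnosis)\b", re.IGNORECASE)),
]

# Health data is special-category data under GDPR Article 9: treat as high risk.
HIGH_RISK = {"health"}
MEDIUM_RISK = {"iban", "date_of_birth"}
RISK_ORDER = ["none", "low", "medium", "high"]


def classify_text(text):
    """Return a Counter of PII category -> number of matches found in the text."""
    counts = Counter()
    for category, pattern in PII_PATTERNS:
        hits = len(pattern.findall(text))
        if hits:
            counts[category] += hits
    return counts


def risk_level(counts):
    """Map the set of detected categories to a coarse risk level."""
    categories = set(counts)
    if categories & HIGH_RISK:
        return "high"
    if categories & MEDIUM_RISK:
        return "medium"
    if categories:
        return "low"
    return "none"


def crawl(repository):
    """Classify every document; return {filename: {"categories": {...}, "risk": str}}."""
    report = {}
    for name, text in repository.items():
        counts = classify_text(text)
        report[name] = {"categories": dict(counts), "risk": risk_level(counts)}
    return report


def documents_at_risk(report, minimum="medium"):
    """Filenames whose risk level is at least `minimum`, sorted for stable reporting."""
    threshold = RISK_ORDER.index(minimum)
    return sorted(name for name, entry in report.items()
                  if RISK_ORDER.index(entry["risk"]) >= threshold)


if __name__ == "__main__":
    report = crawl(SAMPLE_REPOSITORY)
    for name, entry in report.items():
        print(f"{name:25} {entry['risk']:6} {entry['categories']}")
    print("Needs review:", documents_at_risk(report))
```

Pattern matching alone produces both false positives (any two capital letters plus digits can look like an IBAN) and false negatives (a phone number without a country code is missed), which is why the text above pairs the crawler with classification profiles learned from the transactional layer. The useful output is the ranked list of documents to review, not a final compliance verdict.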
So, where does Ephesoft fit? We have two products that span the transactional and analytical requirements, helping organizations capture, classify, identify and visualize their documents and comply with GDPR privacy rules.