GDPR and Documents: Defining a Strategy


A Document-centric Strategy for GDPR Compliance

With the effective date for the new General Data Protection Regulation (GDPR) fast approaching, now is the time to put a solid strategy in place when it comes to documents and images. Organizations not only need to implement process and procedure for handling private information, but also need a firm evaluation of "current state" to understand the high risk areas of their business and their exposure. Below are the four key steps, as outlined by Microsoft's GDPR Strategy, and how you can incorporate a document-centric view within your plan:


Discover


Discovery will probably be the most challenging step when it comes to documents and GDPR. The vast majority of enterprises have a large number of document repositories. Just think of the modern workplace, and all the locations where documents reside:

  • Network folders
  • Local folders
  • Sync technologies like Box, OneDrive, Dropbox, Google Drive
  • Corporate Enterprise Content Management (ECM) and Document Management (DM) systems
  • Line of Business systems that house documents
  • Email & attachments

The ability to crawl and identify high risk entities within these locations is critical for compliance. Here is a checklist of required functionality when it comes to a technical solution:

  • Two-phase Identification – most of the technologies on the market just use pattern matching to identify personal information within documents. This can be problematic: it burdens staff with false positives that take an immense amount of time to validate. With two-phase identification systems (like Ephesoft), documents are first classified as a certain type: agreement, application, correspondence, etc. This classification can be configured for an organization's specific document requirements, and can immediately ID a document as high risk. The second phase of risk identification is pattern matching, fuzzy DB correlation and key value searching. This two-phase approach is absolutely required for accuracy and high confidence.
  • Optical Character Recognition (OCR) – images can be a very high risk type of document. In order to properly evaluate an image for risk, there needs to be a text conversion process. It goes much further than that: the application also needs a voting and confidence engine. Images vary in quality, and a fax or "copy of a copy" can be problematic. With a confidence flag on both the overall document and identified private information, images can be graded on overall quality, and quality of data.
  • Open Architecture – proprietary systems cannot meet all the requirements that will be necessary for GDPR Discovery, and most organizations will need ultimate flexibility to modify and customize software for their unique needs and requirements. Using modular and open platforms will guarantee the best solution and fit for your needs.
  • Machine Learning – using a system that gets smarter with each day of use is required in today’s modern world.  A GDPR Machine Learning system can learn new high risk documents, and evolve as an organization changes.
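
The two-phase identification described in the checklist above can be sketched as follows. This is an added example, not Ephesoft's implementation or code from the original post; the document types, cue phrases, patterns, thresholds, subject list and sample documents are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Phase 1 config (constructed): type -> (cue phrases, high risk on type alone)
DOC_TYPES = {
    "application": ({"applicant", "date of birth", "signature"}, True),
    "agreement": ({"agreement", "party", "hereby"}, True),
    "correspondence": ({"dear", "regards", "sincerely"}, False),
}
# Phase 2 config (constructed): patterns, key labels, stand-in subject database
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,3})?\b"),
}
KEYS = re.compile(r"(?im)^\s*(name|date of birth)\s*:\s*(.+?)\s*$")
KNOWN_SUBJECTS = ["Anna Schmidt", "Jean Dupont"]

def classify(text):
    """Phase 1: score each configured type by the share of its cues present."""
    low = text.lower()
    scores = {t: sum(c in low for c in cues) / len(cues)
              for t, (cues, _) in DOC_TYPES.items()}
    best = max(scores, key=scores.get)
    return (best, scores[best]) if scores[best] >= 0.5 else ("unknown", scores[best])

def find_entities(text):
    """Phase 2: pattern matching, key-value search, fuzzy name correlation."""
    hits = [(k, m.group()) for k, p in PATTERNS.items() for m in p.finditer(text)]
    for key, value in KEYS.findall(text):
        hits.append((key.lower(), value))
        if key.lower() == "name":  # tolerate OCR or typing errors in names
            hits += [("known_subject", s) for s in KNOWN_SUBJECTS
                     if SequenceMatcher(None, value.lower(), s.lower()).ratio() >= 0.85]
    return hits

def assess(text):
    doc_type, confidence = classify(text)
    entities = find_entities(text)
    if DOC_TYPES.get(doc_type, (None, False))[1]:
        risk = "high"      # the type alone flags the document
    elif entities:
        risk = "review"    # pattern hit without a high-risk type: needs validation
    else:
        risk = "low"
    return {"type": doc_type, "confidence": round(confidence, 2),
            "risk": risk, "entities": entities}

# Constructed sample documents
APPLICATION = ("Applicant form\nName: Ana Schmidt\nDate of Birth: 1984-03-12\n"
               "Signature: ____\nContact: anna@example.org")
LETTER = "Dear customer,\nplease send the refund to DE89 3704 0044 0532 0130 00.\nKind regards"
```

Calling `assess(APPLICATION)` rates the form high on its type alone and still lists the extracted entities for the inventory, while `assess(LETTER)` returns a pattern-only hit marked for review.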


Manage


Once a GDPR document inventory is complete, and an organization understands their areas of document risk and exposure, a plan can be put in place to manage and govern the assets of their data subjects.  This phase or step within your GDPR document strategy can include the following:

  • Migrating high risk documents to a managed repository – if high risk documents exist outside of a governed and managed repository, the same tool that can help in discovery can also help with migration.  As documents are classified, metadata can also be extracted, and the document moved into a new or existing system of record.  You can see an example of contract migration to SharePoint Online here:  Migrating Contracts and Data to SharePoint.
  • Implementing an intelligent document transport layer – creating a repeatable, standardized process for document ingestion and processing can flag new documents as they enter an organization's digital realm. This ensures proper governance, and placement of high risk assets.


Protect


In the protection step, organizations need to put security controls on all documents deemed as high risk.  But the protection step also requires thought on future documents, and protecting new private assets.  As outlined in “Manage”, an effective document transport technology will identify and route newly ingested documents to a protected resting place.  Organizations also need to implement real-time controls for high risk identification and classification.  Here are some examples:

  • Constantly discover – you can protect those documents that are in your managed repository, but what about newly generated personal data?  As new policies and procedures are implemented, organizations need to use their discovery technology to constantly monitor and find new high risk entities.
  • Embed classification technology – enabling detection in your everyday applications can reduce risk, and ensure compliance. Modern classification platforms have web services enabled in cloud and on-premises solutions to help. You can see an example here: Real-time GDPR Scanning and Detection in SharePoint.


Report


The new GDPR standard is all about accurate record keeping, which provides transparency and overall accountability. Knowing all the document types that can be classified as having personal information, and the processes around them, is critical to ensure compliance. An audit of policies and procedures is sure to require records of a document's creation or ingestion, how it was handled, and where it was ultimately placed under management. All of the technologies mentioned in this article have broad reporting and analytics capabilities.

Figure: GDPR analytics and reporting (GDPR Dashboard in Ephesoft Insight)

With the complexities of GDPR, standard reporting won't suffice in most cases, and the ability to perform deep analytics to track and identify key data and documents will be a requirement.

Just a quick post on strategy for GDPR when it comes to the unstructured content that lives within documents. Let me know your thoughts on the topic.