Create a sound information governance strategy now.

By: Peter Baumann, CEO

“To be prepared is half the victory.” - Cervantes

The deadline for GDPR compliance is approaching – fast. In May of this year, the new law goes into effect. If you’re like many companies that will feel its impact, GDPR has been on your company radar for months, maybe longer. You’ve discussed why it’s important to your business. You’ve agreed that your company must take action.

Why, then, are so many companies still in a mad scramble to get compliant?

In my last post, we talked about the 5 key myths that keep organizations from creating and executing on a sound GDPR strategy. Let’s say you have addressed those myths, solved those challenges and are ready to move forward. How, exactly, do you do that? What constitutes a sound GDPR strategy?

After working for over a decade with corporate and government clients on information governance, we’ve learned, refined and honed the best practices that help companies like BAE Systems, Pandora, Rio Tinto and others get control of their data. Here are a few key steps you can take to get started on your road to GDPR compliance.

Make GDPR Compliance a Company Priority

This must start at the CEO level. If GDPR compliance is not a priority for you, the rest of your company won’t prioritize it, either. Yes, you’ve got a business to run, and everyone has a job to do. Consider that the cost of doing nothing will stop your business in its tracks when, not if, you run up against GDPR compliance issues. Think your business isn’t vulnerable because you are not doing business in Europe? Think again. Anyone who has customers that interact with your company online could be at risk. Here are the facts:

  • “The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process EU residents’ personal data, even if they’re not EU citizens.” https://www.itgovernance.eu/eu-general-data-protection-regulation-gdpr
  • Or, as the Forbes Technology Council puts it: “Any U.S. company that has a Web presence (and who doesn’t?) and markets their products over the Web will have some homework to do.”
  • One recent poll shows that GDPR fines will affect 80% of US-based firms.

Gather your key stakeholders, ideally heads of departments, and communicate the reasons for undertaking GDPR. Emphasize the risks of ignoring it, and make it clear that this is a top priority. There are plenty of resources detailing the potential risks and costs of non-compliance. Designate someone to lead this effort and build a team to address it. The leader should be an executive with the cross-departmental authority to drive action. This is not a job to delegate to your IT department, although they should absolutely be involved. Involve your CIO, your Privacy and Compliance Officer, your CISO, your General Counsel, your CFO and other C-Level executives to make sure everyone understands the urgency of the GDPR mission.

While the costs and risks of non-compliance should be more than enough to get their attention, don’t forget the upside. Rather than take an “everyone else is behind, too” approach, think about how you can use GDPR compliance to outmaneuver your competitors. Not only will your company run leaner and faster with a sound information governance strategy, you will be able to add GDPR compliance to a list of reasons why customers should do business with your company.

Find Out Where You Stand

This is where many GDPR efforts stall. The reason: it’s an overwhelming task to even think about sifting through your company’s file stores to find and remediate sensitive data. Years of poor information governance practices and a “keep everything forever” mentality have likely added up to terabytes, even petabytes of data and files stored throughout your company on any number of file shares, individual hard drives, cloud applications and network drives. Research shows that even (sometimes especially) in large corporations with tight security policies, that haystack of files includes unsecured personally identifiable data, intellectual property, financial data, legal documents and other sensitive data.

Add to this challenge the fact that most company data is not stored neatly in searchable databases. Research shows the vast majority of corporate data is unstructured – in the form of emails, written documents, PowerPoint decks and other text-based forms of communication. There is simply no way for even a mid-sized company to manually sort through all those files and decide what to keep and what to delete. It is certainly not feasible if you hope to bring your company into compliance in time for the upcoming May GDPR deadline.

This is where automation can play a critical role. There are file analysis solutions on the market that can make this job much faster and easier, and at lower cost. Your employees have jobs to do, and while making GDPR a priority is a must, you certainly can’t halt your business operations to deal with it. If you haven’t already, invest now in a system that can do the heavy lifting for you. The ROI on a good file analysis solution should not be underestimated. In our next post, we’ll talk about some of the key requirements of an enterprise-grade file analysis solution.

Categorize, Clean and Organize

Once you’ve decided on a file analysis solution, work with your technology partner on a plan to categorize and organize your company’s files. The right partner should have the best practices and knowledge from dozens, if not hundreds, of implementations to help guide you through the process. They will understand the challenges and have methodologies and processes in place to help you streamline your company’s data, defensibly delete information that no longer serves your business, and make what remains more useful and actionable.

Think about this as the corporate version of the wildly popular book by Japanese author Marie Kondo, The Life-Changing Magic of Tidying Up. With an experienced partner to guide you, the results can be life-changing for your organization.

Create Policies for Lasting Change

It may be hard to believe now, but you will arrive at a point where the information you have left after all your efforts to categorize, clean and organize is now under control, and in compliance with the new GDPR regulations. Phew! It’s a big effort, but so worth it. Now, how do you ensure you remain in compliance? No matter how many times you organize, label and prune, once you start throwing things into that “junk drawer” again, it doesn’t take long for things to get messy. To ensure this doesn’t happen, appoint someone on your team as the ongoing leader for information governance. Data Protection Officers are already a GDPR requirement for organizations with more than 250 employees. Collaborate with each department to create policies and procedures for everyone in your company to follow. Then, make sure they are followed. Schedule regular reviews to make sure individuals and departments are not slipping out of compliance. Develop processes and systems that help you quickly identify and address situations that may arise. Again, a good partner can help guide you through this process and advise you on best practices.

Where Technology Can Help

People and technology are what got us into this information mess. The good news: people and technology can also help us get back on track. Data is being created at ever faster rates, and technology makes it easy to create, store, duplicate and share information. The cloud applications, thumb drives, file shares, and hard drives we use every day contain more information than we could possibly consume in our lifetimes. That is why it is useless to try and address the GDPR compliance challenge through manual efforts alone. It’s simply not possible.

In our next post, we’ll talk about the key requirements and capabilities of a good file analysis solution.