Project Type: Compliance

8 posts

Global. Internal and External. Outsourced or SME friendly.

GDPR explained for small businesses and their advisors

An excellent and succinct text from makers of  beautiful accounting software XERO.

What does GDPR mean?

Although GDPR might seem scary at first, many see it as a positive step forward for data protection. Some of the key areas GDPR covers are:

  • personal data about EU-based people (absolutely all of it)
    This includes your customers, employees, suppliers and any other individual you collect personal data from. Personal data includes names, contacts, medical information, credit card or bank account details and more.
  • how you collect personal data
    You can only collect personal data if you have a legal reason to do so. You might need it for a sales contract, for example. Or your customer may have asked you to send them some information on your product or service. In all cases, you must make it clear what the personal data will be used for – and only use it for that purpose.
  • user contracts and terms and conditions (on websites, for example)
    These need to be simple, clear and easy to understand – with no complicated legal text.
  • the right to know
    Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month and can’t charge a fee (which they used to be able to do).
  • the right to erasure
    Customers can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.
  • data portability
    Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.
  • data breach
    You’re obliged to report certain types of data breach to the relevant supervisory authority.

The UK government will replicate GDPR into UK law prior to Brexit, so if you’re a UK company, Brexit won’t impact your obligations.

GDPR and data protection

It’s important to understand the spirit of GDPR. The legislation came into existence because of the way personal data has been treated in the past. Many companies treated personal data as a resource they could utilise without regard to the rights of individuals.

For example, some companies sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to adequately protect data against hackers.

GDPR gives control of personal data back to the people who own it, and it requires organisations to make data protection a core part of their operations and processes. Yes, this affects big, data-driven organisations but it also has important implications for small businesses. We’ve set out some steps below to help you get your business in shape.

Does GDPR affect data security?

Data security is a big part of GDPR. If you process personal data of people in the EU you have a duty to keep it safe so it’s important to ensure that any personal data held by you is securely stored.

GDPR also governs where companies store personal data, and what safeguards you must have in place in order to store and process that personal data outside of the EU. For example, if you’re transferring personal data to a US-based company (that will store and process it in the US), you should check that they’re certified with Privacy Shield, which is a mechanism designed to allow data transfers from the EU to the US.

Summary of GDPR for small business

There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – that means treating it as you’d treat something valuable of your own. Some initial practical steps you can take to get GDPR compliant are:

Check products and services

  • Check which of your products or services collect and process personal data.
  • Ensure you have a legal basis for the processing of personal data.
  • Ensure you can comply with the obligations to your customers as set out in the GDPR (such as the right of access and the right of erasure).

Review notices and contracts

  • Update your internal and external notices for GDPR compliance.
  • Ensure your customer contracts are GDPR compliant.

Assign responsibility

  • Make someone in your organisation responsible for data protection and privacy.
  • Consider whether you need to appoint a Data Protection Officer – check out the ICO’s guidance for more info.
  • Provide data protection training for staff.

Take care over security
Ensure systems that collect, process and store personal data are secure.

GDPR resources for small businesses and advisors

You can get useful information on GDPR from:

Also talk to your legal advisers about what you need to do to be GDPR compliant.

WTF is GDPR?

European Union lawmakers proposed a comprehensive update to the bloc’s data protection and privacy rules in 2012. WTF is GDPR?

This text has been taken from The Tech Crunch here.  This is yet another condensed explanation on the key point of GDPR. The aim of this comment is to clarify (once more) the key points important for you (the business owner) to understand.

Their aim: To take account of seismic shifts in the handling of information wrought by the rise of the digital economy in the years since the earlier regime was penned — all the way back in 1995 when Yahoo was the cutting edge of online cool and cookies were still just tasty biscuits.

Here’s the EU’s executive body, the Commission, summing up the goal:

The objective of this new set of rules is to give citizens back control over of their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritized. The reform will allow European citizens and businesses to fully benefit from the digital economy.

For an even shorter tl;dr the EC’s theory is that consumer trust is essential to fostering growth in the digital economy. And it thinks trust can be won by giving users of digital services more information and greater control over how their data is used. Which is — frankly speaking — a pretty refreshing idea when you consider the clandestine data brokering that pervades the tech industry. Mass surveillance isn’t just something governments do.

It was actually much more than 3 years.

The General Data Protection Regulation (aka GDPR) was agreed after more than three years of negotiations between the EU’s various institutions.

It’s set to apply across the 28-Member State bloc as of May 25, 2018. That means EU countries are busy transposing it into national law via their own legislative updates (such as the UK’s new Data Protection Bill — yes, despite the fact the country is currently in the process of (br)exiting the EU, the government has nonetheless committed to implementing the regulation because it needs to keep EU-UK data flowing freely in the post-Brexit future. Which gives an early indication of the pulling power of GDPR.

What is and will be much more, required are consultants actually solving the technology and logistics hurdles necessary to overcome in order to implement what is this “cottage industry” proposing. 

Meanwhile, businesses operating in the EU are being bombarded with ads from a freshly energized cottage industry of ‘privacy consultants’ offering to help them get ready for the new regs — in exchange for a service fee. It’s definitely a good time to be a law firm specializing in data protection.

GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out. In the meanwhile, here’s our guide to the major changes incoming and some potential impacts.[nextpage title=”Data protection + teeth”]

Not just that but every “entity” simply relaying this kind of data has to be fully GDPR compliant. Best example: All the AWS servers of any EU based “data controllers” or “data processors” have to be GDPR compliant. MS Azure too, Google, Apple and the rest too …

A major point of note “right off the bat” is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. Facebook, for example — a US company that handles massive amounts of Europeans’ personal data — is going to have to rework multiple business processes to comply with the new rules. Indeed, it’s been working on this for a long time already.

Last year the company told us it had assembled “the largest cross-functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

Much better example is Office 365. MS has made sure it is fully GDPR compliant all the way from EU located Data Centres , to the comprehensive set of mechanisms available for admins to make every O365 EU user fully GDPR compliant.  No wonder all EU institutions (private including) are using it.

The new EU rules require organizations to appoint a data protection officer if they process sensitive data on a large scale (which Facebook very clearly does). Or are collecting info on many consumers — such as by performing online behavioral tracking. But, really, which online businesses aren’t doing that these days?

The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection — and some legal experts suggest the regulation will force privacy standards to rise outside the EU too.

Sure, some US companies might prefer to swallow the hassle and expense of fragmenting their data handling processes, and treating personal data obtained from different geographies differently, i.e. rather than streamlining everything under a GDPR compliant process. But doing so means managing multiple data regimes. And at very least runs the risk of bad PR if you’re outed as deliberately offering a lower privacy standard to your home users vs customers abroad.

Ultimately, it may be easier (and less risky) for businesses to treat GDPR as the new ‘gold standard’ for how they handle all personal data, regardless of where it comes from.

And while not every company harvests Facebook levels of personal data, almost every company harvests some personal data. So for those with customers in the EU GDPR cannot be ignored. At very least businesses will need to carry out a data audit to understand their risks and liabilities.

Privacy experts suggest that the really big change here is around enforcement. Because while the EU has had long-established data protection standards and rules — and treats privacy as a fundamental right — its regulators have lacked the teeth to command compliance.

But now, under GDPR, financial penalties for data protection violations step up massively.

The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover (or €20M, whichever is greater). Though data protection agencies will, of course, be able to impose smaller fines too. And, indeed, there’s a tiered system of fines — with a lower level of penalties of up to 2% of global turnover (or €10M).

This really is a massive change. Because while data protection agencies (DPAs) in the different EU Member States can impose financial penalties for breaches of existing data laws these fines are relatively small — especially set against the revenues of the private sector entities that are getting sanctioned.

In the UK, for example, the Information Commissioner’s Office (ICO) can currently impose a maximum fine of just £500,000. Compare that to the annual revenue of tech giant Google (~$90BN) and you can see why a much larger stick is needed to police data processors.

It’s not necessarily the case that individual EU Member States are getting stronger privacy laws as a consequence of GDPR (in some instances countries have arguably had higher standards in their domestic law). But the beefing up of enforcement that’s baked into the new regime means there’s a better opportunity for DPAs to start to bark and bite like proper watchdogs.

GDPR inflating the financial risks around handling personal data should naturally drive up standards — because privacy laws are suddenly a whole lot more costly to ignore.[nextpage title=”More types of personal data that are hot to handle”]

So what is personal data under GDPR? It’s any information relating to an identified or identifiable person (in regulator speak people are known as ‘data subjects’).

While ‘processing’ can mean any operation performed on personal data — from storing it to structuring it to feeding it to your AI models. (GDPR also includes some provisions specifically related to decisions generated as a result of automated data processing but more on that below).

A new provision concerns children’s personal data — with the regulation setting a 16-year-old age limit on kids’ ability to consent to their data being processed. However individual Member States can choose (and some have) to derogate from this by writing a lower age limit into their laws.

GDPR sets a hard cap at 13-years-old — making that the defacto standard for children to be able to sign up to digital services. So the impact on teens’ social media habits seems likely to be relatively limited.

The new rules generally expand the definition of personal data — so it can include information such as location data, online identifiers (such as IP addresses) and other metadata. So again, this means businesses really need to conduct an audit to identify all the types of personal data they hold. Ignorance is not compliance.

GDPR also encourages the use of pseudonymization (such as encrypting personal data and storing the encryption key separately and securely) — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Although pseudonymized data is likely to still be considered personal data; certainly where a risk of reidentification remains. So it does not get a general pass from requirements under the regulation.

Data has to be rendered truly anonymous to be outside the scope of the regulation. (And given how often ‘anonymized’ data-sets have been shown to be re-identifiable, relying on any anonymizing process to be robust enough to have zero risk of re-identification seems, well, risky.)

The incoming data protection rules apply to both data controllers (i.e. entities that determine the purpose and means of processing personal data) and data processors (entities that are responsible for processing data on behalf of a data controller — aka subcontractors).

Indeed, data processors have some direct compliance obligations under GDPR, and can also be held equally responsible for data violations, with individuals able to bring compensation claims directly against them, and DPAs able to hand them fines or other sanctions.

So the intent for the regulation is there be no diminishing in responsibility down the chain of data handling subcontractors. GDPR aims to have every link in the processing chain be a robust one.

For companies that rely on a lot of subcontractors to handle data operations on their behalf there’s clearly a lot of risk assessment work to be done.

As noted above, there is a degree of leeway for EU Member States in how they implement some parts of the regulation (such as with the age of data consent for kids).

Consumer protection groups are calling for the UK government to include an optional GDPR provision on collective data redress to its DP bill, for example — a call the government has so far rebuffed.

But the wider aim is for the regulation to harmonize as much as possible data protection rules across all Member States to reduce the regulatory burden on digital businesses trading around the bloc.

On data redress, European privacy campaigner Max Schrems — most famous for his legal challenge to US government mass surveillance practices that resulted in a 15-year-old data transfer arrangement between the EU and US being struck down in 2015 — is currently running a crowdfunding campaign to set up a not-for-profit privacy enforcement organization to take advantage of the new rules and pursue strategic litigation on commercial privacy issues.

Schrems argues it’s simply not viable for individuals to take big tech giants to court to try to enforce their privacy rights, so thinks there’s a gap in the regulatory landscape for an expert organization to work on EU citizen’s behalf. Not just pursuing strategic litigation in the public interest but also promoting industry best practice.

The proposed data redress body; short for: ‘none of your business’ — is being made possible because GDPR allows for the collective enforcement of individuals’ data rights. And that provision could be crucial in spinning up a centre of enforcement gravity around the law. Because despite the position and role of DPAs being strengthened by GDPR, these bodies will still inevitably have limited resources vs the scope of the oversight task at hand.

Some may also lack the appetite to take on a fully fanged watchdog role. So campaigning consumer and privacy groups could certainly help pick up any slack.[nextpage title=”Privacy by design and privacy by default”]

Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.

This means there’s a requirement on data controllers to minimize processing of personal data — limiting activity to only what’s necessary for a specific purpose, carrying out privacy impact assessments and maintaining up-to-date records to prove their compliance.

Consent requirements for processing personal data are also considerably strengthened under GDPR — meaning lengthy, inscrutable, pre-ticked T&Cs are likely to be unworkable. (And we’ve sure seen a whole lot of those hellish things in tech.) The core idea is that consent should be an ongoing, actively managed process; not a one-off rights grab.

As the UK’s ICO tells it, consent under GDPR for processing personal data means offering individuals “genuine choice and control” (for sensitive personal data the law requires a higher standard still — of explicit consent).

There are other legal bases for processing personal data under GDPR — such as contractual necessity, or compliance with a legal obligation under EU or Member State law, or for tasks carried out in the public interest — so it is not necessary to obtain consent in order to process someone’s personal data. But there must always be an appropriate legal basis for each processing.

Transparency is another major obligation under GDPR, which expands the notion that personal data must be lawfully and fairly processed to include a third principle of accountability. Hence the emphasis on data controllers needing to clearly communicate with data subjects — such as by informing them of the specific purpose of the data processing.

The obligation on data handlers to maintain scrupulous records of what information they hold, what they are doing with it, and how they are legally processing it, is also about being able to demonstrate compliance with GDPR’s data processing principles.

But — on the plus side for data controllers — GDPR removes the requirement to submit notifications to local DPAs about data processing activities. Instead, organizations must maintain detailed internal records — which a supervisory authority can always ask to see.

It’s also worth noting that companies processing data across borders in the EU may face scrutiny from DPAs in different Member States if they have users there (and are processing their personal data). Although the GDPR sets out a so-called ‘one-stop-shop’ principle — that there should be a “lead” DPA to co-ordinate supervision between any “concerned” DPAs — this does not mean that once it applies a cross-EU-border operator like Facebook is only going to be answerable to the concerns of the Irish DPA.

Indeed, Facebook’s tactic of only claiming to be under the jurisdiction of a single EU DPA looks to be on borrowed time. And the one-stop-shop provision in the GDPR seems more about creating a co-operation mechanism to allow multiple DPAs to work together in instances where they have joint concerns. Rather than offering a way for multinationals to go ‘forum shopping’ — which the regulation does not permit (per WP29 guidance).

Another change: Privacy policies that contain vague phrases like ‘We may use your personal data to develop new services’ or ‘We may use your personal data for research purposes’ will not pass muster under the new regime. So a wholesale rewriting of vague and/or confusingly worded T&Cs is something Europeans can look forward to this year.

Add to that, any changes to privacy policies must be clearly communicated to the user on an ongoing basis. This means no more references in the privacy statement telling users to ‘regularly check for changes or updates’ — that just won’t be workable.

The onus is firmly on the data controller to keep the data subject fully informed of what is being done with their information. (Which almost implies that good data protection practice could end up tasting a bit like spam, from a user PoV.)

The overall intent behind GDPR is to inculcate an industry-wide shift in perspective regarding who ‘owns’ user data — disabusing companies of the notion that other people’s personal information belongs to them just because it happens to be sitting on their servers.

“Organizations should acknowledge they don’t exist to process personal data but they process personal data to do business,” is how analyst Gartner research director Bart Willemsen sums this up. “Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too.”

The data protection officer (DPO) role that GDPR brings in as a requirement for many data handlers is intended to help them ensure compliance.

This officer, who must report to the highest level of management, is intended to operate independently within the organization, with warnings to avoid an internal appointment that could generate a conflict of interests.

Which types of organizations face the greatest liability risks under GDPR? “Those who deliberately seem to think privacy protection rights is inferior to business interest,” says Willemsen, adding: “A recent example would be Uber, regulated by the FTC and sanctioned to undergo 20 years of auditing. That may hurt perhaps similar, or even more, than a one-time financial sanction.”

“Eventually, the GDPR is like a speed limit: There not to make money off of those who speed, but to prevent people from speeding excessively as that prevents (privacy) accidents from happening,” he adds.

Another right to be forgotten

Under GDPR, people who have consented to their personal data being processed also have a suite of associated rights — including the right to access data held about them (a copy of the data must be provided to them free of charge, typically within a month of a request); the right to request rectification of incomplete or inaccurate personal data; the right to have their data deleted(another so-called ‘right to be forgotten’ — with some exemptions, such as for exercising freedom of expression and freedom of information); the right to restrict processing; the right to data portability (where relevant, a data subject’s personal data must be provided free of charge and in a structured, commonly used and machine-readable form).

All these rights make it essential for organizations that process personal data to have systems in place which enable them to identify, access, edit and delete individual user data — and be able to perform these operations quickly, with a general 30-day time-limit for responding to individual rights requests.

GDPR also gives people who have consented to their data being processed the right to withdraw consent at any time. Let that one sink in.

Data controllers are also required to inform users about this right — and offer easy ways for them to withdraw consent. So no, you can’t bury a ‘revoke consent’ option in tiny lettering, five sub-menus deep. Nor can WhatsApp offer any more time-limit opt-outs for sharing user data with its parent multinational, Facebook. Users will have the right to change their minds whenever they like.

The EU lawmakers’ hope is that this suite of rights for consenting consumers will encourage respectful use of their data — given that, well, if you annoy consumers they can just tell you to sling yer hook and ask for a copy of their data to plug into your rival service to boot. So we’re back to that fostering trust idea.

Add in the ability for third-party organizations to use GDPR’s provision for the collective enforcement of individual data rights and there’s potential for bad actors and bad practice to become the target for some creative PR stunts that harness the power of collective action — like, say, a sudden flood of requests for a company to delete user data.

Data rights and privacy issues are certainly going to be in the news a whole lot more.[nextpage title=” Getting serious about data breaches”]

But wait, there’s more! Another major change under GDPR relates to security incidents — aka data breaches (something else we’ve seen an awful, awful lot of in recent years) — with the regulation doing what the US still hasn’t been able to: Bringing in a universal standard for data breach disclosures.

GDPR requires that data controllers report any security incidents where personal data has been lost, stolen or otherwise accessed by unauthorized third parties to their DPA within 72 hours of them becoming aware of it. Yes, 72 hours. Not the best part of a year, like er Uber.

If a data breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms” the regulation also implies you should ‘fess up even sooner than that — without “undue delay”.

Only in instances where a data controller assesses that a breach is unlikely to result in a risk to the rights and freedoms of “natural persons” are they exempt from the breach disclosure requirement (though they still need to document the incident internally, and record their reason for not informing a DPA in a document that DPAs can always ask to see).

“You should ensure you have robust breach detection, investigation and internal reporting procedures in place,” is the ICO’s guidance on this. “This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.”

The new rules generally put a strong emphasis on data security and on the need for data controllers to ensure that personal data is only processed in a manner that ensures it so safeguarded.

Here again, GDPR’s requirements are backed up by the risk of supersized fines. So suddenly sloppy security could cost your business big — not only in reputation terms, as now, but on the bottom line too. So this has to be a C-suite concern now.

Nor is subcontracting a way to shirk your data security obligations. Quite the opposite. Having a written contract in place between a data controller and a data processor was a requirement before GDPR but contract requirements are wider now and there are some specific terms that must be included in the contract, as a minimum.

Breach reporting requirements must also be set out in the contract between the processor and controller. If a data controller is using a data processor and it’s the processor that suffers a breach, they’re required to inform the controller as soon as they become aware. The controller then has the same disclosure obligations as per usual.

Essentially, data controllers remain liable for their own compliance with GDPR. And the ICO warns they must only appoint processors who can provide “sufficient guarantees” that the regulatory requirements will be met and the rights of data subjects protected.

tl;dr, be careful who and how you subcontract.

Right to human review for some AI decisions

Article 22 of GDPR places certain restrictions on entirely automated decisions based on profiling individuals — but only in instances where these human-less acts have a legal or similarly significant effect on the people involved.

There are also some exemptions to the restrictions — where automated processing is necessary for entering into (or performance of) a contract between an organization and the individual; or where it’s authorized by law (e.g. for the purposes of detecting fraud or tax evasion); or where an individual has explicitly consented to the processing.

In its guidance, the ICO specifies that the restriction only applies where the decision has a “serious negative impact on an individual”.

Suggested examples of the types of AI-only decisions that will face restrictions are automatic refusal of an online credit application or an e-recruiting practices without human intervention.

Having a provision on automated decisions is not a new right, having been brought over from the 1995 data protection directive. But it has attracted fresh attention — given the rampant rise of machine learning technology — as a potential route for GDPR to place a check on the power of AI black boxes to determine the trajectory of humankind.

The real-world impact will probably be rather more prosaic, though. And experts suggest it does not seem likely that the regulation, as drafted, equates to a right for people to be given detailed explanations of how algorithms work.

Though as AI proliferates and touches more and more decisions, and as its impacts on people and society become more evident, pressure may well grow for proper regulatory oversight of algorithmic black boxes.

In the meanwhile, what GDPR does in instances where restrictions apply to automated decisions is require data controllers to provide some information to individuals about the logic of an automated decision.

They are also obliged to take steps to prevent errors, bias, and discrimination. So there’s a whiff of algorithmic accountability. Though it may well take the court and regulatory judgments to determine how stiff those steps need to be in practice.

Individuals do also have a right to challenge and request a (human) review of an automated decision in the restricted class.

Here again, the intention is to help people understand how their data is being used. And to offer a degree of protection (in the form of a manual review) if a person feels unfairly and harmfully judged by an AI process.

The regulation also places some restrictions on the practice of using data to profile individuals if the data itself is sensitive data — e.g. health data, political belief, religious affiliation, etc — requiring explicit consent for doing so. Or else that the processing is necessary for substantial public interest reasons and lies within EU or Member State law.

While profiling based on other types of personal data does not require obtaining consent from the individuals concerned, there is still a transparency requirement — which means service providers will need to inform users they are being profiled, and explain what it means for them.

Natasha Lomas

gdpr + eu flag

Office 365: Encryption and control

[Note: this is partially an advertisement, but very informative text on general Office365, encryption and control. It shows the kind of a compliance required by high risk environments, achievable by using third party products and Office365 as a platform]
Continue reading

Data Protection Guide

Update: This text was compiled almost a year before GDPR was signed. But it cpontains teminology relevant in the GDPR.

Overview

Data protection laws exist to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business. The (UK) Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. These rules and rights were revised and superseded by the Data Protection Act 1998 which came into force on 1st March 2000. This Guide explains what you should know about data protection under the Data Protection Act 1998 (‘the Act’). Continue reading

Enterprise Content Management is not Information Governance

Enterprise Content Management is not Information Governance

Quite a lot is written these days about information management and information governance. Analysts are predicting that effective information management and governance can be a game changer for enterprises.

BUt. Doesn’t this sound a lot like Enterprise Content Management, or ECM?  Aren’t there already plenty of successful vendors, ECM installations, and ECM strategies at work across companies at all levels, for many years now?

ECM and IG are not the same

In the world of enterprise content management, everything hangs on one single principle: that each document is unique, serves a defined purpose, and is therefore managed.

ECM is critical to regulated industries such as pharmaceutical, where even the specific revisions of drug labels must be managed and ECM solutions provide reliable, defensible tools.  ECM aids companies who regularly develop collaterals, training materials, as well as mundane activities like tracking contracts, document revisions, and so on.

This is not information governance, however – nor is it information management as the world is beginning to understand it.   The ECM world already assumes a one-to-one relationship, which is why ECM has never proven to be a solution for information governance.

Information management and governance – the one-to-many conundrum

One to Many
One to Many

In the information governance world, the rule of thumb is one-to-many.  And this is driven largely by email!

Email by its nature is repetitive:  even email archiving systems cannot and should not eliminate duplication.

In cases where an author sends the same document attachment to multiple recipients, logically all copies point back to the same central document. But as that document moves outside the organization, gets multiplied, is commented upon, and becomes the foundation for an email dialogue, the same information will be repeated and multiplied to make the matters worse.

Information governance has to go beyond the notion of identifying a single document or item and then tracking all revisions.  In the case of email, these revisions are derivatives in branches – in other words, conversations.  An ECM management solution can’t handle this situation, at least not easily.

Managed per content vs. managed per value

Another way to look at ECM is to look at how information is managed. ECM manages based on content:  what’s in a document determines how it and any documents that relate to it are managed. This is how revisioning for example works: inside each revision only changed content is stored not the whole document.

In the information governance world, there are simply too many variables.  Going beyond mere duplication, there is also the challenge that content simply “comes into” an organization via email and then forms the basis for other content.  The process is random.

The key to information governance is understanding the value of content and then applying management.

This is exactly and also is what Big-Data is all about: value of the whole content. Content (aka Information aka Data)  Value has been elusive, but think-groups like the Information Governance Initiative have begun to identify how companies are being successful in valuing information, (often by using Big-Data platforms).  Often, the mere age of the information is a measure of its value:  email is transient by nature, and unless mail refers to a specific subject that is managed differently (example, emails discussing pharma/client relationships at bio-tech institutions), its value decreases as it ages and it ultimately becomes worthless. And toxic as IT Regulators are very keen you don’t store but dump old information.  Companies have successfully ascribed any pre-determined aging to such documents and, as they are covered by legal holds or compliance regulations, delete them after a defined period.

Modern enterprise needs both ECM and IG

Is this really true for each and every mid to large Enterprise? The answer is probably yes, but it is easier to answer whether or not they need enterprise content management (ECM) first.

There are a number of ways to handle content within an organization, and solutions regularly overlap.  Multi-disciplinary solutions like SAP and Oracle provide content management as well as enterprise resource management, routing, tracking, programmatic responses, and the like.  Rarely do they provide information governance for unstructured information like emails, and in cases where they do, that email is often associated with other content.

Information governance (IG), on the other hand, first and foremost requires mature organization with mature and repeatable governance in place.

On the implementation level, IG can be simply an archiving solution:  capture and preserve email to satisfy regulations and later search and discovery.  At its most granular (read: complex) level, IG implementation can, similar to ECM, play a role in identifying unstructured content, categorizing it, and applying very company and content-specific management rules.

Companies need both for different reasons.  Companies usually need ECM platform, because the particular type of information being managed is critical to their business.

Companies need information governance, on the other hand, because there is too much unmanaged and unstructured information flowing throughout their organizations.  Without management, they are unable to mine any potential insights from that information.  Without management, they are also unable to mitigate any risks that information may pose. And this is one very critical driver becoming obvious as from 2015 Q1.  Information can and will become toxic just as any other waste: if dumped anywhere it will develop its toxicity through time. As any “big bank” knows by now, for example. On the other hand if old and stale information, is classified and incinerated it will be safely disposed of.

And make no mistake: informations protection regulators are already here.

[In part inspired by an article published February 2, 2015 By Dave Hunt ]