There is no doubt that it’s an exciting moment to be involved in Information Governance.
I say that as something of a veteran. In my early career in law firms, I helped clients grapple with complying with the demands of the data protection legislation implemented in Europe in response to the 1995 EU Data Protection Directive.
Now, many years on, that legislation, drafted by people who probably had not yet seen the internet in action, and might not have had access to a personal computer at work or at home, is being replaced by the EU General Data Protection Regulation. A Regulation intended to harmonise laws within the EU more effectively than before, and to ensure that privacy is protected, notwithstanding that, in the words of the Regulation itself, “Rapid technological developments and globalisation have brought new challenges for the protection of personal data.”
With those years behind me of working within the framework of the 1995 Directive, I can say that there is nothing particularly new about the data management requirements in the GDPR. Almost all of them have existed in one form or another around Europe. The big difference is that failure to meet them is backed by a fine that makes everyone sit up and listen.
Back in the early 2000s, in the early days of implementation of the 1995 Directive, there was what seemed to be an insatiable demand for information on legally compliant information governance. However, what struck me at the time was that although from a legal perspective, the requirements were clear, from an IT data management perspective things were far from straightforward. The data management tools available weren’t sophisticated enough to really help IT teams manage their data to the level of granularity required; particularly unstructured data.
It was with some excitement and trepidation that I took on the role as project leader of Veritas’ own GDPR compliance project. However, I think myself fortunate to be tackling this challenge at a time when data management tools are mature enough to provide real value to compliance efforts.
Veritas began its own journey by taking a long hard look at the personal data we hold, interviewing people in the business about what they were doing outside the systems, interviewing people in IT about what was happening inside the systems, and finally the fun bit: using our own long-established tools to solve the new challenge of the GDPR.
We have begun to use the in-built content classification capabilities in Veritas Data Insight and Information Map to quickly identify and tag files in our unstructured data sets that are likely to contain personal data. The output of this will feed our data flow mapping activities as we gain a more solid understanding of where personal data is located, (from both a geographic and IT infrastructure perspective), who has access to it and details around how that data is being used.
We also plan to deploy Veritas Enterprise Vault to store the files that we have found in unstructured data sets in a compliant manner, secure in the knowledge that Enterprise Vault can perform a gated and audited deletion of this data once retention expires.
Finally, we are refining our use of Veritas EDiscovery platform to search across a wide range of content sources to enable us to turbo charge our responses to subject access requests, the new right to be forgotten and the other data subject rights. My experience of the current range of data subjects’ rights is that they can be time consuming and difficult to manage at the best of times, but post May 2018 the fines attached to missing the deadlines are likely to present a real business risk and I’m glad to have the full battery of tools to help me meet them.
And so our journey to compliance continues in earnest. Whether you call it eating your own dog food or drinking your own champagne, there is no place like home if you want a test bed to better understand your customers’ needs. Our journey is their journey too, and it’s good to know we’re all in this together. Anyone for champagne?
