storm cloud on the horizon
Every company doing business in the EU is scrambling to get ready before the GDPR goes into effect next year PHOTO: Timothy Ah Koy

Companies around the globe doing business in the European Union (EU) will need to pay close attention in the coming months to a new regulation that promises to shake up the way they manage data related to EU citizens.

The General Data Protection Regulation (GDPR), scheduled to take effect in May 2018, is intended to protect EU citizens' personally identifiable information (PII). But unlike the Data Protection Directive it replaces, it applies not just to EU-based companies, but any company collecting PII on EU citizens. 

That means if a company based outside of the EU conducts business in the EU, the GDPR will apply to them as well. Organizations that don't take steps to protect personal data face fines of up to €20 million or 4 percent of annual revenue, whichever is larger. 

How companies go about complying with the law, however, is entirely up to them.

While the GDPR is quite clear on the level of protection required for personal data, it doesn’t spell out the processes or technologies companies should use to ensure that protection. One approach worth considering is to employ an enterprise content management (ECM) system that takes advantage of metadata to enforce the security and governance required to protect customer data.

GDPR Carries a High Price for Violation

The EU Parliament approved the GDPR in April 2016 as a replacement for the Data Protection Directive, adopted in 1995. It is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy,” according to the GDPR website. 

With it, citizens have easier access to personal data that companies collect and information on how the data is used, among other benefits.

While the regulation does “harmonize” domestic privacy laws across the EU by essentially replacing a patchwork of country-by-country laws, it also comes with some stringent requirements. Companies must incorporate data protection into the design of any data collection or storage system. Companies should also keep only PII that’s necessary for the specific reason it was collected, a concept the regulation calls “data minimization.”

Any organization processing PII for more than 5,000 people in a 12-month period also needs to appoint a data protection officer (DPO) to ensure the company complies with the law. If companies share customer PII with subcontractors or partners, the company is responsible for ensuring those partners comply as well.

Should companies suffer a data breach involving customer PII, they must report it within 72 hours, although that requirement is waived if the data is encrypted.

Embedding Compliance Into Your Systems

Metadata can play an important role in helping companies comply with the various GDPR requirements. When leveraged within an ECM system, metadata helps companies correctly categorize and manage PII according to GDPR requirements.

For example, contracts and invoices by their nature contain sensitive customer information. An ECM system can treat any file labeled “contract” or “invoice” as PII. More importantly, it is crucial to determine the person whose data is in the file since citizens can now request companies to provide an index of the PII data that the company stores about them.

Once a file or object is labeled as containing PII, the ECM system can automatically initiate other actions to ensure proper treatment and handling of information according to the new regulation, such as:  

  • Encrypting all files and objects that contain PII, both during transmission and while at rest
  • Applying access control and permission management, to ensure only authorized users can access PII. For example, customer service representatives may be able to view customer purchase orders, but not marketing teams
  • Enforcing rules around retention and deleting, to ensure data isn’t kept longer than necessary
  • Preventing files and objects containing PII from being inadvertently or intentionally emailed or otherwise transferred outside of the organization
  • Tracking any modifications to PII files and objects, to show who changed what, and when
  • Providing an audit trail to prove only authorized employees had access to customer PII

Taking such an automated approach to protecting PII brings order, consistency and efficiency to the task, making it faster and easier to comply with GDPR requirements. It largely takes decisions about how to handle PII out of the hands of individual employees and instead applies corporate-level data governance policies.

Given the hefty penalties GDPR imposes for noncompliance, it’s clear organizations doing business with EU countries need to come up with a plan for addressing GDPR requirements. Deploying a metadata-driven ECM system is one step towards meeting requirements and ensuring PII is protected.