Tuesday, 19 September 2017

GDPR: a strategic business and information management challenge

GDPR: a strategic business and information management challenge (interview)
Article from the portal https://www.i-scoop.eu.
It is available at: http://tinyurl.com/ycaxgdws
Introduction: "In this interview we dive deeper in some strategic, enterprise information management (EIM) and Enterprise Content Management (ECM) aspects with EIM expert Rick Gruijters."
Main ideas from Rick Gruijters' answers
A) "With a strategic plan that looks at the highest risks first, the impact of your GDPR actions in turn will be the highest"
B) "In a risk analysis you identify all the gaps and build a matrix with a specific degree of risk for each missing piece"
C) The 3 stages in the end-to-end GDPR approach of IRIS Group
1. An awareness stage to empower your people and users, the weakest link in any ECM and security project.
2. An assessment and methodology stage to detect the risks and make a plan to solve them.
3. An implementation stage: rolling out, monitoring and improving.
D) "Privacy by design requires your organization to move from an ‘open unless’ to a ‘closed unless’ security approach on the ECM application level"
E) The right of erasure: GDPR, retention schemes and records management
F) "Metadata are a must for the GDPR and a retention scheme. Yet, users don’t like the hassle. Automation of metadata classification is the solution."
G) Automatic classification beyond ECM: documents, data and PII across the full information landscape
Quoting from the introduction:
"If you are only in the GDPR awareness stage (more about that below) when you read this, you’ll pretty likely be “too late” to become GDPR compliant by May 25th, 2018. Yet, that date is not the end. After reading this interview you’ll understand why, what you need to do and why in reality you can’t really be fully “GDPR-ready”"
Contents - section titles of the interview
- Why the GDPR is a business challenge and a GDPR strategy is essential
- A strategic GDPR plan prioritizes the highest risks and delivers the highest impact of your GDPR projects
- GDPR awareness as a strategic quick win that shows you act
- Risk analysis: from awareness and gaps to demonstrable GDPR action
- Privacy by design and information management in the GDPR: from ‘open unless to closed unless’
- Taking information management to the next GDPR compliance level: automatic classification
The page also contains a video: 4 EIM solutions that help organizations prepare for GDPR.
Quoting from the answers:
"There are several reasons why the GDPR is first and foremost a strategic business challenge. One of them is that, despite the fact we’re an information management and IT company, we always start from business challenges. And that corresponds with the market reality: today most challenges de facto come from the business instead of from IT. A project needs a solid business case and as a company you try to respond to it with partners and solutions."
"If you don’t have an overall strategy to begin with, you can’t demonstrably prove that you tried to do what you had to and have a plan of action going forward."
"What management needs to do, however, is make sure that all employees are aware of the GDPR and what it means for their work: explaining what the GDPR is, what is coming their way as a consequence, how they are supposed to deal with it and, importantly, that they are not alone in all of it."
"Even if it’s just the first step, the awareness stage is very important."
"In that second stage, assessment and methodology, you first conduct a thorough risk analysis and look at everything: your people, your information management and other processes, your technologies and so forth."
"On top of the fact that you started a project you can now show that 1) your staff has been educated and has started thinking about how to deal with information and 2) you have a documented plan that shows you know where you are, where you go and which actions you took and will take."
"The third and final stage is the implementation stage where you effectively start the projects which you found in your analysis and defined in your plan. This also means that you’ll need to monitor and evaluate if what you wanted to achieve has been achieved, how you can optimize the project if needed and move on with the next project."
"Privacy by design is indeed a key element of the GDPR and the regulation also says that systems and new applications by default need to support it. In practice this means that your platforms, information management systems and others, at least need to be able to support a security model whereby only people who really need access to personal data, get it to do their job."
"You need to map your entire system and authorization structure and ask yourself if you know who has access to a specific folder today."
"That brings us to records management. According to the GDPR, you shouldn’t retain information longer than necessary so that means you need to have a retention plan."
"The right of erasure requires records management and the design of retention schemes to delete personal information"
"Automatic classification of your full information landscape, including the identification of PII on the deepest level, brings you close to GDPR complian"
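Two of the quoted points are concrete enough to show in code: the move from an ‘open unless’ to a ‘closed unless’ access model on folders holding personal data (and the audit question "who has access to this folder today?"), and a retention scheme that tells you which records are past their retention period and should be erased. The example below is added here to illustrate both; it is not code from i-scoop, IRIS Group or Rick Gruijters. The folder paths, principals, retention periods and records are constructed sample data, and the function names are my own.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# --- Access model: "open unless" versus "closed unless" ---------------------
# Open unless: every principal may read a folder unless explicitly denied.
# Closed unless: no principal may read a folder unless explicitly granted.
# Evaluating both over the same folders shows the exposure the audit finds.


@dataclass
class Folder:
    path: str
    contains_pii: bool
    grants: set = field(default_factory=set)  # principals explicitly allowed
    denies: set = field(default_factory=set)  # principals explicitly blocked


def can_read_open_unless(folder, principal):
    return principal not in folder.denies


def can_read_closed_unless(folder, principal):
    return principal in folder.grants


def who_has_access(folder, principals, policy):
    """Answer 'who has access to this folder today?' under a given policy."""
    return sorted(p for p in principals if policy(folder, p))


def pii_over_exposure(folders, principals):
    """For each PII folder, principals who can read it under 'open unless'
    but would be locked out under 'closed unless' (no explicit grant)."""
    report = {}
    for f in folders:
        if not f.contains_pii:
            continue
        open_set = set(who_has_access(f, principals, can_read_open_unless))
        closed_set = set(who_has_access(f, principals, can_read_closed_unless))
        report[f.path] = sorted(open_set - closed_set)
    return report


# --- Retention scheme and erasure --------------------------------------------
# Constructed retention periods in days, keyed by record category (assumption).
RETENTION_SCHEME = {"hr-file": 2 * 365, "job-application": 180, "invoice": 7 * 365}


@dataclass
class Record:
    record_id: str
    category: str
    data_subject: str
    created: date


def due_for_erasure(records, today, scheme=RETENTION_SCHEME):
    """Records whose retention period has elapsed; an unknown category is an
    error, because a record without a retention rule cannot be defended."""
    due = []
    for r in records:
        days = scheme.get(r.category)
        if days is None:
            raise KeyError(f"no retention rule for category {r.category!r}")
        if today > r.created + timedelta(days=days):
            due.append(r.record_id)
    return due


def records_for_subject(records, subject):
    """Everything held about one data subject, e.g. for an erasure request."""
    return [r.record_id for r in records if r.data_subject == subject]


# --- Constructed sample data ---------------------------------------------------
FOLDERS = [
    Folder("/shared/hr/employee-files", True, {"hr-manager", "payroll"}, {"intern"}),
    Folder("/shared/marketing/brochures", False, {"marketing", "sales"}),
]
PRINCIPALS = ["hr-manager", "payroll", "marketing", "sales", "intern"]
RECORDS = [
    Record("R1", "job-application", "alice", date(2017, 9, 19)),
    Record("R2", "hr-file", "bob", date(2017, 1, 10)),
    Record("R3", "invoice", "alice", date(2010, 6, 1)),
]
GDPR_DATE = date(2018, 5, 25)

if __name__ == "__main__":
    for path, exposed in pii_over_exposure(FOLDERS, PRINCIPALS).items():
        print(f"{path}: over-exposed to {exposed}")
    print("due for erasure:", due_for_erasure(RECORDS, GDPR_DATE))
    print("held about alice:", records_for_subject(RECORDS, "alice"))
```

The over-exposure report is the gap list the interview's risk analysis asks for: every principal named in it is someone who can reach personal data today without anyone having decided they need it. The retention check deliberately refuses records with no rule, since "we had no schedule for that category" is exactly the situation a retention scheme exists to remove.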