GDPR and the State of Employee Data Privacy


Managing data isn’t much fun anymore. Information governance initiatives have barely begun, and already, new privacy regulations such as GDPR are adding to the challenge. Additionally, analytics are taking off, but that too poses new conflicts in both governance and compliance.

If you're like many in the industry wondering how to reconcile these complexities and seeming contradictions, it may help to take ten paces back and examine the underlying issues.
 
Unstructured and Unknown 
At the top of the list for many organizations is the management of unstructured data—data created by humans for humans, such as emails, documents found in file shares, and SharePoint. Embedded in its description is a key point: unstructured data communicates intent to those able to access it. 
 
If a company were able to harness all unstructured enterprise data, it follows that they would be able to form a complete picture of the processes, decisions, and minds that make a business run. Who knows what? Who are the subject experts? Who are the go-to people? How was a particular consequential decision made? The answers to these questions and so many more are sitting out there, but piecing them together is easier said than done.
 
By its very nature, this data often contains large amounts of personal information, which adds a layer of uncertainty to managing and processing it. ZL Technologies and Osterman Research recently conducted a study that demonstrated significant variance in organizational confidence regarding the management of employee personal data.

Only 23% of the 258 surveyed IT influencers and decision makers were “very confident” their own personal data privacy was properly managed, with the rest being “reasonably confident,” “only somewhat confident,” or worse.
  
The Silo Problem
GDPR is climbing to the top of enterprise priorities, but much of the buzz fails to capture even a fraction of the technical challenges ahead. In essence, much of it comes down to one fundamental problem: GDPR respects no silos, yet the world’s data architecture is overwhelmingly silo-based. Data silos raise a myriad of questions: 
 

  • Are organizations going to search data silos individually for personal data, each silo with its own search engine limitations? 
  • What happens once they find that disparate data?
  • Can they delete data with confidence that it’s not being used for other legal, regulatory or business purposes? 

Seemingly simple processes quickly become complicated when a document and its duplicates could be found across dozens (or even hundreds) of repositories. Bridging data silos and managing enterprise-wide content to satisfy GDPR requirements is one of the most daunting challenges IT has ever faced.
 
Solving for Privacy
To solve such issues, some large organizations are leveraging unified information governance functions—already firmly embedded in RIM methodologies—on an enterprise scale. By unifying all unstructured content in a single repository and applying the sort of classifications and policies previously applied only to records, organizations can begin getting a grasp on personal data. 
 
Within this unified system there is a single copy of each document, each of which points to its respective duplicates that lie across enterprise silos. With such a system, you can determine how data is being used, where it’s stored, and which governance functions operate on it (e.g. should it be deleted for GDPR or kept for eDiscovery or records) all in one place. Even more crucially, you can be confident that, when it’s deleted centrally, it’s deleted everywhere.
 
Needless to say, this approach defies the current paradigm. However, once implemented, each component of governance becomes much more manageable. The beauty of it is that, because you already have all enterprise data in one spot, indexed, classified, and governed, the legwork for successful analytics initiatives is already done. 
 
Rather than trying to fix each problem individually, it’s helpful to step back and ask: what is the best way to truly control information? With that question answered, everything else follows.
