Jason Petrucci explains why European Union General Data Protection Regulation (GDPR) compliance signposts a new era of data discovery and data value that will enable firms to unlock invaluable Intellectual Property.
Professional services organisations sell knowledge. Information is, without doubt, the most valuable asset for any firm, but how will the changing regulatory landscape affect attitudes to that information?
Facing up to the demands of the forthcoming EU GDPR – and punitive fines for failure to comply – it’s fair to suggest that firms are set to adopt a compliance-first attitude to data processing, retention, retrieval and destruction. Yet, while there are clear operational demands and technology overheads associated with achieving GDPR compliance, there are also significant commercial wins for those firms adopting a proactive approach.
In a market increasingly concerned about data security and privacy, firms risk becoming the weak link and rising target for cyber criminals. As such, the ability to demonstrate strong data governance policies is becoming something of a commercial imperative. In addition, the technologies now being deployed to support GDPR compliance, including Artificial Intelligence and machine learning, are set to play a transformative role in unlocking data value.
GDPR: The Implications
With the May 2018 deadline looming, the GDPR should be focusing the attentions of any professional services organisation. This marks a new era for organisations that have traditionally relied on self-regulation, with fines for any proven non-compliance totalling up to €20 million (or 4% of global annual turnover) being mentioned.
The regulation’s emphasis on the safeguarding of personal information creates new requirements for professional services firms (for example, the ability to respond to Data Subject Access Requests within 30 days, as well as the creation and enforcement of robust policies for information retention, redaction and destruction).
The essential challenge for CISOs and CIOs, then, in assessing the current risk level will be to determine data sources, data location and the risk profile of that data. Where is data stored across the organisation? What data retention and destruction policies have been in place to date? Have they been enforced?
Step Two of the Information Commissioner’s Office’s 12-Step Guide to preparing for the EU GDPR outlines a company’s duty to document all personal data held, its source and any way in which it has been shared. That document also recommends an information audit to ascertain what data’s currently controlled.
However, with the volume of data retained by companies growing exponentially and typically being scattered across ECM and paper storage, desktops and the cloud, this is far from straightforward. Standard enterprise search technologies have limitations. They cannot identify data within PDFs without the assistance of third party applications, while data located in e-mails, file shares – both on premise and in the cloud – as well as CRM applications and client portals can also be hard to identify using traditional techniques.
Given the limitations of traditional search technologies, what are the options? Throwing bodies at the problem isn’t realistic. It would be impossible for a human to evaluate, assess and review Terabytes or even Petabytes of data without the assistance of some form of technology. Even if the function could be outsourced to thousands of humans, it just wouldn’t scale. This is where Artificial Intelligence and machine learning could play a significant part in achieving and sustaining GDPR compliance.
These increasingly mainstream technologies can help to analyse both structured and unstructured content. Natural language processing may be used to identify entities of specific interest, extract metadata and understand the intent or purpose of specific clauses, paragraphs or sections of documents and e-mails.
However, this is no silver bullet. While Artificial Intelligence and other ‘intelligent’ solutions can take care of the heavy lifting, so to speak, for the foreseeable future human interaction will still be required to interpret and contextualise content.
The good news for those firms that already have well-documented and defined data retention/destruction policies in place is that nothing should change with the introduction of the GDPR, although it’s worth noting that the Government’s data protection minister has announced that the Data Protection Act 1998 will have to be amended to ensure consistency with the GDPR.
On that basis, there will be a need to review policies, tweak clauses or even change workflow processes to ensure compliance. Overall, though, those organisations that have invested the time, effort and capital to manage and control the tagging and disposition of content should be well positioned for the GDPR.
What about those organisations that have failed to implement stringent records management policies? How are they going to be able to comply with the GDPR by May 2018?
There are certainly many CISO/CIOs using the EU’s GDPR in the Boardroom as the catalyst for change and investment for reasons that extend far beyond the immediate compliance requirement.
In an era of escalating security risk, sensitive information – both personal and commercial in nature – is increasingly making professional services firms high-value cyber security targets when other organisations, such as finance and accounting, are already subject to far more stringent regulation. Improving risk profiles through better information knowledge and control is key to minimising the risk. Those organisations taking a proactive approach to GDPR compliance and who are able to demonstrate strong data governance processes to clients are therefore likely to gain considerable ‘first mover’ advantage.
In addition, the bi-product of GDPR compliance – or good data management practice – is the ability to unearth gems from existing information resources. From being able to analyse the data in order to understand what work is being completed and by whom through to cost analysis and modelling, and even on to curating it to inform new areas of service innovation, those firms that can confidently identify information resources and put in place the ability to intelligently interrogate, categorise and mine information will gain a significant commercial advantage.
GDPR compliance is without doubt a massive incentive to improve the accessibility and management of documentation and data as well as the flow of information around the business. The new regulatory landscape, and punitive fines, in tandem with the rising cyber security threat, ultimately mean the risks associated with poor information practices are, generally speaking, far too great.
Improving data management offers measurable commercial benefits, from increasing client confidence to unlocking business value. Secure, policy-driven access to information for all not only underpins compliance requirements, but also delivers effective cost control and drives business agility and efficiency by encouraging collaborative working.
The incentive may be regulatory, but the benefits extend far beyond ticking the box. Achieving compliance will significantly reinforce the value of a firm’s information resources.
Jason Petrucci is Chief Executive Officer of Phoenix Business Solutions