The high number of participants in last week's ACEDS webinar "There is no Silver bullet to cover all GDPR requirements" shows there is a lot of interest in the new legislation, which applies from 25 May 2018. The Q&A session also showed that many people struggle to grasp what they really must do in order to meet the requirements of the new General Data Protection Regulation by then.
With good reason. The General Data Protection Regulation will have a great impact on how companies and government organizations manage digital information whenever they handle the personal data of individuals in the European Union (it applies to data subjects in the EU, not only to EU citizens).
In the webinar (a recording is available here), moderated by Mary Mack, Kenneth Rashbaum and Johannes Scholtes discuss what organizations can do to address the most notorious GDPR requirements.
No silver bullet
Despite what some consultants and technology providers claim, there is no single solution that addresses all GDPR requirements. Complying with every aspect the new regulation covers requires a multidisciplinary team to update a wide variety of policies and procedures. It needs a thorough evaluation of all in-house systems and technologies that deal with personal data. And it includes a detailed revision of your contracts with third parties (processors) that collect, store and manage data on your behalf.
So, no silver bullet. The new regulation covers too many aspects of data protection, privacy and information rights. But there are many things organizations can do to address at least the most notorious GDPR requirements.
Collecting and storing personal information
Complying with the GDPR does not mean you cannot collect and store personal information for your line of business. In almost every corporate practice there is a valid need to collect and store personal information: to drive targeted customer service and marketing, to simply provide services to individual and business customers, for regulatory compliance (especially in the US and Canada) and for human resources. Personally Identifiable Information (PII) is the lifeblood of business. It is, as The Economist called it, "the new oil." Note that the GDPR itself uses the broader term "personal data": any information relating to an identified or identifiable person, which covers more than the classic PII fields such as name, address and identification number.
The keyword in collecting and storing personal data is "consent". Consent is one of the lawful bases the regulation allows (others include performance of a contract, a legal obligation and legitimate interests), but where you rely on it, users must give clear, unambiguous consent by an affirmative action; pre-ticked boxes or silence do not count. Controllers and processors may only use the data for the purpose specified when it was collected. For special categories of data (such as health, biometric or political data), explicit prior consent is required, and a generic "click checkbox to agree" does not cover it. Revoking consent must be as easy as giving it. Users also have the right to request erasure of their data, subject to the exceptions the regulation provides, such as legal retention obligations.
Revising consent wording ("prior permission") and managing consent over time will be some of the greatest challenges under the GDPR. Companies are wise to be very selective in what data they collect, to be highly transparent about why they collect that information, and to be sure to keep control over that data at all times.
Cleaning-up old archives with PII
So what to do with existing data collections that will not be compliant with the GDPR? The easiest solution would be to throw away such collections. If there is no relevant business information in these archives, that would be no problem.
In reality, few businesses will be ready to destroy their archives. They are not able or willing to make the investment. More often, they are not allowed to destroy the data because of retention requirements and other legal and compliance reasons.
A very practical and cost-effective solution is to pseudonymize or anonymize the information after a careful review. ZyLAB's ONE eDiscovery combines advanced search, text-mining, auto-classification, natural language processing (NLP) and machine learning techniques from the field of Artificial Intelligence to cull the information in the archives and ascertain what can be destroyed without harming the business, historical or legal need for that data. Keep the distinction in mind when choosing between the two: pseudonymized data, where the identifying values are replaced by tokens that can still be linked back to a person with a separately held key, remains personal data under the GDPR (it is encouraged as a safeguard, but does not take the archive out of scope), whereas properly anonymized data, which can no longer be linked to an individual by any reasonably likely means, falls outside the regulation altogether.
Advanced tools for redaction and pseudonymization can be used to clean up old archives that are often subject to regulatory requests or eDiscovery. Storing them in the ZyLAB ONE eDiscovery SaaS solution offers you the best protection available at the most cost-effective pricing.
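The difference between pseudonymization and anonymization described above, as an added example that is not part of the original post and not ZyLAB's code. The records are constructed sample data, the keyed-token scheme (HMAC-SHA256 with a key stored separately from the archive) is one common way to implement pseudonymization and is my choice here, and the regex-based scrubbing of free text is deliberately simple: it catches e-mail addresses and the names already known from the record's own fields, but finding other names in running text is the job of NLP/entity extraction, which this example does not attempt. The example also shows why an unkeyed hash of an e-mail address is not a pseudonym: it can be reversed with a dictionary of candidate addresses.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample archive records (fictional people); record 1 leaks an
# e-mail address in free text, record 2 leaks a first name.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Jansen",
     "body": "Call me back at alice@example.com about the invoice."},
    {"id": 2, "email": "bob@example.com", "name": "Bob de Vries",
     "body": "Bob confirmed delivery to the warehouse."},
    {"id": 3, "email": "alice@example.com", "name": "Alice Jansen",
     "body": "Second ticket from the same customer."},
]

# Constructed list of addresses an attacker might guess (e.g. scraped from a
# company website). Used to show the dictionary attack on unkeyed hashes.
CANDIDATES = ["carol@example.com", "alice@example.com", "bob@example.com"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DIRECT_IDENTIFIERS = ("email", "name")


def _token(value, key):
    """Keyed pseudonym: same input and key -> same token; no key -> no link."""
    mac = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return "psn_" + mac.hexdigest()[:16]


def _scrub_body(record):
    """Irreversibly redact e-mail addresses and the record's own name tokens."""
    body = EMAIL_RE.sub("[email redacted]", record["body"])
    for part in record["name"].split():
        if len(part) > 2:  # skip particles such as 'de'
            body = re.sub(r"\b" + re.escape(part) + r"\b", "[name redacted]", body)
    return body


def pseudonymize(record, key):
    """Replace direct identifiers with keyed tokens; keep records linkable.

    The result is still personal data under the GDPR (Art. 4(5)): with the
    key, which must be stored separately from the archive, the tokens can be
    mapped back to the individual.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = _token(record[field], key)
    out["body"] = _scrub_body(record)
    return out


def anonymize(record):
    """Drop direct identifiers entirely; nothing here can be reversed."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = "[redacted]"
    out["body"] = _scrub_body(record)
    return out


def unkeyed_hash(value):
    """What people often mistake for pseudonymization: plain SHA-256."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def reverse_by_dictionary(target_hash, candidates):
    """Unkeyed hashes of low-entropy values fall to a dictionary attack."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == target_hash:
            return candidate
    return None


def reidentify(token, candidates, key):
    """Re-identification of a keyed token is only possible with the key."""
    for candidate in candidates:
        if hmac.compare_digest(_token(candidate, key), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this outside the pseudonymized archive
    for rec in RECORDS:
        print("pseudonymized:", pseudonymize(rec, key))
        print("anonymized:   ", anonymize(rec))
    leaked = unkeyed_hash("alice@example.com")
    print("unkeyed hash reversed to:", reverse_by_dictionary(leaked, CANDIDATES))
```

Records 1 and 3 receive the same e-mail token under the same key, so a reviewer can still group all documents belonging to one custodian without seeing who that is; using a different key, or no key, breaks that link, which is exactly the property the unkeyed hash lacks.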
Secure data storage in different jurisdictions
ZyLAB's ONE eDiscovery SaaS solution optionally provides GDPR-compliant, secure, encrypted data storage. Because it uses current security and encryption standards, this storage location is a much more cost-effective alternative to an in-house solution, not just for data under the GDPR but also for transfers under the EU-US Privacy Shield framework.
ZyLAB ONE eDiscovery provides data centers in the jurisdiction of your choice, so data can stay in the region its regulation requires. At the same time, you benefit from the scalability of a SaaS solution, sharing expensive resources and software where this is possible and secure. ZyLAB ONE eDiscovery provides two-factor authentication and encrypted VPN data access, allowing you and your team secure access from any location.
Even if you are not comfortable with any SaaS solution, ZyLAB can also provide exactly the same solution in an on-premises or private cloud environment.
Try it yourself
Sign up for a free eDiscovery software trial account and experience ZyLAB ONE eDiscovery, the most intuitive and sophisticated eDiscovery solution.