Is the Symbiosis Between Records Management and Privacy the Key to GDPR Readiness?

Published On May 25, 2018
How can you leverage your existing records management program to improve the maturity of your privacy management program?

At long last, the May 25 effective date of the GDPR is here. Yet, most recent studies show that approximately 50% of global firms are not ready and, by most estimates, full preparedness for the GDPR is less than 15%.[1] Why is this so, and how can you leverage your existing records management program to improve the maturity of your privacy management program?
The principles of Privacy and Records Management are virtually the same
Below are the principles of the ARMA Generally Accepted Recordkeeping Principles and the key principles of the GDPR. Note that, except for the principle of consent/lawful purpose, all of the other seven principles have equivalents in both frameworks.
A business may store any record of its activities that it finds useful for the conduct of the business. Many, but not all, of these records are based on legally mandated record retention requirements. The GDPR limits the collection and storage of personal data to only those situations where the data subject has consented to its use or for which there is an otherwise lawful purpose for maintaining the information. So, the first benefit of aligning records management with privacy is that it provides a records retention schedule supported by valid legal citations that is auditable and includes the lawful purpose for possessing and retaining private information.
Not only are the principles of privacy and records management virtually the same, records management is a necessary element to operationalize privacy. Nymity, the leading privacy research firm, embeds records management in its privacy compliance framework. The fourth of Nymity’s privacy framework principles is to “Embed data privacy into operations.” Nymity cites Iron Mountain guidance for this principle, specifically calling on organizations to “Integrate data privacy into records retention practices” by:
“[E]stablish[ing] records retention policies, procedures and other accountability mechanisms to ensure proper storage of both hard copy and electronic records. The Privacy Office ensures that these practices address data privacy issues, such as:
– Limitations on retaining personal data;
– Respect for litigation and compliance retention requirements;
– Who has access to stored records; and
– Where records are stored.
The organization must also address retention in the form of system backup plans, including testing and offsite storage.”
Records Management is how Privacy is implemented
Look at any current survey of progress towards implementing GDPR and you will find that the easy things to do, i.e., those things that can be done by senior management by fiat or with minimal effort, are the things that most organizations have accomplished already. Most organizations have promulgated privacy policies, created a privacy governance structure and conducted some level of privacy training. None of these things require actually touching the content or require the kind of in-depth knowledge of records, systems and processes where real workers and systems intersect with privacy policy.
For example, a Nymity “Comprehensive Benchmark Rankings Report” I generated on May 20, 2018, shows that 81% of respondents report they have assigned privacy compliance to a senior individual (CPO, CISO, General Counsel, etc.), 63% have implemented standard contract clauses for data transfer and 75% have created a privacy policy. In contrast, only 38% have integrated privacy in their records retention policies, 39% have classified data by type (e.g., sensitive, confidential, public) and merely 21% have created an inventory of personal data and processing activities.[1] Similarly, in a recent survey of 6,000 security professionals, the ISACA found that 59% reported that their biggest concern in preparing for GDPR compliance was data discovery and mapping.[2]
In my opinion, the reasons for this disparity are twofold: first, there are simply not enough knowledgeable people available in most organizations to conduct this work, and the people who know the records, processes and systems are not the same people who know the law and draft the policies. Second, other than Iron Mountain Policy Center, there are not many options to map privacy obligations to records, processes and systems.
Your records management program, the privacy compliance catalyst
Historically, the definition of a business ‘record’ centered on preserving artifacts that were legally mandated and those that were necessary to run the business. More recently, as records management morphed into Information Governance, Iron Mountain and our Customer Advisory Board have developed a “Records Management and Information Governance (IG) Risk Control Framework” which highlights the role of the Records Management and IG community in mitigating information risk.[3] With fines up to 4% of global revenues, personal data covered by the GDPR are now among the riskiest types of information for a firm to manage and thus should be subject to the stricter controls inherent with being a business record.
The true value of a good records retention schedule is that it becomes the ‘gearbox’ for all the critical data about a firm’s information, with all of it in one place and all of it manageable from there. For example, in Iron Mountain Policy Center, there is provision not only for listing the record classification scheme and its associated retention minimums and privacy maximums, but also to identify which record classes contain sensitive and personally identifying information and to map those record classes to the business processing activities that create or use the information, as well as the systems in which they are stored. This, along with the designation of the ‘copy of record’, enables organizations to destroy unneeded copies, thereby complying with the GDPR principle to “limit storage of PII” as well as the IG principle of disposing of all redundant, obsolete and trivial information.
Finally, as firms prepare for the GDPR, one of the issues hampering them is the lack of skilled personnel dedicated to this effort. Among the Fortune 100, those with relatively immature privacy programs have an average of 3.5 privacy FTEs,[4] whereas, according to ARMA/Iron Mountain research, among the Fortune 1000, 50% have more than 4 records management FTEs, 35% more than 7, and 22% more than 10 RM/IG FTEs. So, not only are your records management professionals close to the processes and systems, there are more of them available to handle privacy compliance issues.
So, as May 25 has arrived, unleash your records management program to bring your privacy program into compliance.
[1] Given that more firms report having classified data than have inventoried it, the takeaway is that they have adopted some version of the ISO 20007 data classification, not that they have actually tagged the data, since you cannot tag data you have not inventoried.
[3] http://www.ironmountain.com/resources/whitepapers/a/a-practical-guide-for-a-records-and-information-management-risk-control-framework
[5] https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-benchmarking-survey.html The ISACA, based on its most recent survey reports that 29% of respondents believe they will be fully GDPR ready at the deadline. Infra, at Note 3.