A good incentive to update and strengthen your organization’s records and information management (RIM) policies is the threat of administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, under the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018.
What does a data protection rule from across the pond have to do with domestic RIM policies and procedures? Quite a lot, and that may actually be a good thing. The GDPR of course applies to organizations established in the EU. It also applies to organizations outside the EU that offer goods or services to individuals in the EU (whether or not payment is required) or that monitor the behavior of individuals within the EU, for example by tracking the online activity of site visitors from the EU.
Both data controllers (the organizations that determine the purposes and means of processing personal data) and data processors (those that process personal data on a controller’s behalf) carry obligations under the regulation; processors are no longer shielded simply because they act on someone else’s instructions. In short, any organization that handles the personal data of people in the EU, which in practice covers much of the business conducted via the web, probably needs to ramp up its RIM policies and procedures to comply with the GDPR.
The GDPR requirements may, truth be told, be a little past due given the number of vast, highly embarrassing breaches of sensitive data suffered by institutions large and small. Organizations that have been intending to clean up their act on data now have the motivation they need to get started.
But how? If it hasn’t already, an organization should assess its data collection procedures, starting with the lawful basis for each kind of processing. Consent is the basis most people think of, but it is only one of six the GDPR recognizes (others include performance of a contract and compliance with a legal obligation), and where consent is relied upon it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. Then consider how that data, particularly the more sensitive categories, is being processed, stored and eventually discarded.
Under the GDPR’s storage limitation principle, personal data should be kept no longer than is necessary for the purposes for which it is processed, and the accountability principle means the organization must be able to demonstrate this, so each retention period in the schedule needs a documented justification. RIM policies and procedures should be updated to ensure that personal data is obtained, protected, processed, retained and disposed of within the parameters of the regulation.
It is a bit of a pain to update RIM policies and processes to be GDPR compliant. But doing so is less painful than an embarrassing, damaging data breach or a fine that can reach 20 million euros or 4% of worldwide annual turnover. Ultimately, the GDPR has brought attention to a problem all of us have, namely guarding the personal data we gather and use, and spurred us on to protect not only those we happen to do business with, but our organizations as well.