The struggle for most firms’ information governance programs has simply been getting off the fence and starting the ball rolling. GDPR is an opportune catalyst.
The General Data Protection Regulation (GDPR) has increased the territorial scope of protection for personal data and privacy for EU residents. Companies selling into, providing services to, or conducting online behavior monitoring of EU residents are now required to obtain consent in a more transparent manner (privacy by design). Additionally, the EU resident has the right to be forgotten and the ability to request the transfer of private data from one entity to another (data portability).
All of these “rights” first require that an organization have the proper visibility into its information holdings. The inability of the firm to report on all of its holdings (regardless of media or location) upon request is a major source of concern for many US firms.
An IG initiative requires collaboration among key stakeholders from across the firm: Management Committee, Administration, Finance & Accounting, HR, IT, Information Security, and representation from the individual practice groups. GDPR can be the catalyst to gather this group and take actionable steps towards implementing a program. The program will identify relevant data locations (both electronic and physical), proper indexing, security protocols, purging per retention schedules, and necessary audits. A more general Information Governance program will allow the firm to comply with any requests pursuant to GDPR, while exercising sustainable document handling practices that withstand client scrutiny.