Information Governance



File Analytics: Going Beyond Digital Archiving

Are you looking for a way to find your most engaging documents quickly? Are you trying to understand what information is stored and where? You can make sense of your files using the power of Big Data and Machine Learning. With File Analytics, you can automatically purge your storage of duplicates, obsolete items and content from decommissioned applications.

File Analytics solutions allow you to go further than “classic” File Sharing. File Sharing solutions focus on giving access to data, anywhere in the world and at any time. But what if you want to leverage this content in new ways that can benefit the company and employees?

File Sharing and its Challenges

File Sharing tools are perfect for internal corporate communication and information flow, and they allow documents to be transmitted quickly and efficiently, but they have certain drawbacks that make them, in the long run, much less effective:

  • Documents can be difficult to find. Duplicates multiply, classification is suboptimal (even when based on criteria specific to each user), and shared links accumulate. The result? File Sharing tools are certainly populated with relevant documents, but there are so many documents stored there that finding the one you need can take hours.
  • Not all documents are valid. A document in a File Sharing tool is not necessarily a relevant document. It can indeed be considered obsolete, present erroneous information, or even have been corrected multiple times since it was added to the share. The result? Your company may have, unknowingly, harmful elements in your file shares.
  • Access to data is not always secure. With File Sharing tools like shared drives, information security is compromised by the multiplicity of users and access points. Documents “escape” management and the IT department. And, from the outside, attacks can multiply! In addition, confidentiality is endangered because it’s nearly impossible to encrypt document content and control access to it.

It is not reasonable to do information governance with Shared Drives (Google Drive, Microsoft OneDrive, Dropbox, etc.). Their advantages, such as simplicity, are quickly eclipsed by their disadvantages. The most important is endangering your company’s confidential information.

File Analytics, for Dynamic File System Cleaning

File systems must be “cleared” of spurious documents (duplicate, obsolete, and so on) to keep them efficient. File Analytics tools offer the ability to analyze information and cleanse assets, in order to more easily control the life cycle of files. They also allow you to automatically analyze the contents of documents, with:

  • Extraction of named entities (places, people, functions …);
  • Extraction of company data (product code, customer number …);
  • Categorization by learning …
  • … or through a semantic repository.

From CRM to Email: Facilitating Data Management

In all sectors, companies capture, store and use large amounts of data. Whether we are talking about a CRM or an email client, content can be:

  • Structured: It is framed by specific references, which will allow a search engine to interpret and locate it more easily;
  • Semi-structured: Data that is not organized according to a given repository, but that integrates metadata or any other type of related information, facilitating their processing and exploitation;
  • Unstructured: Content that is not subject to any repository and contains no associated information.

File analytics tools are intended to facilitate access to this data, regardless of their “quality” and their level of structure. They can also efficiently govern your corporate information, which is essential when you need to be responsive to the demands of customers, employees and partners.

File Analytics tools make access to quality data faster and more accurate. Want to know more? Connect with our team.

Content Services, Tools for Effective Information Governance

Effective information governance cannot be achieved without the support of dedicated tools, called “Content Services”. Content Services make it possible to manage all data-related processes and ensure that employees find the right information no matter where they are. There are several types of services: archiving, dematerialization, enterprise content management solutions, process automation tools and EDM. Let’s look at each one.

From ECM to Content Services

Content Services are not new, but rather an evolution of ECM (Enterprise Content Management). Why did we change the vocabulary?

Simply put: new challenges, new vocabulary. The term “ECM” was found to be too limited, as it did not encompass all the issues related to content management in business. “Content Services” better explains the role of content applications, which offer concrete solutions to business problems, delivered operationally and as quickly as possible. This is much more than how we traditionally think of ECM, so the change of name is justified and is not just a matter of image.


Archiving is not just about saving. It is about exploiting the data in a new way and offering the data durability and security, as well as the ability to find that data from any device connected to the Internet. But there are several families of archiving:

  • Digital archiving is a set of actions that aim to identify, collect, classify, preserve, communicate and return electronic documents. Digital archiving can be used to satisfy legal obligations (from a few years to several decades, depending on the type of document), or information needs in the company (from one service to another, depending on the type of document, or one site to another for heritage purposes).
  • Mixed archiving is archiving between digital documents and paper documents. It is a practice that requires the definition of an archiving policy, with the creation or adaptation of a global document repository and the selection of a service offering adapted to the company. Such a project requires the setting up of a dedicated team, coordinated by a project manager who prioritizes the successive stages and facilitates decision-making.
  • Mass archiving. Often identified as the ideal archiving solution by IT departments, mass archiving makes it possible to import and preserve large amounts of electronic resources (documents, emails, videos, archives …). Mass archiving solutions have a clear advantage: their interoperability with the other blocks of the information system (messaging software, ERP, CRM, DM). This is what allows all of the company’s applications to file electronic documents, consult them and exploit them, whatever the volume.
  • Archiving with probative value. It has become a major issue for companies, because it’s not just about saving documents. Archiving with probative value goes further, since it guarantees the documents’ authenticity (the documents were produced by those who claim to have produced them), their durability (they will always be accessible when they are needed) and their integrity (they have not been changed by a malicious person). The ultimate goal? That they can be used as irrefutable proof in case of dispute, whether with a client, an administration or another company.


Dematerialization happens when a company wants to replace the use of paper (or any other type of physical medium, such as a magnetic tape) with digital files stored on servers, on suitable media or computers. Many documents may be involved: invoices, administrative procedures, cash flow, etc…

There are two main types of dematerialization:

  • “Native dematerialization”, which consists of receiving all new documents in digital format. We then change processes and software.
  • “Duplicative dematerialization”, which consists of copying in digital format the documents initially received in paper format. Information governance consists of “retrieving” documents to integrate them into the dematerialization process.

In both cases, all documents of the company can be made available to employees. Different profiles can be created to “limit” access to these documents for a particular service.


EDM, or Electronic Document Management, makes it possible to optimize the management and exploitation of documents by specialized and efficient electronic means. It is based on software that performs several actions on documents:

  • Capture
  • Acquisition
  • Digitization
  • Validation
  • Diffusion
  • Classification
  • Indexation
  • Archiving

Document Management, an integral part of information governance in the workplace, relies on process automation, allowing users to focus more on high value-added tasks. It also greatly reduces the risk of errors and oversights.

Process Automation

In the workplace, the same causes often produce the same effects. However, these causes require employees to repeat a gesture, an action, a decision… at least, if we do not think “process automation”!

Process automation is the essence of Case Management. It combines document management, business processes and collaborative work within a single space. It ensures that all the documents involved in the company’s processes will be processed by the right player and the right service. It has many advantages.

Process automation:

  • Reduces the time required to process applications;
  • Increases productivity and flexibility;
  • Smooths workloads;
  • Is implemented easily and quickly at the heart of the process;
  • Provides a fast ROI and an overview of all activity thanks to dynamic dashboards;
  • Concerns many sectors of activity.

Information governance involves the adoption of smart tools, like Content Services, archiving, process automation, document management and more, that save time and improve efficiency while reducing the risk of errors. Download our Content Services ebook to learn what solutions for Information Governance Everteam provides.

Making the Case for Information Governance: 4 Key Use Cases

The growth in the amount of content you store – structured and unstructured – shows no signs of slowing down. You are inundated with information, some of which you need to keep and some of which you don’t. Enterprise content management helps you manage that information, but you also need an underlying information governance model and supporting technology to help you figure out not only what information you have and where, but what to do with it.

Information Governance is not a one-time project

The biggest mistake that many make is assuming information governance is a one-time project. Set up some policies and procedures and your plan is in place. It’s not that simple. But it also doesn’t have to be complex. The best way to think of information governance is as an umbrella term that supports a number of use cases that require some type of activity around your information.

Or think of it this way:

Information governance is a set of problems and a set of solutions you take on to solve those problems.

Four common use cases for information governance

When you break information governance down into a series of projects or “mini-strategies”, it’s much easier to ensure your information is well managed going forward. Here are four of the most common use cases (or projects):

  • Records Management: A system for the collection, indexing and analysis of records produced anywhere – and by any system – in your organization.
  • File Analytics: Cross-repository inventory and analysis of content to uncover compliance deviations and execute policies that drive bulk actions to delete ROT (redundant, obsolete and trivial content) and quarantine PII (personally identifiable information). This is the most common use case we discuss with customers today.
  • Application Archiving: Offload inactive content from production applications to reduce costs, increase compliance and rationalize infrastructure.
  • Application Decommissioning: Capturing and archiving content from systems to ensure ability to retrieve and report after decommissioning of the source system.

Making the case for information governance

It’s very hard to get information governance approved. Getting to the top of the list for any of the projects listed above is a real struggle. To help you prove how important these types of projects are, here are some points you can focus attention on:

  1. Meeting regulatory compliance requirements – new compliance requirements happen regularly and it’s costly to fall out of compliance.
  2. Reduce legal exposure – you put yourself at great legal risk when you store information in shared folders or cloud-based applications like Office 365 or Dropbox that you shouldn’t have there, such as credit card numbers and other personally identifiable information.
  3. Reduce data theft exposure – same issue for data theft. Never assume you won’t get hacked. Assume you will; it’s just a matter of when. If you are a company that stores everything forever, the surface area you make available for data theft is enormous.
  4. Reduce storage and license costs – Traditional ROI analysis also makes a great case for an information governance project. Reducing storage costs is one argument; reducing license costs, operating costs and other unnecessary expenses is also important to point out.
  5. Eliminate costs associated with obsolete systems – you’re ready to move to a new application or you no longer need an application – you don’t want to keep these systems around just to store the content they currently manage. What you need to do is archive the information you need to keep and then decommission these systems, reducing costs.
  6. Reduce architectural complexity – this is particularly important with companies that regularly acquire other companies and end up with multiple systems to manage. An IG strategy would give these companies an organized way to figure out what systems and information they need; how to best archive information they must keep and decommission apps no longer required.

Success factors for information governance initiatives

You won’t be successful if you try to do everything at once. The complexity will kill any small successes you have. What works best is to take on an information governance solution that has a clear beginning and end, a clear scope and clear success factors. For example, don’t say you are going to set up records management for the entire enterprise; say you are going to set up records management for a specific department and a specific type of content. Another example is to pick an obsolete application that costs a lot of money to maintain and set up a project to archive its content (or destroy it) and shut down the application.

In other words your IG strategy will find success if you think in terms of:

  • A tactical initiative in service of a long-term strategy
  • An effective solution design that fits an enterprise strategy
  • Specific near term objective that defines the scope of the initiative
  • Defined justification: Compliance, Cost or Business enablement
  • Scope defined by content types or use cases
  • Effective executive sponsorship

Ken Lownie, Everteam VP Operations, recently spoke about information governance and how it fits into the overall structure of enterprise content management in the KMWorld webinar: The Future of Enterprise Content Management. If you’d like to listen to his full discussion, you can watch the replay on demand here.

GDPR and insurance companies: what will change?

The General Data Protection Regulation (GDPR) will come into force on May 25th. In the meantime, companies in the insurance sector, like the others, must comply with its new requirements ensuring that organizations are properly managing the confidentiality of the information they have transferred or collected from European citizens. But what will change? What advice does the CNIL, a reference organization in France regarding the application of the GDPR, give to insurance organizations that even US companies can apply?

A “compliance pack” set to evolve

By May 25, 2018, the enforcement date for GDPR, the CNIL plans to update its compliance packages (and propose new ones). First affected is the insurance sector. It must be said that insurance companies collect a considerable amount of data every year, which allows them to create personalized offers, adjust tariffs, or follow the evolution of the market and consumer needs.

The insurance compliance package proposed by the CNIL must therefore soon be enriched with a GDPR component, in addition to the reminder of the standards to which these companies are subject. Still, it is possible, by studying the text of the new General Data Protection Regulation, to outline what that component will look like.

Remember: the rights of your customers

Let’s start with a quick reminder: what are the rights granted to your customers by the GDPR? The most important are undoubtedly the following ones. These are the ones that will require a whole new approach to information governance in the insurance industry:

  • The right of access to the data
  • The right to be informed about the processing of the data used
  • The right of rectification
  • The right of opposition
  • The right to portability of data, in some cases (we’ll talk about this again)
  • The right to be forgotten

These rights, such as the right of access to data, are not fundamentally new; most are already set out in the Data Protection Act of 1978. Those that already existed are nevertheless strengthened, reaffirmed and harmonized at European level.

Thus, in the insurance sector, it is essential to master (and be able to communicate) the following information: the personal data recorded, their provenance, the names and roles of the persons authorized to use them, the purpose and use of the data as well as their location, and who has access to that data. Article 18 of the GDPR gives any holder, past or current, of an insurance contract the right to receive a copy of his or her personal data, in a common and easily readable format.

Insurance: how to be in compliance with the GDPR?

As an insurance company, you cannot take the risk of not being in compliance with the requirements of the GDPR. To comply is to avoid a commercial risk (a sanction could have unfortunate consequences in terms of image and reputation) as well as a significant financial pitfall – the fines can go up to 20 000 000 € (US $23 million plus), or 4% of the annual global turnover (of the two, the highest amount will be retained!).

Therefore, the first step to comply with the GDPR is to appoint a DPO (Data Protection Officer). The DPO’s mission will be to ensure that the law is respected and that processes are put in place to enhance the transparency of your company. In particular, the DPO will have to make sure that you will be able, as of next May, to:

  • Group all exchanges with customers, whatever the points of contact they use (mail, telephone, email, agency visit …), within the same document
  • Demonstrate that your customers have consented to the use of their personal data
  • Clarify, in the case of institutional control and at the request of customers, the use made of personal data
  • Set up information governance, based on documentary traceability, storage security and responsiveness

What the CNIL recommends

The work required to get GDPR compliant must be implemented gradually. Thus, the CNIL recommends for insurance, as for other companies, to carry out 4 main operations.

  1. First, an organizational component, with the designation of the DPO and its hierarchical position, and the setting up of steering committees.
  2. Then, a “risks and internal controls” workstream, allowing you to take stock of the current practices and the elements to be corrected.
  3. It should be followed by the deployment of information governance tools (access, traceability, security, communication…).
  4. Finally, an awareness step, internally and externally, on the new governance of information, will have to complete the implementation of the GDPR in the insurance sector.

Compliance with GDPR is not optional for companies in the insurance industry. If you’re looking for help figuring out what you need to do, give us a call.


Who are the Data Controllers and Data Processors in GDPR?

In my last Blog, I talked about the definition of Personal Data and the various data protection actions that Data Controllers and Data Processors may apply to this Personal Data (Anonymize, Pseudonymize and Minimize).

But who are these Data Controllers and Data Processors?

These are the parties that capture, process and store Personal Data belonging to Data Subjects. Under the GDPR Regulation, these parties have obligations to protect the Personal Data of these Data Subjects.

Data Controllers/Data Processors

Data Controllers

This is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law”;

In plain English, this is the party (individual, entity or authority) with which the Data Subject exchanges his or her Personal Data to receive the goods and services.

The GDPR Regulation imposes a range of data protection obligations on the Data Controller, including:

  • Restrict the scope of data that can be collected and the duration of retention of this data
  • Seek and obtain the consent of the Data Subject BEFORE the Personal Data is captured
  • Once received, protect this data
  • Notify data controllers if/when a data breach occurs
  • Appoint a Data Protection Officer or DPO (under certain conditions) – covered in a future blog

Data Processors

Similarly, the Data Processor is “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

This is the party that performs part or all of the processes on behalf of the Data Controller. One of the game changers with GDPR is that Data Processors also have obligations under that regulation, and that these obligations apply even to Data Processors located outside EU jurisdictions, for example a US-based cloud provider performing data processes on behalf of an EU-based Data Controller. Data Processors must:

  • Implement specific organizational and technical data security measures
  • Keep detailed records of their processing activities
  • Appoint a Data Protection Officer or DPO (under certain conditions)
  • Notify data controllers if/when a data breach occurs

In view of these GDPR obligations, Data Controllers must apply more diligence to the processes by which they select new Data Processors and re-qualify existing ones.

Data Controllers must also determine whether they fall under the GDPR Regulation and identify their responsibilities and measures they must implement vis-à-vis the Personal Data they process.

Lots more to talk about here, but suffice it to say that organizations that fit the definitions of Data Controllers and Data Processors should assess their GDPR-related Data Protection obligations and implement measures and technology-based solutions to enable and enact their compliance.

I will cover further aspects of the GDPR Regulation in upcoming blogs, namely the rights of Data Subjects.

Bassam Zarkout

Everteam and Aurotech Partner to Support Information Governance Across Banking, Finance, and Insurance

Boston, MA: Everteam, a leading technology provider of information governance solutions and Aurotech, Inc, a management and technology consulting firm, announce a strategic partnership to support enterprise organizations’ efforts to improve archiving and records management strategies in support of increasing compliance and privacy regulations.

Together the two companies will provide the strategic advice and technology necessary for successful information governance.

Organizations in Banking, Finance, and Insurance face growing regulations around information privacy and security, including support for the upcoming EU General Data Protection Regulation (GDPR) directives on data privacy. The challenges focus not only on appropriately securing information but on what information to keep and where to keep it.

With the help of Aurotech and Everteam, these organizations can increase the effectiveness of their information management policies through well-defined content analytics, application archiving and decommissioning, as well as records management programs.

“Everteam is pleased to partner with Aurotech, Inc. Their commitment to delivering solutions that increase efficiency and productivity across a range of information governance programs combines well with our delivery of information governance solutions that are easy to use and provide the critical capabilities needed by organizations today,” said Firas Raouf, CEO Everteam.

The implementation of digital transformation strategies is driving the adoption of new innovative technologies. It’s critical that effective legacy application decommissioning strategies are put in place to not only deal with legacy applications but also ensure the appropriate migration of information to the new system, an archiving solution, or proper disposition. Surrounding all this is the application of content analytics and records management policies that ensure data is properly managed regardless of where it resides.

“Our customers are constantly dealing with mission-critical and complex business issues related to the proper management of their enterprise content. It’s our mission to ensure they have the right strategies in place and the right technology to support those strategies. Everteam’s Information Governance solutions provide an excellent mix of capabilities to help our customers manage their content end-to-end,” said Tim Schwedes, ECM Governance Lead, Aurotech, Inc.

To learn more about this partnership and how we can help you, contact:

  • Aurotech: Niki Ward, Account Manager (208.559.2086)
  • Everteam: Ken Lownie, VP Operations (1 978.618.2363)

About Aurotech

Aurotech is a provider of Information Governance and Business Process Management (BPM) solutions. With years of focused experience and leveraging an extensive partner network, we match technology to our customers’ requirements to address the full range of compliance, automation, and archival needs.

About Everteam

Everteam is a global software vendor specializing in information governance and process automation solutions for mid to large corporate enterprises and government entities. With over 25 years of experience and innovation in the field of Enterprise Content Management, Everteam is recognized for successfully delivering highly sophisticated implementations of Content Management, Information Governance, and Business Transformation solutions.

How Analytics Help You Manage Your Information Silos

Over time, companies accumulate large amounts of data across different systems and tools, creating information silos. For many organizations, it’s difficult to manage shared access to these silos and control that access.

At the heart of most information silos we find the management of the “document” with its two levels of complementary information, united and inseparable:

  • The document itself
  • The metadata, attached to the document that facilitates access to the document. Metadata provides classification, security and permissions (authentication) for the document. It also enables interoperability.

The challenge is that internal staff often find the process of capturing metadata tedious and complex, and are abandoning metadata assignment. But search engines depend on metadata to organize information and improve search queries. Without it, documents are indexed by file only, leading to a loss of control over the information. This loss of control has the potential to drive major risk to the company:

  • The dilution of information with high added value
  • Increased risks of non-identification of binding documents
  • Non-compliance with regulatory requirements for the retention and destruction of documents
  • The continuous rise in volumes stored on expensive and unsuitable media

There are many solutions that can manage these information silos including SharePoint, Box, Google Drive, Everteam and others. Often, organizations have more than one solution in place. And therein lies a big part of the challenge.

How analytics can help

Analytics technologies support the combination of innovations born of Big Data and Machine Learning. In other words, it is possible to analyze large volumes of data (including unstructured information) thanks to the power of file and content analytics and make sense of it automatically. Analytics can take away the need for knowledge workers to manually add metadata to documents. It does this by applying machine learning algorithms that analyze the content of a file and automatically add the appropriate metadata information.

The best analytics solutions work with both structured and unstructured data in the same search interface. Analytical tools can completely reconfigure the exploitation of information on several levels.

From an operational point of view, Business Divisions can:

  • Quickly access relevant information, including in multisource and multilingual contexts
  • Expose information from duplicate or obsolete documents
  • Quickly identify all the company’s binding documents
  • Capitalize effectively on the storage repositories

Analytics technologies can also control a number of risks related to the unavailability or expiry of information. They can put General Management in a position to respond to the regulatory obligations inherent in its business and sector of activity. And they contribute to the proper running of the business by providing an effective and efficient service to internal customers, better able to meet the standards of their profession.

Finally, IT Departments see their work get easier and IT costs decrease through control of storage and backup budgets, lower costs and shorter delays when migrating from one silo to another and, lastly, the long-term preservation of stored formats.

Want to understand more about connecting your information silos with analytics? Download our File Analytics datasheet.


GDPR & You: Are You Ready for new European Data Protection Regulations?

There is a fundamental transformation underway. In the digital economy information is the currency of exchange. And, information knows no boundaries. Harmonization of regulations that fosters the free flow of information while strengthening privacy and security rights is an imperative for policy makers.

Take the EU and US trading bloc as an example. The total value of goods and services between the two largest trading blocs is estimated at $5.5 trillion, employing 15 million. Cross-border flows between the EU and the US are estimated to be 50% higher than any other trading bloc. 65% of US investment in information technology is in the EU.

Identity theft and security and privacy breaches are harming customer experience and customer loyalty at increasing levels. They are also driving regulators to bolster data security and privacy legislation to impose stricter obligations on businesses and data controllers. Enter the new European Data Protection Regulation (EU GDPR).

As a response to advances in digital technologies such as big data, cloud computing and predictive analytics, coupled with revelations of bulk data collection and profiling by intelligence services, the General Data Protection Regulation (GDPR) is a comprehensive overhaul of privacy legislation which considerably strengthens and expands privacy rights.

It spans more rigorous consent requirements, data anonymization, the right to be forgotten and breach notification, which could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater. For the average Fortune 500 company, that puts fines in the range of $800-900M.

In this new AIIM e-book (sponsored by Everteam) – Information Privacy and Security: GDPR is Just the Tip of the Iceberg, the focus is on five key questions that should be on every C-level executive’s list of priorities:

  1. How has the environment for information privacy and security changed?
  2. What is GDPR, why should you care, and what does it mean for your organization?
  3. What does “Privacy by Design” mean?
  4. How will the Internet of Things make the privacy equation even more complicated?
  5. What should your organization do about all of this, and what role will machine learning play in solving the problem?

You can download your copy of the ebook here. And sign up for our newsletter to get more insights and guidance on GDPR and information governance straight to your inbox.

Gearing up for KMWorld – Join Us There

It’s a couple of weeks away and we’re deep into planning a great experience at KMWorld this year. Now maybe you wonder why a software company focused on Information Governance and enterprise content management is sponsoring and speaking at KMWorld. If you sit down and think about it, though, the relationship is clear – Information Governance and Knowledge Management go hand in hand.

Knowledge workers deal with a lot of information spread across the company. Unfortunately, a lot of it is in silos that are hard to reach and sometimes hard to find, period. What do many knowledge workers do to get around this challenge? They go get everything they need and store a copy of all information in a file share, a cloud-based file sharing application, or on their hard drive. How exactly do you manage this information now? How can you be sure that you aren’t violating a compliance policy or regulation? How do you know whether your knowledge workers are accidentally exposing private information? You need an information governance strategy – one that starts with file analytics.

Another way to look at this challenge is when you merge with or acquire a new company. You face the same challenges, the same risks, and the same opportunities to engage in a process of information governance, one that isn’t so prohibitive or hard to manage that it never really gets adopted.

We’re Speaking at KMWorld!

VP Operations for Everteam USA, Ken Lownie, is finalizing his presentation for his speaking session. His topic? Information Governance: A Key Enabler of Knowledge Management.

Here’s the overview and key takeaways from his session:

A prerequisite to effective knowledge management is the ability for an organization to capture, organize and preserve their information assets. Information governance (IG) is focused on exactly those tasks. In this session, I will present five use cases from “real life” information governance initiatives.
Key takeaways:
  • The five fundamental capabilities of an IG framework
  • How to design an IG program that delivers IT cost reductions
  • Strategies for consolidating information assets through a merger or acquisition
  • How to define an IG program that will increase compliance and reduce risk related to data theft
  • The role of content analytics in information governance and knowledge management

Going to KMWorld? Let’s Connect

Ken and Dan Griffiths will be manning our booth at KMWorld – we have giveaways and prizes to win and some great reading material to take home with you. If you are attending and would like to arrange a chat, let us know and we’ll schedule time on Ken or Dan’s calendar.

What is GDPR and how is it related to Information Governance?

Unless you have been in a cave in the past year, you must have heard about GDPR, the European General Data Protection Regulation. It is a comprehensive data privacy directive which takes effect on May 25th, 2018. The directive builds on the current EU Privacy Directive and unifies data protection laws in EU countries.

Note: This is the first in a series of posts on the subject of GDPR compliance.

GDPR at a high level

  1. Data Privacy is a fundamental right of “natural persons” (called Data Subjects, which are essentially EU Citizens anywhere in the world and individuals located within EU jurisdictions).
  2. This right relates to Personal Data: any information exchanged between Data Subjects and Data Controllers (providers of products and services) and Data Processors (their outsourcers), information that can be traced back to the Data Subject:
    • Personal: name, gender, national ID, location, DOB, physical, genetic, psychological, mental, cultural, social characteristics, online computer identifiers, medical, financial, etc.
    • Organizational: recruitment, salary, performance, benefits, etc.
    • Other: race, ethnic, religious, political opinions, biometric, etc.
  3. These Privacy Rights state that you can ONLY collect Personal Data lawfully and for legitimate reasons, and you are limited to using it for what is necessary and for what it was intended:
    • Right for consent
    • Right to be forgotten
    • Right for rectification
    • Right for data portability
    • Right to object
    • Right for limited usage of collected data
    • Right to be notified about data breaches

It is worth noting that the above GDPR restrictions apply to Data Controllers and Data Processors even if they are located outside EU jurisdictions (for example, a US-based cloud provider).

GDPR defined

Organizations found to be non-compliant can face significant fines amounting to up to 20 million Euros (roughly US$ 23.5 Million) or 4% of global annual revenue, whichever is greater. Not small change.

If you do the math, a US$ 10B corporation found to be non-compliant may be fined US$ 400 million.

“Sky is falling” statements like this can often produce the reverse effect:

  • There are no signs that the GDPR Supervisory Authorities in the various EU countries will be trigger happy on May 25th, 2018.
  • Organizations are however advised NOT to take the matter lightly… GDPR is serious business… and violations will probably be handled firmly.

What does all this have to do with Information Governance?

A lot.

GDPR compliance is perhaps the compelling event that organizations have been “waiting for” in order to fully embrace the Information Governance culture. Common “values” that are delivered by effective Information Governance Programs go a long way towards facilitating GDPR compliance, such as:

  • Visibility through content (content analysis, classification, etc.)
  • Data and content minimization (elimination of ROT)
  • Systematic lifecycle management and controls over content

GDPR is a deep subject, and in upcoming posts I will dive a little deeper into its various aspects, such as:

  • Definition and scope of Personal Data
  • Obligations of Data Controllers and Data Processors
  • Privacy Impact Assessments
  • Data Privacy Officer
  • Consent
  • The “vaunted” Right to be Forgotten
  • Right of Data Portability
  • “Privacy by Design” and “Privacy by Default”

Details to come.