According to Nuxeo’s Director of Product Marketing David Jones, too many GDPR plans rest on the false assumption that GDPR is purely a data challenge. The need to manage Subject Access Requests (SARs) suggests otherwise.
On 25 May 2018 the EU-wide General Data Protection Regulation (GDPR) becomes directly applicable across the EU, including the UK, as part of the sweeping changes to the protection of personal data and information.
Many GDPR plans treat this as purely a data challenge, but there is an equally significant content challenge. Organisations hold content and information about customers in numerous places, yet still lack an easy way to search, access and secure that information.
That is not necessarily a problem if the focus is only on managing and securing personal information inside the organisation. And when you look at how many UK firms are addressing GDPR, they are largely focusing on just that: making sure data is locked down and secure, and that only the right people can access it.
However, a bigger issue is lurking around the corner: Subject Access Requests. An easy means of managing and accessing content becomes essential when handling this often overlooked aspect of the regulation: the right of any individual whose personal data an organisation holds (any data subject, not only EU citizens) to ask that organisation for a copy of all the personal information it stores on them, together with details of how that information is used. (In the UK currently, organisations can charge a fee for processing a Subject Access Request; under GDPR, for the most part, no charge can be levied, and the organisation normally has one month to respond.)
Subject Access Requests: The “don’t forget about me” part of GDPR compliance
In practical terms, when someone asks for their personal information a firm will be obliged to gather it from every system that could possibly hold information on that person, collate it, and share it with that individual. Because a SAR hands over everything an organisation holds on a person, the requester’s identity must be verified before anything is released; otherwise the SAR process itself becomes a route for disclosing personal data to the wrong person.
And while the British public does not know a lot about GDPR, the one thing they are likely to do in late May is test Subject Access Requests (SARs) now that they no longer incur a charge. It is more than likely that at least a minority will contact their bank, phone provider or council on that first Monday and say, “Give me all of the information you have on me, and I would like it as soon as possible please.”
Many CIOs simply have not factored the Subject Access Request load into their GDPR planning. That could be a big issue, given the negative PR that will result when people start exercising this right and find that organisations take much longer than they should to respond.
It is often said that bad news travels seven times faster than good. In the days of social media it travels a great deal faster and further than it ever did, and the negative PR consequences for organisations that get this wrong are serious.
The good news is that Subject Access Requests are precisely the kind of enterprise information challenge that Content Services Platforms can solve.
Could Content Services be the answer?
Organisations typically run many systems for managing business-critical information (ECM systems, file-sharing apps, network file folders and so on), sometimes more than one per department. In this environment it is virtually impossible to arrive at a single version of the truth, which, ironically, was a key original selling point of legacy enterprise content management (ECM) solutions.
Many leading-edge Content Services Platforms, in contrast, are ‘repository-neutral’: users can quickly find the information they need to do their jobs no matter where it resides. Better still, when the platform is integrated with other core business systems, content is delivered in context, turning information into knowledge for better decision-making.
A Content Services Platform (CSP) therefore lets firms handling Subject Access Requests connect data from all of those different systems, serve those requests when they come in, and return the results to the individual in an appropriate format and in a timely manner. It also helps an organisation identify every place within the business where personal information is actually stored, which helps from an auditing point of view as well.
Numerous solutions are being touted by vendors keen to jump on the bandwagon as delivering “GDPR compliance”. So why would anyone consider a CSP for GDPR? The truth is that no single solution can claim to deliver GDPR compliance, for two reasons:
1. GDPR is not something you “solve”; it is a set of best practices and processes for managing personal information better.
2. No single solution caters for all of those aspects at the moment, and even if one did, it could not guarantee that an organisation was compliant.
The current crop of GDPR solutions tend to look for personal information in file systems and network drives, in Word documents and Excel spreadsheets, and in other unstructured content. They will not look inside the core CRM or ERP systems, HR systems, or other line-of-business systems, which is where personal information is primarily stored. A Content Services Platform can: it looks at both file systems (for unstructured content) and connected enterprise applications (often database applications holding structured data) to provide a complete view of GDPR-related information, and so forms the foundation for meeting SAR-specific requirements as well.
Organisations need to appreciate the full impact of GDPR beyond simple data security, and consider how to accommodate Subject Access Requests adequately. And they need to do this now, before GDPR comes into force and before the SARs start arriving.
If they do not, expect the bulk of the negative PR around GDPR to be based not on lack of compliance and the associated regulatory fines, but on poor customer service and failure to properly serve the individual data subjects the regulation was put in place to protect in the first place.
By David Jones, Director of Product Marketing, Nuxeo