SharePoint and the GDPR
Implications of the GDPR
Earlier this month, I spoke at a conference in Aarhus, Denmark on the implications of the new European Union General Data Protection Regulation (GDPR). The seminar was hosted by one of our premier European partners, NNIT, and featured speakers from Microsoft, NNIT's information security consultancy, and an attorney with deep subject matter expertise in the new EU-wide law. The final document was agreed in mid-December, 2015 and is expected to become EU law in the next couple of months.
If you haven’t started preparing for the European Union’s General Data Protection Regulation (GDPR) yet, now’s the time to kick-start your strategy. Why? Because this regulation will have significant IT and legal ramifications for any organization with operations or customers inside the European Union.
While there’s still time to work on your approach to the GDPR, this is not just another ordinary regulation where a passive and complacent implementation strategy will suffice. Besides giving your European customers and employees rock-solid assurances that their personal data is secure, you will need to comply with the GDPR to avoid its enormous fines: either €20,000,000 or 4% of your revenue – whichever is greater.
So, what will you be expected to do under the GDPR and what implications does it have for your organization?
What is the GDPR?
The GDPR is a new law that replaces the EU’s existing data protection and privacy regulation. The laws currently in place are over 20 years old and are struggling to keep up with new developments in technology and data gathering methods. At the same time, a series of high-profile leaks in recent years has pushed the EU to seek out a new approach to protecting its citizens’ online lives. So, the GDPR aims to unify data privacy laws across member states by creating one law that applies to the entire EU.
The new law will:
- Provide a ‘right to be forgotten’.
- Force companies to ask consumers for explicit consent whenever they process their data.
- Ensure easier access to one’s own data.
- Make organizations announce all data breaches within 24 hours.
The most significant part of the GDPR is that it forces any company that processes or holds data on EU citizens to comply with the law. Even if your offices, servers and staff are based outside the bloc’s borders, you will still be held liable under the regulation. The GDPR truly has global reach.
So what do I have to do?
If you want to avoid getting stung by the EU’s fines and maintain the trust of your European customers, partners, and employees, you will need to immediately develop a compliance and data governance plan. Any regulatory compliance program needs to involve a variety of stakeholders inside an organization, but the uniqueness of this law means that a variety of actors, from the CIO’s office down to legal, HR, IT operations and security, should work together to discuss how best to implement a compliance program. We recommend the following steps as a starter. For a more in-depth walkthrough, download our ebook.
Appoint a data protection officer
This person will carry out regular checks of your data protection practices and ensure you are compliant.
Understand how the law will affect your business
Different companies will be affected by the law in different ways depending on where they’re based. Find out how you’re affected and what that will mean.
If your staff ever come into contact with EU citizens’ data, they’ll need to understand that they may have to treat it differently from how they did in the past.
Review your systems and the data you currently hold
The GDPR has a lot to say about what kinds of data you can store, where and in what form. Review your data to make sure it’s compliant.
SharePoint and the GDPR
SharePoint is one of the world’s most widely used document management and data storage systems, and the vast majority of Fortune 500 companies use it to store mission-critical business data, ranging from intellectual property to documents containing Personally Identifiable Information (PII) about their customers, partners, and employees. SharePoint has also been around and in use for over a decade, which means that in many companies, content sprawl is a fact of life. Under the GDPR, companies will be under enormous pressure to take inventory of the data they hold – in legacy and production systems – to ensure that personal data is protected, because a failed audit could cause enormous financial and reputational damage for a company of any size.
Metalogix’ Sensitive Content Manager can play a key role in your company’s GDPR compliance efforts. It employs machine learning to help you discover the kinds of private information that your company holds within SharePoint and then lets you decide what to do with it – whether to move it to a safer and more secure server or remove it from your systems altogether.
As I like to say, you don’t know what you don’t know – and the first step of any information security and governance plan is discovering what content you hold and where it resides. More often than not, PII is lurking on a SharePoint site with open permissions, unbeknownst to IT security and even to the SharePoint administrators themselves. Data discovery is thus the foundation of GDPR compliance, and what better place to start than SharePoint?