Channel: Products – M-Files Blog

Ready For GDPR? Are You Sure You Don’t Have Undocumented Personally Identifiable Information?


One of the key principles of GDPR is that you have to transparently explain what personally identifiable information (PII data) you collect, how you collect and process that data, and why. To manage this process, most companies catalogue different information management systems that contain such data. These data registries are then often managed by a designated individual and the security is audited regularly.

It sounds simple – list the systems where you collect and process data, and explain what those are, why you use them, and what information you collect. For a business-to-consumer organization, such registries could include CRM systems and marketing automation systems. But what happens when a user exports a contact list from such systems to an Excel file and saves that to a network share folder?

At that point, a new data registry that contains PII data is created and it should be catalogued, and the users of that registry should be trained to process the data properly. It is quite likely that lots of such mini-Excel registries have been and are being saved all over the company network.

A recent study from AIIM reveals that over 30% of organizations have little or only marginal confidence that the personal information in their core content systems is under control. Shared drives, SharePoint repositories, and content lodged in third-party SaaS applications are particularly challenging.

The data dilemma

A lot of content in network folders is obsolete. Storage is cheap, and no one really knows what the data is or whether it’s relevant. A Veritas study confirms that typically 85% of all organizational data is either so-called ROT data (redundant, obsolete, or trivial) or can be considered dark data, meaning no one knows what it contains.

The dilemma with GDPR requirements is that companies have to define and transparently document their data handling processes for PII data. Organizations cannot collect and store personally identifiable information unless there is a documented reason to do so and the individual the data represents agrees with the process. But how do you know if your ROT data contains PII data? And if you don’t know, then how can you manage it?

A typical enterprise can have millions of documents in its network folders. It is impossible to search for PII manually – such a task could take years to complete, and the job might never finish as new information is created every day.

GDPR needs to be taken seriously

The first preliminary ruling about GDPR has recently been issued in Germany. US-based ICANN (Internet Corporation for Assigned Names and Numbers) had been demanding that its German partner collect the names and contact details of the individuals with technical and administrative responsibility who had been buying internet domains, in case there are issues with the registration. The court denied the collection of personal data, on the grounds that there was no clear business need to collect that data. This shows the effect that GDPR has on businesses and organizations everywhere if they operate in Europe.

Customers and prospects have the right to know what data has been collected about them and for what reasons. They also have the right to request that their data be forgotten and to have all their personally identifiable information erased. The potential fines for failing to comply can be significant: up to 4% of annual revenue or up to 20 million Euros, whichever is more. The first cases will show how strictly the EU Commission will apply the fines.

According to the same AIIM study, automated document classification and PII identification are among the most important IIM technologies in companies’ compliance efforts.

Introducing M-Files Repository Sensor – an AI-powered toolkit to identify PII data

M-Files introduces a new AI-powered add-on product called M-Files Repository Sensor to its Intelligent Information Management solution portfolio. The tool leverages artificial intelligence and technologies such as text analytics and natural language understanding (NLU) to identify certain patterns in content, such as social security numbers, and helps organizations better achieve compliance with GDPR.

M-Files can crawl its own repository as well as all connected repositories, such as SharePoint, Documentum, or traditional network folders, to identify PII data. Identified content is tagged with metadata and can be processed via workflows to ensure that misfiled content is either destroyed or moved to documented GDPR data registries.

Want to learn more? Contact us.