In partnership with:
www.aiim.org
About the Research
As the non-profit association dedicated to nurturing, growing and supporting the information management community, AIIM is proud to provide this research at no charge to our members. In this way, the entire community can leverage the education, thought leadership and direction provided by our work. We would like these research findings to be as widely distributed as possible. Feel free to use individual elements of this research in presentations and publications with the attribution – “© AIIM 2017, www.aiim.org”. Permission is not given for other aggregators to host this report on their own website.
Rather than redistribute a copy of this report to your colleagues or clients, we would prefer that you direct them to www.aiim.org/research for a download of their own. Our ability to deliver such high-quality research is partially made possible by underwriters, without whom we would have to use a paid subscription model. For that, we hope you will join us in thanking them.
Process and Survey Demographics
While we appreciate the support of these sponsors, we also greatly value our objectivity and independence as a non-profit industry association. The results of the survey and the market commentary made in this report are independent of any bias from the vendor community. The survey was taken using a web-based tool collecting responses from 104 individual members of the AIIM community during the month of May 2017. Invitations to take the survey were sent via e-mail to a selection of the AIIM community members and through various social media outlets. Survey demographics can be found in Appendix 1.
About AIIM
AIIM has been an advocate and supporter of information professionals for over 70 years. The association mission is to ensure that information professionals understand the current and future challenges of managing information assets in an era of social, mobile, cloud and big data. AIIM builds on a strong heritage of research and member service. Today, AIIM is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants.
© AIIM 2017
About the Author
Bob Larrivee is Vice President and Chief Analyst of AIIM Market Intelligence. Internationally recognized as a subject matter expert and thought leader with over thirty years of experience in the fields of information and process management, Bob is an avid techie with a focus on process improvement, and on applying advanced technologies to solve business problems, improve business processes, and automate business operations.
AIIM 1100 Wayne Avenue, Suite 1100 Silver Spring, MD 20910 +1 301.587.8202 www.aiim.org
AIIM Europe Office 1, Broomhall Business Centre Broomhall Lane, Worcester, WR5 2NT, UK +44 (0)1905 727.600 www.aiim.org
Tap into vendor-neutral industry research through AIIM. Learn about industry trends, benchmark your organization's progress, and understand important next steps to move your organization forward.
Page | 2
www.aiim.org
Introduction
In April 2016, the General Data Protection Regulation (GDPR) passed in the European Union (EU) and will be enforced beginning in May 2018. The intention of GDPR is to strengthen and unify data protection for all individuals within the EU. As with most regulations of this type, the impact is felt most directly by businesses within the EU, but it also extends to any company transacting business within the EU. In short, GDPR has an international impact on how businesses manage and protect their EU-related information and data assets.
Aside from GDPR, there are implications businesses must be concerned with in relation to data privacy and protection. Research data in this study shows that for the thirty-one percent of respondents reporting data loss or exposure within the last twelve months, the primary reasons cited are staff negligence or bad practices, not technology or hacking. Sixteen percent of our respondents reported internal or HR incidents due to unauthorized access. The result of these breaches is the exposure or loss of Personally Identifiable Information (PII) of employees, customers or citizens. In terms of GDPR, a lack of compliance could lead to sanctions of up to four percent of worldwide turnover, based on the previous financial year.
The survey we conducted in May 2017 is intended to assess the general readiness of businesses in relation to meeting the compliance requirements of GDPR as we approach the May 2018 enforcement deadline. The following report presents the results we collected along with our analysis of those results, and our recommendations on steps businesses can take to better prepare for GDPR enforcement day.
(Note: While the information contained in this document provides insight that can be beneficial, it is in no way intended to serve as or be considered as legal guidance. AIIM strongly recommends businesses seek professional legal advice and services in addressing compliance needs related to GDPR.)
Key Findings
1. Thirty-two percent of respondents have GDPR projects in place preparing for the May 2018 enforcement. Six percent say they are fully prepared.
2. Twenty-three percent of respondents feel they will be fully prepared for GDPR by May 2018. Thirty-two percent will still be planning for GDPR.
3. Thirty-one percent of respondents cite data loss or exposure due to staff negligence or bad practices in the last 12 months. Sixteen percent cite internal or HR incidents due to unauthorized access.
4. Fourteen percent of respondents report exposure or loss of Personally Identifiable Information (PII) on customers or citizens as a result of data breaches. Ten percent report loss or exposure of employee data.
5. Twenty-six percent of respondents say they understand the issues related to the appointment of a Data Protection Officer (DPO). Nineteen percent indicate they are fully prepared to appoint a DPO.
6. Fifty percent of our respondents agree that GDPR requires a holistic approach across the enterprise. Thirty-nine percent feel that strong Information Governance (IG) practices are key to managing data privacy.
7. Seventy-four percent of respondents will focus on developing strong Information Governance (IG) policies. Fifty-seven percent will conduct awareness training and implement data cleansing exercises to ensure data quality and integrity.
Generally Speaking
Preparedness is key in any situation, especially when it comes to regulatory compliance, where fines for non-compliance will be quite harsh. But let’s put GDPR aside for the moment and discuss what should be of greater concern and the underlying reason for regulations like GDPR: protection of personal information – data privacy. Businesses have a responsibility to protect the data entrusted to them by their employees and customers, and for government agencies, by their citizens. Our research finds that thirty-one percent of respondents report data loss or exposure happening within the last twelve months. The primary reason cited is staff negligence or bad practices, not technology or hacking. Sixteen percent of our respondents reported internal or HR incidents due to unauthorized access. The result of these breaches has been the exposure or loss of Personally Identifiable Information (PII) on employees, customers, or citizens.
Figure 1. On a scale of 1 to 5 (1 being not at all and 5 being fully prepared to meet the requirements) how would you rate the readiness of your organization in meeting GDPR requirements now? (Responses: Not at all; We are thinking about it; We are planning for it; We have a project in place; We are fully prepared)
This brings us back to GDPR and the need for regulatory guidelines to protect personal data. In short, GDPR is intended to unify and theoretically simplify data protection practices for businesses within the European Union (EU). In a sense, GDPR gives control of personal data back to the individual owners residing within the EU. It addresses personal data managed both inside and external to the EU, meaning that international companies are impacted by this regulation as well.
As we sit one year following the passing of GDPR, with less than a year left until enforcement, we asked our respondents about their level of readiness. One might think that given the amount of time to prepare in advance of enforcement, a significant number would have responded that they were fully prepared, yet the opposite is true.
We find that only six percent of our respondents feel they are fully prepared for GDPR while twenty-five percent say they are thinking about it and seven percent say they have basically done nothing at all. (Figure 1)
We then asked our respondents to look out to May 2018 and make a projection of their GDPR readiness for their businesses at the time enforcement takes hold. At that point in time, twenty-three percent say they feel they will be fully prepared, with twenty-five percent indicating they will have a project in place, yet there are still six percent who say they will still have done nothing by that time.
Considering there is still nearly a year to prepare, the combination of those who are “thinking about it” and those who feel they will have not done anything at all is quite significant and leads one to wonder if these businesses feel there is no real reason to be concerned, or if they simply do not understand GDPR and what the impact of non-compliance will be for them. (Figure 2)
Figure 2. On a scale of 1 to 5 (1 being not at all and 5 being fully prepared to meet the requirements) how would you rate the readiness of your organization in meeting the GDPR requirements when it goes into effect in May of 2018? (Responses: Not at all; We are thinking about it; We are planning for it; We have a project in place; We are fully prepared)
Figure 3. On a scale of 1 to 5 (1 being not at all and 5 being fully prepared to meet the requirements) how concerned are you about the impact GDPR will have on your business? (Responses: Not at all; We are thinking about it; We are planning for it; We have a project in place; We are fully prepared)
So if there is no action, or it appears that there is little action being taken, is there really any concern on the part of these companies? There should be: this is a compliance requirement, after all. When asked about the level of concern, using the same response type as the previous questions, we find that eight percent are not concerned at all while twenty-five percent say they are thinking about it. Additionally, fourteen percent say they are “fully prepared.” For those who are not concerned or are only thinking about it, this is a reminder that the clock is ticking. While the compliance element is a certainty, there is also the hard fact that data leakage or breaches do in fact occur and certainly should be an area of focus and concern, even if GDPR is not, as this could impact your business overall. The good news is that the majority are in fact planning and preparing for GDPR enforcement to arrive in May 2018 and should be in relatively good shape when it does. (Figure 3)
Of course perception is everything, and so having asked about preparedness and concern, we asked about the perceived level of understanding on the part of the executive team. Twenty-one percent told us they feel their executives have little awareness (13%) to no idea (8%) of what GDPR is or means, indicating that for these businesses it will be a struggle over the next several months should they decide to take action. On the other hand, forty-seven percent say that their executives are aware of (26%) or fully understand (21%) the non-compliance implications of GDPR, indicating that they at least have a sense of what it means for their businesses. The fact that executives understand the implications of non-compliance is a positive indicator that some actions may be taken to move the organization forward, if not to fully comply by May 2018. This begins a process that puts some projects in motion to align the business's IG policies, procedures, and strategies to support GDPR compliance. (Figure 4)
Figure 4. On a scale of 1 to 5 (1 have no idea and 5 fully understand the implications) how would you rate the level of understanding your executives have of the implications of GDPR non-compliance?
When looking at where PII data is stored, it is no surprise that data, which can be found in content, is stored in email and on email servers, which tops the list for seventy-seven percent of our respondents. This of course presents a challenge when we asked where GDPR impacted content is stored, as email remains to this day the largest challenge of all when it comes to content, as do PCs and network drives, listed by sixty-seven percent of respondents.
It seems there may be a challenge lurking for the forty-seven percent who report storing their GDPR content with various third parties, including their partners and suppliers. Put yourself in this situation. You are being called upon to erase all PII related to a client. This includes any that you have stored with a third party. What policies, procedures, and validation do you have in place to ensure and demonstrate this has been done in compliance with the GDPR requirements? (Figure 5)
Figure 5. Understanding that there is PII data already managed within databases and Line-of-Business applications like Salesforce, etc., where do you feel GDPR impacted content is being stored within the following: (Responses: Email and Email servers; PC and network drives; ECM System; Cloud applications; Mobile devices; Enterprise File Sync and Share (EFSS) silos; ERM System; Third parties (Partners, suppliers, etc.); Removable storage devices; Unmanaged file servers; Unknown; Other)
Part of meeting GDPR requirements is based on having a solid Information Governance (IG) framework and policies that align with and support GDPR. This framework typically would include, but is not limited to, policies, processes, people, technologies, training, and monitoring. Policies will outline areas focused on use, security and more.
We asked our respondents to rate their IG policies, in particular those that define security and compliance in different areas. Thirty-five percent say they are above average to excellent in addressing PII stored on-premise, while more than one third are below average to poor when it comes to mobile devices. (Figure 6)
Figure 6. On a scale of 1 to 5 (1=Poor; 5=Excellent), please rate your Information Governance policies that define security and compliance for the following. (Areas rated: PII stored on premise; PII in transit (to and from websites, office…; PII stored in files and documents; PII stored in other countries; PII Collection within your country; PII collected from other countries outside…; Laptops; Mobile phones and tablets; Removable Storage Devices; Personal Identifiable Information (PII)…. Scale: 1 = Poor, 2 = Below average, 3 = Average, 4 = Above average, 5 = Excellent)
Knowing how they feel about their security practices, we then turn our attention to the ways in which they hold personal data, in this particular instance, on European employees and customers outside of their home regions.
Forty-seven percent indicate they hold HR records for European employees, and forty-two percent indicate they hold SaaS application data on their customers that includes contracts, invoices, and other business information along these lines. (Figure 7)
Figure 7. In which of the following ways does your organization hold personal data on European employees and customers outside of your home region? (Responses: HR records for European employees; SaaS application data on customers (CRM, contracts, invoices, etc.); SaaS application data on employees (e.g., Payroll, HR, etc.); Cloud content apps; Data centers; Cloud stored content; As a SaaS provider of applications; As an outsource provider of services; None of these; Don’t know)
Extending this beyond just European employees and customers, we asked the same question in more general terms about the ways in which they hold personal data on non-European employees and customers outside of their home regions.
Forty-seven percent indicate they hold HR records for non-European employees, thirty-five percent use cloud content applications, and forty-two percent indicate they hold SaaS application data on their customers that includes contracts, invoices, and other business information along these lines. (Figure 8)
Figure 8. In which of the following ways does your organization hold personal data on non-European employees and customers outside of your home region? (Responses: HR records for European employees; SaaS application data on customers (CRM, contracts, invoices, etc.); SaaS application data on employees (e.g., Payroll, HR, etc.); Cloud content apps; Data centers; As a SaaS provider of applications; As an outsource provider of services; Other; None of these; Don’t know)
Figure 9. Has your organization suffered any of the following in the last 12 months? (Responses: A data loss or exposure due to staff negligence or bad practice; A data breach involving internal staff or ex-staff; Internal or HR incidents due to unauthorized access; A data breach from external hacking or intrusion; Don’t know)
One of the challenges of poor IG practices, and a topic that is in the news almost daily, is data breaches. Every business must, at minimum, recognize the possibility that a data breach could occur at some point in time, at some level. When we asked our respondents if they had suffered a type of data breach within the last twelve months, thirty-one percent of respondents told us that they had suffered data loss or exposure due to what they felt was staff negligence or bad practice.
For sixteen percent equally, a data breach had occurred involving internal or ex-staff, or internal or HR incidents due to unauthorized access. (Figure 9)
Along with every data breach comes a consequence, and when looking at the consequences, our respondents told us that disruption of normal business topped the list for twenty-one percent, which is of no surprise as any data breach is sure to cause disruption of some sort. What is concerning here is the exposure or loss of customer and citizen PII data as reported by fourteen percent of our respondents, and the same of employee data as reported by ten percent. It is here where not only are businesses subject to fines and possible litigation, but loss of trust and loss of business as a result. (Figure 10)
Figure 10. What have been the consequences of these data breach incidents? (Responses: Disruption to normal business; Exposure/loss of PII data on customers/citizens; Loss of customer trust; Loss of competitive information; Exposure/loss of PII data on employees; PR impact; Action/fines from the regulator; Other; Don’t Know)
Figure 11. Have you assessed the likely changes required by the forthcoming European Data Protection Regulation (GDPR)?
Impact of GDPR
At minimum, given that GDPR passed into law in May of 2016 and will be enforced in May 2018, you would think every business would have done an assessment to understand what changes are required of them. As of the date of this report, ten percent say they are not familiar with GDPR, five percent are waiting for it to be enforced, and four percent feel it does not apply to them at all. I would say that if you are a gambler, OK, go with that. For those who are more proactive, forty percent feel they will be in good shape in May 2018, and thirty-five percent say they have done their initial assessments, so they do understand what is required of them. Of course, doing an initial assessment and actually being ready are two different things, but at least credit should be given for taking those steps. (Figure 11)
Change brings with it issues, and the changes related to GDPR, while challenging, could be seen as similar to those of other regulatory requirements and information management initiatives. So do businesses understand the issues as they relate to GDPR? That depends on the topic. When looking at the right to access PII, forty-one percent of respondents say they have a good understanding of the issues, while fourteen percent indicate they fully understand the issues related to an individual’s right to access personal information on demand. When addressing data in transit, thirty-four percent have some understanding, while twenty percent have little (16%) to no (4%) understanding of the issues at all. (Figure 12)
So nearly one quarter really have no clear understanding of what is required of them in relation to the movement of data across their enterprise, between their resources and partners, or between their resources and other external parties. Since security is an essential part of data protection and data transit is part of day-to-day business activity, this is an area of concern, or at least should be, and needs to be an area of focus, given it is a potential weak point where a data breach could occur.
Figure 12. On a scale of 1 to 5 (1 being no idea and 5 being fully understand) how well does your company understand the issues of each of the following as related to the requirements of GDPR? (Issues rated: Data export restrictions; Data in Transit; Right to access personal information (On-demand electronic copy of data held); Data Portability; Right to be forgotten/erased; Explicit consent; Privacy by Design; Appointment of Data Protection Officer (>5,000 subjects); Breach notification “without delay”. Scale: 1 = No understanding, 2 = Very little understanding, 3 = Some understanding, 4 = A good understanding, 5 = They fully understand)
Understanding an issue and the ability to address an issue are two significantly different things, and so we asked our respondents how prepared their businesses are in addressing the issues related to GDPR.
Twenty-seven percent of our respondents said they feel they are well prepared and ten percent fully prepared to manage data in transit. Nineteen percent of respondents indicate they are fully prepared to appoint a Data Protection Officer (DPO), with an additional twenty-four percent well prepared to appoint a DPO. (Figure 13)
Figure 13. On a scale of 1 to 5 (1 being no idea and 5 being fully understand) how prepared is your company in addressing the issues of each of the following as related to the requirements of GDPR? (Issues rated: Data export restrictions; Data in Transit; On demand electronic copy of data held; Data Portability; Right to be forgotten/erased; Explicit consent; Privacy by Design; Appointment of Data Protection Officer (>5,000 subjects); Breach notification “without delay”. Scale: 1 = Not prepared at all, 2 = Somewhat prepared, 3 = Prepared, 4 = Well prepared, 5 = Fully prepared)
There will be an impact with all of this, the question is where will the greatest impact be felt? According to thirty-two percent of our respondents the greatest impact area for them will be in the areas of unstructured data and application systems, followed by the procedural and process areas for twenty-one percent.
This makes sense, especially with unstructured data and content where there are few to no controls over how it is managed, and with new regulations and compliance requirements comes the need for new or modified processes and procedures to ensure adherence. (Figure 14)
Figure 14. In what business area will the impact be greatest? (Unstructured data system and application changes (ECM, email, shared drives, etc.), 32%; Procedures and process, 21%; Staff training and conformance, 20%; Structured data system and application changes (ERP, CRM, Big Data, etc.), 15%; Governance policies, 10%; Cloud and SaaS services, 3%)
Figure 15. How do the data protection requirements of GDPR compare to your home region? (Where your parent company is located) (This is where my parent company is located, 33%; About the same, 30%; More stringent, 26%; Don’t know, 7%; Less stringent, 4%)
Opinions
GDPR is not the only regulatory requirement businesses must comply with; there are many more, and the question might be, how does this one compare to the rest? So out of curiosity, we asked how our respondents felt about GDPR as compared to the data requirements of their home regions. Twenty-six percent see them as more stringent, while thirty percent say they are about the same. One-third cite that Europe is where their companies are located, so for them we can say there is no difference as well. We find that only four percent say that GDPR is less stringent than the other regulations they must adhere to in their regions. This could also be based on the nature of their business, such as the oil and gas industry. (Figure 15)
The majority of our respondents agree (39%) or strongly agree (50%) that GDPR is not a one-off siloed project, and requires a holistic approach that combines governance, training, technology, process and security. This same mind-set holds true among the majority that strong IG practices are key to managing data privacy. There is also a sense, where forty-seven percent agree and ten percent strongly agree, that the government should “encourage” the creation and use of stronger and more tamper-proof encryption tools. (Figure 16)
Figure 16. How do you feel about the following statements? (Strongly Disagree, Disagree, Neither Agree nor Disagree, Agree, Strongly Agree) (Statements: Our senior management don’t take the risks of the GDPR seriously; The government should encourage “stronger, tamperproof” data encryption; Cloud providers need to do more to re-assure regionalized data controllers; There is a lack of GDPR ready tools and applications which might prevent us to be ready in…; The privacy rules are changing faster than we can change our systems; Strong information governance practices are key to managing data privacy; GDPR requires a holistic approach consisting of governance, training,…)
We saw in an earlier question that many businesses are ready to appoint a Data Protection Officer (DPO), but how many already have one in place? We find that at the time of writing this report, thirty percent of our respondents have a DPO in place today, with an additional twenty-five percent planning for it. (Figure 17)
Given this is one of the elements of GDPR – as highlighted in Article 37 titled “Designation of the data protection officer” [1] – from a readiness perspective, this is a major step toward being compliant at the time of enforcement in May 2018.
Figure 17. Do you have a Data Protection Officer responsible for GDPR? (Yes, 30%; No, 44%; Planned, 25%)
Having a DPO is not the only action needed to be compliant; there are many more, so we asked what our respondents will be doing between now and May 2018. The top of the list includes developing stronger governance policies (74%), developing and conducting regular training and communications (57%), and ensuring data quality and integrity are maintained and cleansed as required and requested (57%).
Surprisingly, only thirty-six percent said they will incorporate a means to monitor the information environment for potential leaks, and thirty-three percent say they will use analytics tools to identify and classify PII. This is an opportunity to streamline this activity, but also to gain consistency, increase quality, and strengthen defensibility. (Figure 18)
Figure 18. What actions will you be taking to prepare for May 2018 and compliance with GDPR? (Choose all that apply) (Responses: Develop stronger governance policies; Develop and conduct regular training and communications; Ensure data quality and integrity are maintained and cleansed as required and…; Design standardized processes for managing GDPR specific governance…; Establish and implement regular audit practices; Design standardized processes for managing information and transactions…; Using information policy and data/content inventory tools to enforce desired actions…; Identify international risk factors and develop a plan to mitigate those risks; Incorporate a means of monitoring the information environment for potential leaks; Using data and content analytics tools for PII identification and classification; Implement a notification communications system for potential breach alerts; Other)
Conclusion
GDPR is an extremely important issue lurking on the horizon for EU businesses and those transacting business within the EU. Enforcement of GDPR is scheduled for May 2018 and all businesses must comply, but more importantly, GDPR stresses the importance for businesses and government agencies to protect and secure the PII data entrusted to them by their employees, customers, and citizens. As shown in this report, data breaches occur not, as we might think, through the hacking of technology, but more frequently through human error, negligence or a lack of clear policy and oversight. This is where strong Information Governance combined with training, technology, enhanced security measures, and regular auditing of the information ecosystem enables companies to get a helicopter view of their enterprise to ensure data is protected, detect potential risks, and take corrective actions as needed.
Yes, GDPR is the driving force to move businesses toward stronger data protection practices, but it should be seen as a positive motivator and an opportunity to do what must be done—and should have been done all along. It is also an opportunity to evaluate how technology will support your IG initiatives and align your business to comply with GDPR to strengthen your practices.
As you have read this report, we hope that you have asked yourself these same questions and answered them truthfully. Is your business ready for May 2018 and GDPR? How protected is the PII entrusted to your business and, if required, could you prove the integrity of the data? Do you know where all of the PII in your business resides, or are there areas of doubt, like email inboxes and network drives? Let’s take this one step more and consider mobile devices: is there a possibility that the employees in your business have PII from your customers or citizens sitting on their mobile phone or tablet? If so, how would you know, or more relevantly, could you access and destroy it if requested to do so?
Taking this into consideration, how do you feel about your business readiness and where do you feel you can improve in relation to GDPR?
Tap into vendor-neutral industry research through AIIM. Learn about industry trends, benchmark your organization's progress, and understand important next steps to move your organization forward .
Page | 13
www.aiim.org
Here are several things to consider.
Know what you have for PII
Identify what PII data is being captured, in what forms, where it is captured, how it is captured, who is capturing it, and how it is being used. Then limit this to only the minimum amount of data needed for specific and legitimate purposes.
Create a “Helicopter” view
Connect your data and content between systems across the enterprise to get a clear view of what data is being used, who is using it, and who is trying to use it. This will also enable better control over security, portability, transit monitoring, and disposition.
Maximize metadata use
Automated metadata application through auto-classification can help ensure privacy-by-design and compliance-by-default, and can also assist in retention management to limit storage.
Apply encryption technologies
Encryption can be applied to PII both in transit and at rest to ensure the integrity and confidentiality of the data entrusted to you.
Control and monitor
Use access control lists to grant access, and audit trails to track and monitor activity within the information ecosystem. The net gain is the ability to know when and how PII is being accessed, as well as who is accessing it.
These are a few things to consider to get you started down the path to protecting PII and meeting the May 2018 compliance deadline for GDPR. As noted in the beginning of this report, we highly recommend that you seek the advice of legal counsel and the expertise of those closely familiar with GDPR, as these individuals can work closely with you to discuss your specific needs as they relate to GDPR. We also invite you to reach out to our underwriting partners, who have worked with their customers in developing GDPR programs and practices in an effort to meet the looming May 2018 enforcement deadline. Even if you have done nothing to date, it is not too late to begin. The next step is yours.
© AIIM 2017
Appendix 1 – Demographics
Total survey responses = 104

Company Size
1-10: 12%
11-100: 22%
101-500: 16%
501-1,000: 7%
1,001-5,000: 18%
5,001-10,000: 8%
Over 10,000: 17%

Sector
IT & High Tech — supplier of ECM products or services: 24%
Consultants: 14%
IT & High Tech — not ECM: 13%
Document Services Provider: 6%
Engineering & Construction: 5%
Government & Public Services – National/International: 5%
Manufacturing, Aerospace, Food, Process: 4%
Insurance: 4%
Non-Profit, Charity: 3%
Telecoms, Water, Utilities: 3%
Legal and Professional Services: 3%
Government & Public Services – Local/State: 3%
Media, Entertainment, Publishing: 2%
Life Science, Pharmaceutical: 2%
Education: 2%
Finance (Non-Banking): 2%
Banking: 2%
Retail, Transport, Real Estate: 1%
Healthcare: 1%
Other: 1%

Role (bar chart, axis 0% to 30%; individual values not recoverable from the text)
Categories: IT Consultant or Project Manager; President, CEO, Managing…; Head of records/information…; Business Consultant; IT staff; Head of IT; Records or document…; Line-of-business executive,…; Sales; Marketing; Legal/Corporate…; HR
DocuWare Europe GmbH
Therese-Giehse-Platz 2
82110 Germering
Germany
Tel: +49 (0)89 / 89 44 33 - 0
Fax: +49 (0)89 / 841 99 66
docuware@docuware.com
www.docuware.com
SALES CONTACT: Marcin Pichur – Senior Sales Director
+48 660 700096
Marcin.pichur@docuware.com
About DocuWare DocuWare office automation solutions deliver smart digital workflow and document control that set a new pace for worker productivity and business performance. DocuWare’s zero-compromise cloud services are a recognized best-fit for digitizing, automating and transforming key document-centric processes in finance, human resources, manufacturing, government, and more. DocuWare proudly supports over 16,000 customers and operates in over 70 countries with headquarters in Germany and the U.S.
AIIM (www.aiim.org)
AIIM is the global community of information professionals. We provide the education, research and certification that information professionals need to manage and share information assets in an era of mobile, social, cloud and big data.
© 2017 AIIM
AIIM
1100 Wayne Avenue, Suite 1100
Silver Spring, MD 20910
+1 301.587.8202
www.aiim.org
AIIM Europe
Office One, Broomhall Business Centre, Broomhall Lane
Worcester, WR5 2NT, UK
+44 (0)1905 727600
www.aiim.org