Expect a mad scramble for companies to comply with the recent changes to privacy and data sovereignty laws in the European Union and Russia. If your organization has been stalling on updating its governance and compliance strategy, now is a good time to start.
The European Court of Justice’s recent scrapping of the Safe Harbor agreement between Europe and the United States came on the heels of the Russian government’s amending its data protection law to require that personal data about Russian citizens be stored in Russia. While some of the implications of these new requirements are still unclear, global organizations are required to comply and ensure that they control which information is transferred into the United States and which is to remain on the soil of the country of origin.
These changes should be a wake-up call for multinational businesses or any company with employees in one region that needs to transfer information such as payroll or benefit data to another region. Further regulations could hinder sharing data between partners, vendors, or customers, such as the data needed for loyalty programs, service management contracts, or customer relationship management. The European Data Protection Authority has already said that third-party data sharing of this kind could come under intense scrutiny.
It can be a difficult task to separate information that is subject to data privacy regulations from information that is not. Sure, documents written in Russian may be easy to classify as Russian, but in a multinational corporation, a lot of Russia-related content likely will be in English and authored by employees in countries other than Russia. The best solution is a sound information governance strategy. For those who do it properly – classifying content with the right metadata – complying with any change in the regulatory landscape can be a lot easier.
On a technology level, the ability to comply with the EU and Russian laws is likely similar to complying with data laws that exist elsewhere – many countries already have information sovereignty regulations that multinational corporations are dealing with. The technology is available for multinational companies to have the right information governance platform in place to address new data sovereignty laws in other countries. What’s important, however, is that the information governance platform of choice has the flexibility and agility to address the ever-changing regulatory landscape. Some features to expect from the right information governance platform include the following:
- It works for any type of content and information.
- It can be integrated with any type of information system that you already have.
- It provides adaptability in how you define your information governance policies.
Here are the top three things for an organization to think about when looking to adopt an information governance strategy:
- The big picture: Organizations should look at their information governance holistically. Just looking at one system, emails or file shares for example, will not solve the problem. You really need to think of all the information that enters the enterprise and all the touch points where the information comes in or out.
- Implement co-operatively: The implementation of the strategy needs to be a co-operative effort between the business stakeholders and the IT department. The business stakeholders set the policies and boundaries for what needs to be accomplished, while IT needs to come up with a strategy for how to implement them. Failing that, your information governance might address the regulations, but could also stand in the way of business productivity.
- Build flexibility: Laws and regulations are changing all of the time, so organizations have to build in the expectation that there will be changes. That implies the ability to change not only the policies but also the data model itself. Without a flexible data model, you might be able to tweak your policy while facing a daunting task of reclassifying terabytes of existing data.
The continued growth of cloud-based services should also be considered when designing compliance with privacy and data-sovereignty laws. Today, choosing a cloud provider is no longer just about the functionality, features, and price. It’s also about these fundamental underlying issues that may or may not be obvious, such as data sovereignty. Challenges that attend the changing data-protection laws are compounded by the huge wave of adoption of consumer-grade software in the last couple of years, especially cloud-based services. A lot of companies have adopted consumer-grade services that make it nearly impossible to address data-privacy regulations. For example, if your content is in Google, Dropbox, or Evernote, you might have a very hard time complying.
When choosing a cloud provider, IT and business professionals should ensure that the partner can address data-sovereignty requirements. Avoiding the issue or tackling it piecemeal essentially sets up an organization for potential penalties and fines that can reach millions of dollars. At the end of the day, most regulations do not impose any dramatically new features that your organization has to implement. The majority simply require that there is good law and order in your information governance.
If your company already has some information governance practices, chances are you are in good shape and have the flexibility to make the tweaks that some of these regulation changes could require. It’s unlikely that you will need completely new software because one regulation changes. Who has access to the data? How long does the data need to stay in the organization? How do you find it and can you audit what happened? That is what most of the regulations are about. An information governance strategy that is flexible and holistic will answer these questions – and keep you in compliance with data-sovereignty requirements and regulations – without slowing down your business.
Adam Howatson is Chief Marketing Officer at OpenText. Adam joined OpenText in October of 2000. Over the past 14 years, Adam has served in Product Management, Marketing, Engineering, Information Technology, Office of The President/PMO, Partner Development, and Mergers and Acquisitions. He has developed an extensive awareness of OpenText and its customers, people, culture, products, and markets.