1504881153014
Information Governance

The Nexus Between GDPR Compliance and Effective Global Records Retention Schedules


The EU General Data Protection Regulation 2016/679 (GDPR) takes effect May 25, 2018. Organisations are racing to get their houses in order to comply with its strict data protection requirements. When it comes to personal data, individual privacy rights have far-reaching implications at the enterprise level. Yet compliance hinges on quality information governance practices when it comes to data processing and management. Under the GDPR, enterprises must be able to demonstrate that they have implemented technical and organisational measures that show they considered and integrated data protection into data processing activities. Implicit in this requirement is that companies must be able to demonstrate they know what information they possess and where they store it.

This task can be daunting. Developing the right data management toolbox is not merely a matter of investing in innovative technologies or relying on third-parties. Rather, it begins with an organisation working with the right internal and external experts to first identifying data location, volume, proliferation and protection status, and then defining policies for sensitive data classifications. Essentially, GDPR compliance is associated with the enforcement of properly developed records retention policies which establish a schedule for various categories of records or data, identify how long the information is to be kept, and provide a comprehensive plan for disposition. A successful records retention schedule (RRS) requires knowledge of the information and data stored by an organisation. The RRS allows an organisation to meet its business needs while ensuring compliance with legal and regulatory requirements and local or industry best practices.

Most organisations have poor information governance practices. The first step in overcoming the usual obstacles is a multi-disciplinary enterprise accountability initiative to develop a framework outlining the controls, metrics, processes, policies, and roles required to manage data. Unfortunately, this is easier said than done.

Fortunately, the GDPR includes two requirements that serve as information governance resources:

1) Article 30: The Record-Keeping Requirement

Article 30 of the GDPR contains record creation, maintenance, and accessibility requirements. The Article obliges organisations to create and maintain record processing activities under their responsibility (“Record”).

Creation and Maintenance

The Record should contain up-to-date information, including:

· identification and contact details of the data controller(s), processor(s), their representative(s), and protection officer;
· the purpose of the processing;
· a description of the categories of data subjects, personal data, and recipients;
· a list of international data transfers and suitable safeguards concerning the protection of personal data;
· where possible, the envisaged maximum retention periods for each data category; and
· where possible, a general description and assessment of the technical and organisational measures ensuring the security of the processing (the pseudonymisation or encryption of personal data, the ability to promptly restore availability and access to personal data in the event of a physical or technical incident, and a process for regularly testing are examples of these measures). 

Accessibility

The appropriate supervisory authorities must have the ability to access the Record upon request.

2) Section 4: The Data Protection Officer (DPO)

Under Article 37 of the GDPR, organisations must appoint a DPO if they carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking), processing of special categories of data, or data relating to criminal histories.

The role of the DPO was first established and delineated in the EU by Section 8 of Regulation (EC) 45/2001, which created the requirement that all EU institutions and bodies have a DPO. Articles 24(1)(d) and 26 of the Regulation instituted the DPO's duty to keep a register of processing operations, and Article 25(2) lists the information to be included, mirroring the GDPR's Record requirements. An adept DPO can help manage the Record, allowing it to become an internal monitoring tool offering an overview of all the personal data processing activities of an organisation.

Remember that the DPO's role runs contrary to many of the aims of others working with information across an organisation. DPOs ensure compliance and protect customers' privacy; they do not maximise data security or improve business functions. Deepening understanding of employee roles across the organisation and creating a framework through an accountability initiative will lay the groundwork for collaboration and allow lessons to be learned about information management and data wrangling solutions, something central to identifying and processing sensitive data.

While the Record and the DPO both serve as prerequisites for compliance and effective accountability measure if effectively implemented, they also add value to an organisation and become a tool for managing enterprise risk and assisting with information governance.

The stakes are high under GDPR as failure to comply could lead to a maximum penalty of €20,000,000 accompanied by long-term reputational damage.

Contributors - Jessica Sheehan and Lisa Douglas