And our lack of knowledge of what is stored in our SharePoint collaboration systems.
This blog post only gives a cursory summary of the regulation and the challenges we face; as a topic it warrants further reading, exploration and understanding, but I hope this will be enough to get you going in the right direction.
Collaborate, Collaborate, Collaborate!
When SharePoint becomes a strategic platform within your organisation, you’ll do everything in your power to make sure that it’s used to its maximum capability… The reality is we don’t spend anywhere near enough time on end user adoption, but that’s a subject for another blog post or two in the future.
Whatever the state of adoption in your organisation, when SharePoint is your Collaboration platform, people will use it for a whole range of use cases, people will store all kind of things on your collaboration solution.
You may be (quite rightly) expecting organisation charts, business documents, lots of finance spreadsheets and some business images, but what really gets put into your collaboration solution? All of those things for sure, but what else?
Do you know?
Can you hand on heart trust that your organisation is only using the collaboration platform for exactly what you expected?
I didn’t think so!
There will be people’s CVs, appraisal documents, sick notes, maybe customer or client details, project and company finances. All sorts of data stored is stored in your collaboration platform.
But this is good yes?
It means people are finding their own uses and value from your collaboration solution and that’s a positive thing?
Yes and very much no.
The challenge is how do you know that all this ‘other’ information is being secured properly, has an appropriate owner, that it has the right data classification (you do classify your data don’t you?), that it is kept for the right amount of time (disposal and retention) and that it even should be stored in a collaboration solution in the first place?
You probably don’t really know do you? It’s probably a niggling concern in the back of your mind, but hey it’s not the end of the world is it?
Well up until now, it was a challenge, it was a worry, in fact if things got out of control, data leaked or used out of turn there were possible fines and reputational damage, which would be quite annoying!
But from here on in things have gone ugly and very scary…
The Eye of Sauron is Upon Us
The EU General Data Protection Regulation (GDPR) was approved on the 15th December 2015 and the grace period for achieving compliance under the GDPR is the end of the 1st quarter of 2018.
The EU GDPR introduces a single data protection regulation. (It is not just a ‘directive’ as it was before, therefore being a ‘regulation’ means it is directly applicable to all member states without a need for local legislation) for Europe, it applies across all EU Member States and primarily covers personal data and the processing of such data, either in the EU or of EU citizens by organisations outside the EU.
Personal Data is any information you may hold relating to an identifiable or identified natural person i.e. you or me. The key term is ‘Identifiable’ and that relates to anyone that can be directly or indirectly identified by the information you hold or process such as their name, an ID number, location data, online identifier etc. furthermore it also applies to more generic identifiers such as physical, genetic, mental, cultural or social identity.
Processing of personal data covers a wide array of activities, including recording, structuring, storing, alteration, consultation, use, disclosure, erasure, destruction etc. so for all companies, there will be some level of processing of personal data that falls under EU GDPR’s gaze, very much like that of Sauron from Lord of the Rings!
So how scary is the EU GDPR, is it scarier than the all-seeing eye?
The answer is very much YES!
It’s a personally very scary €10,000,000 – €20,000,000 for culpable individuals and for entities it’s a whopping 2% - 4% of total worldwide annual turnover!
So, irrespective of where (a satellite office in Malta) and why (missing a piece of data on a collaboration solution following a ‘Right to Erasure’ request) an EU GDPR issue arises, the financial impact alone is huge and means we can no longer sweep our data protection foibles under the carpet.
The impact of EU GDPR on SharePoint Collaboratio
For your business systems (HR, CRM, Claims, Finance etc.) this is probably not too much of an issue as you know what data you have, what it’s being used for and who has access etc. but for your unstructured data stored on collaboration systems like SharePoint, most organisations really struggle to know what data they have.
Some may say that’s the nature of collaboration solutions, but EU GDPR applies significant pressure on us all to make sure that we do have a very clear understanding of what our unstructured data is and govern it appropriately.
So how important is it to understand what your users are storing in your SharePoint collaboration solution? The answer is very important and you only have 2 years to put in place processes and controls that ensure that your unstructured data is governed appropriately and in line with the EU GDPR.
Two years! We all know how long it takes to effectively impact technology projects, further more we all know how vast our pools of unstructured data are in file-shares and collaboration solutions and cloud based systems. Two years is not long, we need to act quickly and soon to avoid huge damages.
So what is the real impact of EU GDPR on your collaboration solution? Maybe the question should be where is the ‘personal’ or ‘personally identifiable’ data hiding in your SharePoint collaboration solution?
- Lists with employee or customer data in?
- Have you got copies of CV’s for recruitments candidates in your document libraries?
- Do you have the resignation letter due to personal circumstances on your management site document library?
- Are there personally identifiable photos from a customer event?
- Payroll exports?
- Temporary spreadsheets with customer details?
- Customer details or identifieable person details in discussion forum?
- etc. etc.
The list of places where personal data can hide in plain sight of the auditors on your SharePoint collaboration solution is astonishing.
The number of ways that this content can be accessed, used, processed, misused, shared and basically live ungoverned, unstructured is worrying.
There is no single answer to removing the pressures that the EU GDPR now places upon us all; the nature of collaboration solutions and unstructured data means that this challenge is very real and very difficult to solve without significant investments in culture, technology and process.
We want our collaboration solutions to facilitate our teams working together, break down silos, foster innovation and encouraging knowledge sharing across our businesses. We want collaboration to be woven into our business processes and enable our employees to unlock the full potential of our unstructured data.
We used to do this by adopting a free-love, no barriers, open relationship between unstructured data and our employees. But now we need to take a little more pragmatic view on our collaborative world, we need to comply with policy, legal, regulatory and business processes as well as the EU GDPR if we are to stay in business.
Information Governance needs to be applied by default, not exception, because we don’t really truly know where or when we need to apply the rules in our SharePoint collaboration systems, especially when it comes to personal data.
We need to go on a huge business change journey to take us from a world of unmanaged, unstructured, unknown data, to a position of knowledge, understanding and effective governance whilst balancing our overall vision of unlocking the value of our unstructured data.
For each and every piece of data in your SharePoint Collaboration solutions, we need:
- To know if it is personal or identifiable data
- Clarity of what it is we hold
- Understanding of how it can be processed
- To know who owns it
- Clear understanding of who can access it
- To understand what business value it offers us
- Clear retention and disposal policies
- To know exactly how EU GDPR applies to it
- ….and much much more.
Two years is not very long in business terms.
Two years is nowhere near long enough in IT and business change project terms.
You need to act now.← Other blog articles