Online all the time, anywhere with anything
Call Us: +46 8 50003170

Classify content to comply with GDPR

It is not enough to classify documents to comply with GDPR, especially here in Sweden, the Swedish Data Privacy law does not count unstructured data as data that is applicable to the law. Emails, posts on Intranet, notes in CRM and other systems will be governed by GDPR. Many organisations have an Information Classification policy for documents. Now they have to add all content sources to their policy for classification.

In the classifications I have seen it is not common to have a policy for data that contains PII(Personal Identifiable Information), now when the policies has to be updated it is vital to add what data is PII. It is also wise to have some notification on what consent the registered has made to store PII, to also include the date when the consent was collected.

The standard levels of classification is simply not enough even for smaller organizations. Many common standardized classifications contain these levels.

  • Public
  • Internal
  • Confidential
  • Secret

If ypu subscribe to Enterprise Mobility suite for Office 365 you can install the Azure Information Protection add-in to Office. This enables you to directly in Office-programs classify information even emails in Outlook. However there are other sources of storing where PII will be stored. Some of these systems are the ones below.

 

  • If you use OneNote you have a big work as the application is free-text. I will ecplain later why free text is a problem for GDPR.
  • CRM systems contain a lot of PII. To comply you can add a field for consent and date of consent to the contact records.
  • HR systems contain a lot of data that is PII and this data can be sensitive.
  • Intranet has to be searchable to find information that is PII linked to a registered. If the registered wants to use their right to erasure or even the right to data portability.

The right to data portability will create a lot of work for organizations to have systems that are searchable such as SharePoint. The registered can request to have the PII your organization store, you have to supply the registered with the data in a time period of in most cases only a month.

The process your organization has to establish to assist registered with the right to data portability is a lot of hard work. Here are a couple of new procedures that you need to establish.

  • Where can a registered request the right to data portability?
  • Can a registered ask only for data portability without the right to be erased?
  • What is the most cost-effective way to supply the PII data? You cannot charge the customer for their right to data portability.
  • What information do you need to give to the registered on the change of ownership for the stored data?
  • Do you need to encrypt the data?
  • Ca the user download the data?

As you see there are a big work to be compliant with the right to data portability.

 

Need help with GDPR