Welcome everyone to today's guest lecture. Dr. Lisa Dalby is an information governance professional with the Royal Bank of Canada. Lisa holds a PhD in information technology and is a Certified Records Manager and a Certified Information Governance Professional. Lisa is also, as most of you know, a lecturer at the School of Information at San Jose State University in both the Master of Archives and Records Administration and the Master of Library and Information Science programs. Lisa teaches on a variety of subjects, which include emerging technology trends and their effect on information management and governance, and today she's going to speak to us about the compliance issues with the EU's new GDPR regulations. So Lisa, I'll turn it over to you.

Hello everyone, and thank you, Pat, for that lovely introduction and this kind invitation to speak. As the title of my presentation indicates, I'm here to have a very high-level conversation about the European Union's General Data Protection Regulation, commonly known as GDPR. What I'm going to talk to you about today is very much from the perspective of an information management professional, a records management professional. GDPR is really a very complex piece of legislation with, you know, very gray areas in places, and I am really here just to share my story as an information governance professional and a records manager who worked on a large GDPR project for a large organization that operates in the European Union, starting around 2017 and continuing up until today and beyond. So welcome everyone; we're really going to be talking about GDPR and a path towards records and information management compliance.

By way of agenda for today, I thought we'd begin with a high-level overview of what the EU General Data Protection Regulation is, with a flavor of me interjecting my perspective from an organizational case study. Then I want to talk about what is really most important to records managers and information management professionals: the concept of data subject rights under GDPR. Probably the most talked about subject right in GDPR is the concept of the right to erasure by clients or customers or people, also known in the general media as the right to be forgotten, and it is probably what we will be focusing on the most today. Because the new California Consumer Privacy Act is getting a lot of attention in the media, I thought I would take some time to draw comparisons between GDPR and the new California reg. Then we really do, as information managers and records managers, need to understand the exemptions that apply to us under the right to erasure, or the right to be forgotten, or the right to deletion. As we close out today's discussion I will talk about, under GDPR and beyond these data subject rights, additional information management or records management responsibilities that came about because of the new regulation, and then I will close out, as always, by talking about the importance of information governance programs and records management programs. You can really only succeed in this space by moving forward with an information governance or, at the very least, a records and information management program.
Complying with GDPR was, from my perspective, a massive undertaking for an organization. It took a large compliance program with senior executive oversight, with a number of working committees, and dividing those committees into various work streams. I managed and chaired the data retention and destruction work stream within the GDPR project, which is very specific but very relevant to records and information management, and I'm just here to share my experiences with you, given that it is a unique experience working on a GDPR project for a multinational organization.

The organization is a major bank. It provides commercial banking, wealth management and insurance; it has 84,000 employees and 16 million clients, operating in 33 countries, so it really is a great case study to look at. Under GDPR the organization is considered a controller, it controls information, and it is also a processor, it processes information on behalf of other organizations. Obviously an organization this size will have personally identifiable information, or personal data, and that is the key focus of GDPR: personal data. GDPR defines personal data as any information relating to an identified or identifiable natural person, and that's really broadly interpreted. Identifiable information is your name, your ID numbers, your account numbers, your customer numbers, or any combination of those. What is important about that definition is also the concept of a natural person. It really just means people, so that excludes legal entities, corporations, foundations or institutions, which is an important concept; we're really just talking about people. The regulation also talks about from birth to death, so it's all encompassing; it's for the life of the natural person. GDPR also talks a little bit about sensitive data, which it describes as biometrics, health data, your race, your ethnicity, your sex, your sexual orientation, your religion, so there's also a sub-definition of personal data. I really did want to stress that as records and information professionals, and as information governance professionals, we really care about all data. So when we talk about GDPR, which is very specific to personal information or sensitive data, we have to always keep in mind that we as information professionals care about all data, not just what is personal or sensitive as defined under GDPR.

I'm going to begin by talking about when GDPR took effect, which was May 25th, 2018. It's been over a year, so it's really interesting to reflect on what the last year looks like in terms of GDPR compliance. The reg was really designed to protect the privacy rights and freedoms of individuals residing in the EU, and we only have to look at the media weekly and read about the breaches and scandals. If we have some time at the end we can talk a little bit about Equifax; that's probably one of the biggest ones I've seen recently. So we really do need to understand that this is a reality, that breaches and the privacy of our information are a serious concern. Given that GDPR is concerned with the processing of EU residents' personal data regardless of where the information is stored, the reg is really affecting organizations globally. GDPR is a comprehensive regulation with provisions that talk about client consent, data breaches, data processing, security and individual subject rights, and individual subject rights is what we're going to be focusing on today, because that really is one of the key things that we should understand as managers and information professionals. So what is really interesting about GDPR, and why it is
receiving so much attention outside of the EU, is really because it's expected to set the standard for all privacy regulations globally to follow. I'm closely tracking New Zealand, Chile and India, and Canada is making some changes to its privacy regulations, so it's really interesting to see how this reg is affecting other national privacy regulations across the globe. What is really scary about GDPR is that the EU supervisory authorities, or what we know as regulators, can fine organizations 20 million euros or 4% of annual global revenue for violations. Again, that's why this is getting so much attention, because those fines for organizations can be quite substantial.

So, individual subject rights, and this is where we'll start. Under GDPR, data subjects, who are people, have a number of rights, and my goal really is to share with you what these rights mean from an information management and records management perspective. Under GDPR there are basically eight high-level rights that individuals have with regards to their data. Individuals have the right to be informed, and that really means that they have the right to know what data and information you have on them that is being stored or processed. Under GDPR, data subjects have the right to access, so they have the right to contact an organization that has their data and say, hey, please give me access, or a view, or copies of the data you have on me. They also have the right to rectification. This is really interesting, because if they see something in their data or their records that is not accurate, data subjects have the right to request that you change the data and make it accurate. So if they see an error, they have the right to request a change to their data. They also have the right to erasure, which is what we're going to be talking about today in a little detail, and which really is what we're calling the right to be forgotten; it's provision number 17 under GDPR. Again, this is really interesting: the right to ask for information about them to be deleted. They also have the right to restrict processing. A lot of organizations process data automatically; they just need data points, and decisions get made automatically through workflow solutions. Under GDPR an individual has the right to restrict that sort of auto-processing of data, which is interesting because sometimes auto-processing of data can issue results that are not favorable, so it's interesting that they have the right to investigate this kind of auto-processing of data. They also have the right to data portability, which is really the right to transfer their personal data to another organization if they move, or to any other third party. And they also have the right to object and withdraw consent. That's interesting because, as part of GDPR, individuals are generally consenting and signing consent agreements, but at any given time they can withdraw that for a certain period of time or withdraw it permanently. So under GDPR these are the rights of individuals, and as records people and information professionals it's just important that we have an understanding of these rights.

I thought I'd take those high-level rights that we just talked about and do a quick comparison to what the new California Consumer Privacy Act draft is saying in this domain. As many of you know, in June of 2018 California signed into law the new law regarding client and people privacy. The new law is scheduled to take effect in 2020, and the reason it's getting so much attention is that it really is one of the first state laws in the US to pass something very GDPR-like in terms of protecting client privacy. I just thought it would be an interesting comparison. There are a lot of states that have draft legislation to follow; I think I saw Vermont and Colorado, so it's going to be really interesting to see this space in terms of states publishing and enacting privacy legislation.

At a very high level there are a lot of similarities between the two, and there are a few things that are a little different, so at a very high level I just want to chat about a few. The right to be informed, the right to access your data and the right to port that data outside of your organization are covered in the California reg under the concept of the right to disclosure, which is that you have the right to request, collect and understand what organizations have on you. Interestingly, under the California reg they also have the concept of the right to erasure; they call it the right to deletion, and we'll talk a little bit more about that. They have the right to request the deletion of data as well. If you look at the bottom of this slide, they also have the right to opt out, which is very comparable to the EU reg's right to object or withdraw consent: consumers have the right to request that information not be sold, or restrictions on the sale of PII, personally identifiable information. So you can see how there are very much similarities. Interestingly, under the California reg they don't have the right to change data, or the right to correct data if it's not accurate, and they don't have that very specific right, if something is being manually or automatically processed, to change that, which I thought was interesting. But what they do have that the EU doesn't have, which I thought was really kind of interesting, is of course that California has a right for clients or customers to not be discriminated against if they do exercise any of these consumer rights. That was an interesting disclosure in the new California reg: if I am exercising the right to opt out, or to disclosure, or to delete, you do not discriminate against me, which is
interesting.

When I first heard about this right to erasure, as a records manager I was a little bit panicking, to be honest. I was like, who are the EU to come and say what can be deleted and what can't be deleted? That's a very natural first reaction when you hear about the right to be forgotten and the right to erasure, but I'm here to say that the right to erasure is not an absolute right, and it has several exemptions, three of which really affected me in the private sector. I've listed six here, but the three that really affected me in the private sector are the ones with the little stars next to them, and I will focus on them mostly. The right to erasure is Article 17, but these are the exemptions. So absolutely, a client or customer has the right to be forgotten, but not if there's a legal obligation to retain that personal data. What I mean there is that there is often competing legislation or regulation to retain data, and from my perspective this is often bank act regulations, anti-money laundering regulations, tax acts, these competing regulations that say, hey, you must retain data for X amount of years. These are the traditional recordkeeping regulations that we're most familiar with, and they pretty much form the basis of our retention schedules. So if your retention schedule says, hey, we have a legal obligation to retain this personal information, then you have the right to keep that data regardless of the right to erasure. There's also the concept of being allowed to keep data to carry out your contractual obligations. Personal data is often required to process or service or do the job that you do for your client, so if you're a financial organization you are often required to keep personally identifiable information so that you can offer those banking services or products: loans and mortgages and credit cards and investments, all those wonderful things that you engage with an organization to do. You have the right to keep that data in order to do your job and process and service your clients, so that's another obligation, and that's another exemption under GDPR from the right to be forgotten. The third item is to establish, exercise or defend a legal claim, and what this means is that you have the right to retain personally identifiable information on a subject or a consumer if there's something like a legal hold, some lawsuit or court order or class action, or you're protecting yourself against an investigation or third-party demand request, or if there's some case going on and you need that data to defend yourself or defend one of your clients. Then there's that exemption to retain that data. And again, more importantly, but more sort of in the private sector, you have the right to retain data for freedom of information and expression, which we could have a whole other lecture on, balancing freedom of information and privacy. If the data is in the interest of public health, you also have the right to retain that data, and also if the data is going to help generally with scientific or historical research or statistical purposes. So the right to erasure is a right of individuals, but there are also these important exemptions, which allow an organization to retain that data for these purposes. Quite bluntly, the need to retain your data really is for as long as you're servicing your client or your consumer, so it would be like the relationship. GDPR, for a records and information management professional, really just focuses you to think about data retention and destruction.

I also get really questioned in this space around the concept of deleting data when it should be deleted and not over-retaining data, and the concept of encrypting or anonymizing. Under GDPR, if you want to retain data, potentially for long-term trending or analysis or for any sort of research purposes, there is the concept of encrypting or anonymizing: irreversibly taking personally identifiable information and masking it in some way so that it is not viewable in any way and cannot be reversed. That is also a concept. I like to say that's like plan B. We really do want to delete data when it's up for destruction, but if you need an aggregation of data for long-term trending analysis, it is acceptable to anonymize all that personally identifiable and sensitive data and keep your data set for long-term trending and analysis, as long as all that personally identifiable information is anonymized, masked or encrypted in some way.

Again, I thought I would do a really interesting comparison between GDPR and California in terms of what they think of consumer rights in this space around deletion, and again it's very similar, which is very interesting, and then there are a couple of nuances. California shares exactly the same concept that consumers have the right to exercise free speech and ensure the right of other consumers to exercise his or her rights in terms of freedom of information, so there's a real one-to-one relationship there. California also says that they need to have exemptions if the data is required for some sort of legal obligation, so again a one-to-one relationship there. Again, California says that there's a need to retain data if the data is needed to transact and provide goods and services requested by the consumer. There's not that public health correlation; interestingly, California doesn't have that public health exemption. That could change, since California is still kind of in draft format, but it'll be interesting to track that public health item. And again, California has a one-to-one relationship in that if information is required for peer
review or scientific, historic or statistical purposes, it also can be retained. And it really has, again, a very one-to-one relationship about keeping data that is needed to detect security incidents, protect against fraudulent or illegal activity, sort of the legal defense construct, or prosecute those responsible for illegal activity. So again, it's really interesting to see how the EU is potentially influencing the California reg.

I'm going to stop there, because I'm going to switch gears a little bit and talk about some other evidentiary information management responsibilities that we need to think about as records and information managers. I do see two questions in the question area. One is from G: how will AI impact companies with GDPR? So, artificial intelligence. That's a great question, and I think it will greatly impact organizations. I know there are tools with artificial intelligence capabilities that have the capability to scan environments, whether they be structured environments or unstructured environments, and I'll just briefly talk a little bit about that. Structured environments are really those data warehouses and data lakes and those data environments, versus unstructured environments, which are things like SharePoint and share drives and files, both physical and, mostly, electronic records. So there are tools that can search those environments, and I'll name a few of them if you're interested, that I've looked at, that search those environments and have the capability, using AI and machine learning and just their own sophisticated tooling, to search these environments and pull up personally identifiable information, pull up stale data, however you define stale data. So absolutely there is tooling in this space which will help you identify data stores that have personally identifiable information and also help you identify stale data. They're called discovery tools: StealthAUDIT is one, Information Analyzer is another, StoredIQ, Active Navigation. So there are these tools in this space which absolutely help organizations identify their personally identifiable or sensitive data in their various storage environments, wherever they store it. What those tools do is discovery, so they'll tell you that, hey, you've got stale data or personally identifiable information, and, depending on how you install the tools, they will take you to the next step and say, hey, how do you want to action this data that we found in these environments? There are generally three ways to action the data they found: they can actually go in and delete the data; they can quarantine it, which means move it to a space where people can access it and then deal with it; or they can actually transfer it and move it to a content manager tool or SharePoint tool or some electronic records management tool where the data should be residing, instead of in non-controlled environments. These tools also have sophisticated reporting elements to them, so you can report on the types of information you're finding, and I find that to be the most powerful: when you do a scan of, say, SharePoint or share drives and you say, hey, look, in this environment I've found X number of pieces of personally identifiable information. When you have those metrics it really gives you credibility and good data to go to senior people within your organization and say, hey, we need to fund a project, or this is the scope of the issue that we have here. So yeah, there are lots of great tools that can help in this space, and a lot of them are driven by artificial intelligence and machine learning. So, great question.

We have a second question too, from Carl: would a potential Brexit retroactively remove the rights of British citizens to GDPR protection, and would this have significant economic effects for British organizations who utilize personal data? Wow, great question. I've had that question before, and it's really interesting, like, what's going to happen post-Brexit. What the industry is saying, generally with most EU regs, is that when Britain exits, in this space specifically, in privacy, they will not adopt anything lower than what GDPR has already prescribed. So they're not going to exit and then have no privacy reg; they're going to exit and have a very similar privacy reg. They'll probably keep the flavor, because I think that's what is known. But that is only high level, what the industry is saying. Your question is great; I've tracked just a little bit of it, of what blogs are saying, but the general sense is that they won't go backward. They might, when the time comes, implement something a little stronger, but the general feeling is that GDPR set a kind of gold standard and they won't come backwards. It's still very early in this space, and that's why it's a really interesting question, and it's something that we will need to monitor, especially if you're an organization that operates in the UK, and many North American organizations do. It's just going to be interesting to see how the whole exit strategy happens and what regs they will adopt generally from the EU and what they want, but we know that they won't generally, in this space, privacy, take a step backwards. I hope that answers the question.

Thank you, and that's all for the questions right now.

Great. And so again, at a very high level, with the GDPR reg, not only did we really need to worry about the data subject requests that we were going to get, and these right to erasure questions
we were going to get. The legislation, again, is a very comprehensive piece of legislation with like a hundred provisions, and I've really only focused on one, which is provision 17. But the other provisions of the reg, by way of implementing those provisions, were creating records and creating data. Some of the data was already being created by the organization and some of the data was new. So again, with new processes, we just need to understand that when a new regulation comes in, not only do we have to understand the regs and how they influence us as records managers; even when a reg is influencing another part of the organization, those other parts of the organization are creating records. I just wanted to quickly talk about three big areas where I saw differences in recordkeeping responsibilities. As information managers and records managers, we then need to understand that new records and new data were being created. Did we need to update our policies and procedures? Did we need to update our retention schedules because these new classes of data were coming in and being created as part of GDPR? And the answer to that is yes. Part of GDPR requires that we do privacy impact assessments on certain data sets and that we map inventories and workflows, so again these were new types of data that were being created, and we had to think about how we were going to manage these privacy impact assessments that we were creating. Another massive part of GDPR was consents: how we manage clients' data and their preferences on how they wanted their data to be managed and how they wanted to be contacted, and all of these data requests that were coming in. So again, we had to think about new and inventive ways to manage tracking what client consented to what, and their preferences, and then managing all those requests for subject rights as well. And we can't forget that our vendors, the vendors that work on behalf of our organizations, the suppliers who manage data on our behalf, are also subject to the rights under GDPR; they're called processors. So we had to make sure that we're performing risk assessments on our suppliers, and then, if we're making adjustments to contracts because of GDPR, that we're managing the contracts right, and we're managing these risk assessments and managing our vendors in that space as well. And thankfully, hopefully this never happens, but if an incident did happen, under GDPR you have a legal obligation to notify your clients and report on incidents and assess the incidents. Thankfully this hasn't happened, but if it did, again, there are whole recordkeeping requirements around tracking the incidents, tracking breaches, who the breach happened to, and how you managed and worked through the incidents. So it's just really interesting, from sort of an evidentiary perspective as information managers, that when a new regulation comes along, sometimes it creates new recordkeeping responsibilities for you. That's all I wanted to communicate on this slide.

So obviously, and this is a plug for the program and for all those interested in information governance and records and information management, none of this compliance for GDPR would have been possible without an organization having an overarching information governance, information management program. GDPR really has just elevated the level of care and accountability, especially in the area of retention and disposition of data, and none of this could be accomplished without an overarching data retention, information governance program. You'll see the slide here: data and records. In most organizations there are petabytes of data that can be, as I mentioned, with third-party suppliers; it could be on shared drives and personal drives; and as much as we like to think that we are a very modern electronic organization, data still exists in physical boxes in storage with storage vendors. There's data on social media and on our websites; there's lots of data in our applications and the data lakes and the data warehouse and SharePoint sites and everything. So it really is a risk around data retention and destruction, from a GDPR perspective, if you're not effectively managing the data. And as much as I will always plug the ARMA Generally Accepted Recordkeeping Principles, the ones I like to focus on the most (I know there are eight) are the ones around retention: making sure that we as an organization maintain records for the right time period, and being mindful of deleting data when it's no longer required; the concept of accountability, that all employees should be accountable and have data retention and destruction requirements first in mind; and compliance, that's another big one, that our organizations and partners shall comply with these recordkeeping laws and responsibilities. I know that's a big landscape and a big ask, but at a very high level, GDPR is an important regulation, and it makes compliance much easier if you have an overarching information governance program. What I mean by that is just having that legal structure at the very top of the little slide we see here, and having policies and procedures around data retention and destruction, and being able to educate and train and provide advisory services, and data literacy and education and training, and publicizing the importance of GDPR within your organization. And everything is based on a risk management perspective, in that sometimes you will have to make risk-based decisions: do you put blanket retentions on certain data, knowing that some data will be retained longer than required? So there's a whole element of risk management when you're looking at an overarching program. And you will never do any of this alone, so as part of an overarching information governance program of course you will have committees, as I was part of, and stakeholders, so that concept of not doing this alone is very important. And then communicating and reporting and doing metrics and dashboarding. I saw probably the best forward movement of the information governance program by just reporting on some numbers that were maybe not positive, and then getting the appropriate funding and resources because the numbers were not positive. So having those metrics, and not just speaking anecdotally, is really important, having that trending and analysis, and then also using those metrics to report on your success is also important. And if I made information governance, and having an information governance program to help with GDPR, sound easy, it's not. It requires change management and also issue management. There are many times where you're going to come across systems that aren't doing the right thing, and you're going to say, hey, I've identified this issue. What is important is that you track the issue, you identify the issue, you document the issue, and then you issue-manage it, and then you say, hey, you've got this amount of months to get into compliance. You have to document that and have a whole issue management program associated with your IG program, because not everyone is going to be able to be in compliance naturally on day one. And then you heard me speak about, overarching all of this information governance program, a whole host of technology tools that you can use. You heard me talk about the scanning tools; there are electronic records management tools, there are email vaulting tools, there are e-discovery tools, there are many tools that can help in this space. So technology, while it's very important, doesn't drive your IG program, but it supports it more holistically. And you've heard me say previously that you're not going to be able to do this alone; you're going to need your colleagues from maybe your privacy team, those teams that manage third parties, your privacy, your cyber security and information security teams. So again, this overarching program is what is generally required in order to deal with new regulations like GDPR that come around, and I think it's important to know that if you have an established IG program, you're not reacting to a reg when it comes and scrambling; having an IG program makes you more proactive. When a new reg comes along, and they will, it's trending that way, having this overarching program will just help you be more proactive as opposed to reactive.

I'm drawing closer to the end of my presentation, and I know we have a couple, maybe 10, minutes for questions, but we've seen privacy in the media. The biggest one I've seen quite recently is the Equifax breach, where a number of clients' data was released. From 2017, I think it was 143 million clients' data that was released. The need for GDPR is real, and what is interesting about the Equifax fines that came down as a result of that breach, and I've never quite seen this, is that while information security was number one on the list, number two on the list was the data retention requirements, and that's why this is also important. Equifax had an established data retention policy, but the fact that it did not comply with their data retention
policy and had and had over retained data and it was that over retention of data that got breached was number two on the list so I just wanted to call that out as is just in terms of trending and in what we're seeing that these fines can happen and breaches do happen and so that's why you know being aware the regulations and then being aware of information you know how to kind of be proactive in managing your data with an information governance program is very important so with that I'll see if there's any further questions I don't see any yet does anyone have any questions if you'd like to just unmute your mic you could ask or put it in the chat area no I don't see any so I just want to thank you very much Lisa for a very informative presentation really interesting no my pleasure happy to here's my contact information happy to address any follow-up questions and I recently wrote a short blog post on the iSchool site if you want to see it there there's the link to the blog so thanks everyone thank you