P2P

Spring2021

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1356436


Compliance with the GDPR, and similar data privacy laws, should be a component addressed by an IG plan. If an organization "processes" data as defined by the GDPR, then additional governance obligations should be included in the IG plan. When considering the required elements to demonstrate compliance with the data governance obligations imposed by the GDPR, six key principles should be addressed: Legal Process; Limited Purpose; Minimization; Accuracy; Storage Capacity; and Integrity.

The "Legal Process" element calls for establishing a fair and transparent process so that informed user consent is achievable. The "Limited Purpose" principle enables an organization to demonstrate that any forms of PII are collected for a specific reason and that the user has consented to the organizational use of the data for the specified purpose.

The "Minimization" principle should be enforced by the organization, ensuring that it enforces records retention schedules and the disposition of information that there is no legal obligation to hold. The "Minimization" principle sets forth the following obligation: an organization must ensure the personal data being processed is adequate (sufficient to properly fulfill the stated purpose); relevant (has a rational link to the stated purpose); and limited (only what is necessary, and not holding more than needed for the stated purpose). Additional obligations exist imposing data privacy requirements which are focused on data standards, data accuracy and storage limitations. Data privacy obligations impose additional challenges which should be addressed through IG plans and reliance on technology.

When assessing the fourth principle for GDPR compliance, "Accuracy", it is essential for organizations to have the ability to gauge the effectiveness of the classification of the data in their possession and control. If the end user has the ability to manually classify information by "type", there should be some access to the data's contents to determine whether the user designations are accurate. If users are able to delete data, there should be an audit log that tracks the user's actions. Security of the data is an additional factor in ensuring that data remains accurate, by limiting unauthorized access to information and restricting the ability to alter information to only approved users.

The fifth GDPR compliance principle, "Storage Capacity", imposes responsibility on an organization to delete user data that is no longer in use. If an organization wishes to maintain user data for a longer period of time, it should take steps to "anonymize" the data by using pseudonyms and other means of obscuring the true identity of the user. Removing "ROT" (Redundant – Obsolete – Trivial) data will enable organizations to reduce both costs and risks. Security of data is paramount; whether at rest or in transit, encryption should be used to safeguard information.

The sixth and final principle to consider for GDPR compliance is "Integrity", which should be seen as a requirement to protect user information processed for a specific purpose by an organization. Protecting the security and confidentiality of certain forms of PII is an essential element of IG programs, as well as of GDPR compliance...

Managing Data Controlled by the Organization – Internal Data vs. Third-Party Data

Organizations inevitably possess information created by third parties. Handling data that originated from a third party triggers information management obligations incumbent upon the organization in possession and control of such data. Depending on the nature of the business relationship between the entities, there may be additional confidentiality concerns connected with third-party information. Certain types of confidentiality or legal privilege may extend to communications, thus raising additional concerns for IG plans.

Relationships between law firms and their corporate clients exemplify the importance of IG programs, since certain communications are likely to be subject to attorney-client privilege protections. In addition, law firms frequently possess source data which belongs to their corporate clients. Corporate organizations should be aware of what data they have shared with their outside counsel law firms, and should require those firms to purge corporate information which is eligible for disposition under the organization's retention plan and is not subject to a legal hold. Law firms should identify data in their possession which belongs to clients, or former clients, and seek guidance as to what actions that client would like taken regarding their data. The emergence of cloud-based data centers, and outsourced I.T. services, should also be considerations addressed by an IG plan. Does the organization waive rights to access to their data pursuant to the terms of an existing contract with
