The lack of understanding and misconceptions of the scale and full impact of GDPR is hampering efforts to comply.

There is only one year left until full compliance with GDPR – the new EU General Data Protection Regulation 2016/679 – is required, and preparation among businesses to ensure compliance is starting to take shape. But many issues and challenges remain.

Some businesses are incorrectly cancelling their preparations due to a misunderstanding about the effects of Brexit, according to one report. Many businesses are even unsure about what the ‘data’ in data protection refers to, and mistakenly assume that data is limited to content within a database, rather than personal information that can be contained within documents, spreadsheets, recorded phone calls, and many other places.

So far, cyber security concerns have dominated expert discussions, but businesses cannot ignore issues that surround the right to erasure, data portability and governance. GDPR goes beyond the mere protection of data from security risks; it focuses, equally heavily, on the appropriate use of it within the organisations.

Robust governance

GDPR compliance is fundamentally an information governance Issue. Businesses must first understand the content they have and apply a coherent and consistent approach for protecting and managing it. While on paper it is easy to implement an information governance strategy to get a handle on content, it is not a task that can be achieved with a policy document and a couple of spreadsheets.

Not all content is created equal and no one policy will cover all information. Where the content is and how it is used is revolutionising the way companies create, share and secure files as they face the challenges of flexible mobile working styles, new mobile and connected devices, lenient BYOD policies, and the surge of cloud and mobile productivity apps. Companies must be forward looking and aim to design a mechanism to sustain GDPR compliance organically, across the whole organisation.

Identifying and classifying content

Much of the confusion can be alleviated by companies first taking the initial steps to identify the information stores that hold personal sensitive information and implementing systems to capture, tag and secure personal data. Once the data is identified, it should only then be handled by the correct people according to GDPR regulations.

Again, this is not a simple task and requires a thorough, intelligent and strategic approach. With regards to data portability, there are certain barriers that exist for companies, which can be as simple as knowing for certain which data the right to portability applies to, and having the right tools in place to assemble a coherent set, in an agreed format to deliver to a customer or a third-party.

As GDPR does not advise an exact or universal format for transferring personal data, businesses should choose software that can encrypt content to add a layer of protection.

Forgiving and forgetting

The complete erasure of personal data or ‘right to be forgotten’ can be a particularly troublesome area when it comes to being compliant with GDPR regulations. Businesses must be certain that all customer data has been thoroughly removed from all content that they hold without any undue delay. In addition, a business must be able to prove, beyond reasonable doubt, that the data has been removed.

The situation is further complicated when a business is unsure what content they have and where it is stored. While most businesses have considerable control over the dissemination and duplication of customer and employee data stored in relations databases, the same is simply not true when it comes to information stored in files, documents and other mediums.

Distributed content stores and mobile working are the biggest culprits for content dissemination, making it difficult to know, let alone prove, if customer data has truly been erased. There also has to be a consistent process for managing customer requests that are defensible and auditable. Any tools utilised to capture evidence of the data removal must also be similarly robust.

Shadow IT

Even with the correct procedures in place, shadow IT can pose a risk to ensuring compliance. Shadow IT is the ever increasing and freely spreading phenomenon that continues to haunt data security.

When IT departments are not able to cater to all the employees’ needs when they request it, employees turn to their own methods to complete their tasks. This results in an organisation’s data becoming scattered. And without policies or tracking by IT departments, these rogue files become mines.

The use of shadow IT has run unrestrained, especially when it comes to collaboration, within and outside of organisations. In fact, 70% of global businesses employees use their own individual collaboration platforms. This figure is expected to grow as the use of mobile devices in enterprises grows and year-over-year spending at many companies remains flat.

In order to preserve workflow and encourage seamless collaboration, there should be a unified GDPR register of information, but this becomes a challenge without the existence of centralised management or visibility given the splintered content stored on various unauthorised devices, shared drives, collaboration sites and laptop hard disks.

Whilst concerns about data security are valid, the key to achieving compliance with GDPR in all regards is providing a method for identifying and controlling access to GDPR-sensitive information, with full auditability and process automation supporting most business functions that handle personal data.

A platform to support GDPR compliance should be specifically designed to integrate with core business systems, and be scalable and agile to accelerate information flow across the business. This can be achieved with an open, modular system that is designed around information governance, is easy to build on, integrate and extend for fast time to value and true digital transformation.

Once a business correctly identifies all of the content they possess, (removing files that are obsolete to prevent unnecessary data hoarding), they can apply processes and governance through such a platform, that also ensures compliance with regulations, without disrupting seamless and effective workflow.


Interesting article from Ben Rossi of Information Age regarding what the consequences may be if you don’t comply to GDPR by May 25th 2018. There are severe punishments in place for lack of compliance which can be easily avoided. One way to avoid such punishments is Flowz. For more information, contact us at