In the past few decades, significant leaps have been made when it comes to the digital evolution of the business world. Some of this revolution’s products are collaboration tools. These very effective cloud services are now used to bring closer all the experts within a team, allowing them to collaborate, no matter the boundaries of geographical borders. People all over the world are now capable of sharing files, making elaborate plans, or engaging in video conferences within a matter of seconds.
However, sharing data through the cloud creates a brand new field of worry. We need to think about the security, privacy, and compliance strategies, and how to protect both business and its clients.
No need to mention that the rise in cyber crime and waves of ransomware attacks are getting stronger and more numerous by the day. So much that one of the biggest concerns today can be phrased as:
How do we keep the personal data of our customers, partners, and employees safe?
As a matter of fact, this concern led to the creation of brand new regulations and policies in the business world. This new set of regulations hold companies accountable for the handling of personally identifiable information (PII).
But, first thing first.
What is PII, anyway?
The abbreviation stands for Personally Identifiable Information. It includes any possible data that can be (mis)used to identify a specific individual. Some of it is confidential information like a national identification or social security number, name, birthday, address, IP address, social media posts, and current location… Pretty scary, right?
Having in mind that technology is just warming up and that the Internet of Things (IoT) increases the volume and types of data that can be captured, the definition of PII is expected to expand.
So, what can we do?
In the European Union, the General Data Protection Regulation (GDPR) has been created and it demands that companies know whose PII they have and, what is even more important – where it is stored. Another thing the GDPR demands is that the data can be deleted at any moment if required.
Also, GDPR appeals to all companies to implement systems and practices to protect personal data and to have an ability to prove compliance with documentation. It’s not bad to mention that fines are more than significant: €20 million or 4% of global annual revenue. Of course, whichever is higher.
This way the GDPR protects EU citizens from inappropriate use of their personal data by any organization that might be in their possession.
The Basis of GDPR
One perspective which GDPR drew attention to is the way we should view ownership of personal information.
An individual’s control over his or her personal information is a fundamental right.
No matter if the data is stored in a CRM, Content Management Solution, SharePoint, Home Directory, or Content Collaboration Platform.
To be able to control the data, the GDPR classifies businesses into two roles: controllers and processors. A controller is the one that determines the purpose and means of the processing of personal data, and a processor performs the processing on behalf of the controller.
So, in order to comply with GDPR (especially when using any collaboration tools, and not to mention if the company has more than a few of those in their hands), any company and any business individual should follow the next recommendations and bits of advice.
- Centralize your content and information
Processors of PII (the ones that generate, share, and store it) should be able to know precisely where and what type of PII they have in their possession. Furthermore, processors must know also who can access it and who is actually accessing it at any given moment.
Much greater control and visibility over PII can be achieved if locating data is done within a centralized structure. What can significantly consolidate the unstructured data (whether data is stored on-premises, in a private or a public cloud) is the use of a Critical Control Point– as moving files into a CCP provides the opportunity to analyze, audit, and track data to ensure its compliance with the GDPR and other regulations. Centralizing content on a modern cloud-based infrastructure provides data transparency and also streamlines administration, minimizing thus a probability of human errors. However, as errors simply can’t be avoided, organizations should select a CCP that allows them to expose, minimize, and recover from risks as quickly as possible.
- Create a Company Policy
Every organization should create policy documents that can cover every single detail of what users (of the collaboration tools) can and can’t do with their collaboration stack. Don’t be fooled, policies are critical for a successful and compliant collaboration strategy. Start with defining these 3 crucial points:
- Which documents can be shared externally and internally
- Who can be invited to group meetings and conferences
- Which access requirements will be implemented like two-factor authentication
Also, it would be a good idea to implement security and privacy training sessions for members of your team.
- Choose Tools with the Right Security Features
The collaboration tools are many, and so are their security and privacy solutions built into the system. So, make sure you browse through every single feature available, including the certifications proving that they’re compliant with standards like ISO 27001 or PCI-DSS.
Another thing you must have in mind when choosing a collaboration tool for your business is that the service you choose has plenty of admin features to help provide your IT team with complete control over who gets access to what data: there may be options like single sign-on, two-factor authentication, and more… What you choose will directly affect IT teams, who will have more or less control over the way their users access these services.
- Manage Data Carefully
When it comes to choosing the right collaboration tool(s), you should be led by one thought first: collaboration tool must support the proper management of data. Precedence should have those all ready to support compliance with GDPR, of course, and those that also give end-users the tools they need to remove data from their systems where necessary – crucial for the new “right to be forgotten” regulation (When an EU resident exercises the right to be forgotten, a company must find and delete the resident’s PII).
Also, it’s good to know that organizations may reduce their risk of non-compliance by creating granular group-based policies based on contextual relevance – based on users, departments, or regions. And by setting retention policies, organizations can retain deleted files over a specified period or forever.
- Remember the Basics
It is of the utmost importance to never lose from sight that your team also has a part to play in keeping your business secure and compliant. Create strong password standards and adherence to privacy policies.
The Hidden Challenges of GDPR
Most organizations will fail to meet GDPR requirements mostly through so-called shadow IT (the software that employees install or sign up for, without having formal IT departments perform a security review), shadow data (personal content saved by employees in the corporate content collaboration solution), and confusion over types of the collected data and a delegation of the management responsibility.
So, it all starts and ends with people. Sure, you need to be careful when choosing your organization’s collaborative tools. However, don’t forget to be just as careful (if not more) when educating your team members. The great part of data security lies in their hands.