Gavin Siggers, director of professional services, Iron Mountain
Gavin Siggers, director of professional services, Iron Mountain

By 2018 we can expect to see private supersonic jets, the first 3D printed car on the road, the UK may or may not find itself out of EU borders and the flow of data into organisations will have increased by as much as five-fold, according to IDC.

The deadline for meeting new regulations around the treatment of personally identifiable information (PII) is another significant development we can expect to see in 2018. A combination of this and expected volumes in data growth may cause major implications for businesses, which process personal data.

In July of this year, the European Parliament passed the final vote on its new General Data Protection Regulation (GDPR), which, in an increasingly digital world, is designed to protect the personal information of EU citizens. Despite the new laws not being enforced for another two years, this is a relatively short period of time for organisations to prepare themselves, especially considering that businesses will need to assess the new requirements, evaluate existing measures and plan a path to full compliance.

To help businesses understand the effect of the GDPR on their information management processes and where it fits within the wider regulatory landscape, here are six key steps to get your records GDPR-ready.

Understanding GDPR

The GDPR is by far the largest shake-up of data protection rules so far this century. It includes more than 50 Articles that have far-reaching implications for organisations and their use and storage of personal data. In essence, the legislation protects the right of a European citizen to determine whether, when, how and to whom his or her personal information is revealed and how it can be used.

The Information Commissioner's Office recommends that businesses need to start planning their approach to GDPR compliance as early possible. The problem remains that many businesses across Europe are still unaware of how the changes will affect them and the impact they have.

There are a number of important steps you can take immediately to help your organisation identify where PII resides and understand your obligations towards its management. With the prospect of multi-million Euro fines for non-compliance, can you afford to wait?

Step 1 – How is personal data defined and do I hold it?

The first step in deciding which parts of the new legislation will apply to your organisation is understanding what is meant by personal data. The definition of ‘personal data' in the context of the new regulation is data relating to a ‘data subject' (a person) who can be directly or indirectly identified on the basis of that data. Such data also includes device identifiers, cookies or IP addresses. This means that, under the GDPR, data controllers within organisations should be aware of all personal data under their control and able to demonstrate that they understand the potential risks to information, as well as how to diminish those risks.

Step 2 – Will I be affected by GDPR?

Next, it is important to have an understanding of the key terminology included in the GDPR in order to know whether it is relevant to your organisation. As well as ‘personal data', key terms to understand include ‘territorial scope', ‘data subject access requests', ‘data protection impact assessment (DPIA)', ‘the right to erasure', ‘data portability' and ‘consent'. For further information on these, go to our knowledge centre, or find the glossary of terms on

Step 3 –Where is data kept within my organisation?

To meet your statutory obligations, you first need to know where your personal data is stored. Ensure that the following areas are analysed to gauge the full extent of your data storage: corporate systems, employees' personal devices, offsite archives and filing cabinets, as well as information stored by suppliers, subcontractors and business partners.

Step 4 – What's after business analysis?

We recommend creating a data map, which provides a 360-degree view of all physical and digital information, including personal data, stored across an organisation. The data map is an important tool to ensure that you can quickly locate, assess and monitor all information on an ongoing basis.

Step 5 – The review and updating processes

Once you know where your information is located, you will need to know what you can do with it and for how long it can be retained. This will require you to make sure that your retention policies are up to date, reflecting legal, regulatory or contractual obligations so that you are only keeping what is permitted and that you are destroying personal data (and all other records) when required to in a defensible way.

Step 6 –Awareness and responsiveness

Finally, it is important to make sure that the business as a whole is aware of its obligations. Information passes through the hands of employees, contractors and suppliers, therefore, all parties must understand and comply with the same retention policies. Just as regulations change and impose new obligations on organisations over time, your retention policies should remain dynamic, responsive and adaptable to evolving business and regulatory landscapes.

Across Europe, organisations have long been aware of the need to ensure that personal data that is stored meets the latest regulatory requirements. However, the introduction of the GDPR as well as associated penalties for non-compliance highlights the critical importance of employing data retention correctly. It's now vital to get data retention right, especially when businesses are at risk of fines of up to four percent of annual world group turnover or €20 million (£16.7 million).

Following these six steps means organisations have left the starting blocks when it comes to keeping regulators at bay. However, those who fail to act now will be left rushing to catch up at a time when blunders may be punishable by law and could cost your organisation dearly.

Contributed by Gavin Siggers, director of professional services, Iron Mountain