Industry interview with iManage: Save the data
This article was originally featured as an industry interview in the September issue of Briefing. To read the issue in full, download Briefing.
It is now mere months until the European Union’s General Data Protection Regulation (GDPR) takes effect – so the big question is whether any businesses that haven’t taken steps to limit exposure to a new world of hefty fines for noncompliance have really left it a little too late.
Rob Florendine, solutions manager at iManage, says the funding for any suitable technology projects should certainly have been allocated by now. But it’s also a little more complicated than that, as so much of the work to do involves tackling human processes.
Not least among these is weighing up the threat itself. “The truth is a business’s response will depend on its perception of GDPR risk. Does it prepare in advance, or does it adopt a more wait-and-see attitude?” he says.
The latter is a strong possibility. But Neil Araujo, CEO at iManage, adds: “The consequences of non-compliance are very tangible this time, and so the issues are getting the attention of broader business leadership – finance and strategy, as well as the IT crowd.
“The overall objective is improved data hygiene – having a clear picture of which information is where, and whether and when that needs to change in future.”
Florendine highlights at least one very human part of the process that could still be set in motion in time for May next year – carefully interviewing business leaders to understand how data flows through their department from their perspective. “Personally identifiable information can start with the collection of a business card. That makes its way into a marketing list and then an engagement with someone’s personal data. If you realise at any point that a lot of data is flowing into one of your systems – and it has been doing that for decades, but the types of information aren’t clear – it’s definitely time to consider remedial actions.”
And although some parts of that data’s processing will still involve people, technology can harness automation for others, providing more management peace of mind and surfacing specific problems, such as data breaches, sooner.
In the case of the latter, one of the GDPR’s potential requirements is to notify authorities (and potentially your client) of a breach within 72 hours of becoming aware.
Araujo explains: “So, a lot of the focus is rightly about bringing more efficient automation to compliance processes – for example automatically identifying documents that contain [personal data] and having the analytics to know immediately wherever such documents are not secured.”
And this is where iManage solutions can fit in – whether it’s the Govern suite for security policy management, Threat Manager for tracking patterns of behaviour and flagging – or even pre-empting – a breach, or Records Manager for formulating retention policies in line with GDPR.
Using RAVN, moreover (which iManage acquired in May 2017), firms can also harness artificial intelligence algorithms to uncover information about their information even faster. A case in point, says Florendine, is contract analytics.
“If a firm’s dealing with thousands of supplier agreements, under GDPR it may need to quickly find the data protection provisions within all those agreements and make a judgement about whether they’re compliant. A tool to expedite that process could be rather important.”
Another example is a “data auditing tool” to scan multiple business systems – HR, CRM, and so on – for the locations of different categories of personal information. “Article 25 of the GDPR says that businesses need to adopt ‘privacy by design’ – which means putting privacy at the heart of the operation,” says Florendine.
“A tool for constantly managing the flow of personal data into particular systems and repositories, automatically flagging old and redundant content and quickly remediating unsecured sensitive data suddenly becomes very important.
“In particular, it primes that content for the GDPR’s data subject access requests, where people can ask for personal data related to them to be immediately corrected, removed completely or imported to a different provider. A tool to run a search on a person’s name for a report or redaction from certain documents could be a huge win in terms of both efficiency and compliance. With the exponential growth in enterprise data, the logistical challenges in running such an exercise manually verge on impossible.”
And artificial intelligence brings something else to the table – the ability to ‘learn’ about the forms of data found in different forms of document.
Florendine explains: “Feed in 50 passport scans and a machine can use that sample to find thousands and thousands of other examples in a firm’s management systems.”
But perhaps best of all, he says, AI can prevent us humans from going off the compliance rails.
“The Panama papers and cyberattack scenarios make the headlines, but about 85% of data breaches stem from an incident as mundane as an email being sent to the wrong person.
“A more content-aware system can learn more about what people are doing, and prompt a final check that the contact is the correct one.”
Indeed, adds Araujo, the next version of iManage Work, due by the end of 2017, will do something very similar.
“With RAVN as the engine, the DMS will be able to check for [personal data] in documents and trigger an alert before the lawyer presses ‘send’.”
Now that’s an example of machine and human working in reassuring harmony. The time left until GDPR day may be ticking ominously, but for the firm that’s invested it could prove AI’s finest hour.