Iron Mountain® Policy Center Solution Enterprise Edition
•Download as PPTX, PDF•
1 like•139 views
Policy Center Enterprise Edition combines subscription access to Policy Center, a cloud-based retention and privacy policy management platform, with expert Advisory Services to help you comply with existing and new regulations, such as the General Data Protection Regulation (GDPR). It helps you manage privacy and retention together, so you can know your retention and privacy obligations, and show compliance.
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Iron Mountain® Policy Center Solution Enterprise Edition
Similar to Iron Mountain® Policy Center Solution Enterprise Edition (20)
Recently uploaded
Recently uploaded (20)
Iron Mountain® Policy Center Solution Enterprise Edition
- 1. Know Your Retention and Privacy Obligations. Show Compliance. ENTERPRISE EDITION IRON MOUNTAIN POLICY CENTER SOLUTION ® ©2018 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks and registered trademarks are the property of their respective owners.
- 2. • EU-wide data privacy legislation requiring compliance by all organizations who do business with EU data subjects • Protects the right of an EU data subject to determine whether, when, how and to whom his personal data is revealed and how it can be used • Severe fines for failure to comply; up to 4% annual world turnover or €20 million, whichever is greater • If GDPR compliance doesn't start with information governance, you'll probably fail – Forbes* • You must know and show: • What personal information you have, where it lives & who owns it • How to treat it & how long to keep it WHAT IT IS WHAT IT DOES WHAT IT MEANS WHAT IS THE EUROPEAN UNION (EU) GENERAL DATA PROTECTION REGULATION (GDPR)? *https://www.forbes.com/sites/forbestechcouncil/2017/12/06/if-gdpr-compliance-doesnt-start-with-information-governance-youll-probably- fail/#21f637812e1e
- 3. 64% of organizations say the biggest barrier to GDPR compliance is the need to make comprehensive changes in business practices. McDermott Will & Emery LLP and Ponemon Institute LLC, “The Race to GDPR: A Study of Companies in the United States & Europe” 2018.
- 4. COMMON CHALLENGES • Keeping your retention and privacy policies current to comply with changing laws globally • Incurring unnecessary cost and risk by keeping information longer than required • Limited or no ability to communicate policy changes to content owners and infrastructure • Proving to regulators that your organization is compliant
- 5. WHAT IF YOU COULD… • Receive expert guidance and tools to comply with the GDPR and other regulations that govern you? • Receive continuously updated retention and privacy requirements so you can keep your policy management connected and dispose of information when it’s no longer required? • Provide online visibility into the latest version of your retention schedule, privacy policies and critical information about your business processes that contain personal data?
- 6. THE ADVANTAGE OF MANAGING PRIVACY AND RETENTION TOGETHER Increasing privacy concerns and regulations like the GDPR are elevating the need for privacy and retention to be managed together so you can: ✔ Have a unified view of your personal data and related obligations ✔ Dispose of private information as soon as possible ✔ Reduce unnecessary exposure to data breaches
- 7. Combines subscription access to a cloud-based retention and privacy policy management platform with expert Advisory Services to help you comply with existing and new regulations, such as the General Data Protection Regulation (GDPR). WHAT YOU GAIN: • Expert Advisory Services team support • Continuously updated online portal with retention and privacy legal citations • Simple explanation of requirements to support your retention and privacy decisions • Filters to view record classes and types affected by privacy law • Tools to document critical information about your business processes that contain personal data (GDPR Article 30) • Ability to distribute policy to content infrastructure and key stakeholders POLICY CENTER ENTERPRISE EDITION
- 8. RETENTION AND PRIVACY CITATIONS COLLECTED BY INTERNATIONAL NETWORK OF LAW FIRMS CONTRIBUTE INTERNATIONAL NETWORK OF HIGH QUALITY LAW FIRMS CONTRIBUTE LEGAL CITATIONS FOR GLOBAL RESEARCH CURATE LEGAL STAFF CURATES LEGAL CONTENT AND PUBLISHES TO GLOBAL RESEARCH DATABASE PUBLISH YOU REVIEW LEGAL CONTENT, AUTHOR AND PUBLISH RETENTION RULES AND PRIVACY OBLIGATIONS VIA THE ONLINE PORTAL • Draft content • Submit to Iron Mountain • Monitor changes • Embellish content • Approve and publish • Manage subscriptions • Manage sources • Publish retention rules and privacy obligations
- 9. SHOW CONNECTIONS VISUALLY THROUGH DATA FLOW MAPS CREATE A UNIFIED VIEW OF YOUR PERSONAL DATA AND RELATED OBLIGATIONS CONNECT CRITICAL INFORMATION ABOUT YOUR PERSONAL DATA
- 10. *Above are a summarized sampling of what data controllers and processors must do according to the full GDPR text. The full text can be found on the European Commission website: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf Keep a record of processing activities that involve personal data Document a lawful basis for processing data Only store data for as long as is necessary Notify authorities and data subjects about data breaches without undue delay Erase data under the 'right to be forgotten’ Provide data subjects access to their data and processing details THE GDPR SAYS YOU MUST*: WITH POLICY CENTER YOU’LL HAVE: YOU’LL BE ABLE TO: Retention & Privacy Legal Citations Business Process Library & Data Flow Maps ✔ Show your record of processing activities on demand in a visual map ✔ Show connection of processing activities to retention and privacy requirements ✔ Know when personal data has met retention requirements so you can dispose of it ✔ Know if records containing personal data are in a data source that was breached ✔ Know where to locate personal data to comply with erasure requests ✔ Know when you can refuse erasure requests if retention requirements have not been met HOW POLICY CENTER CAN HELP YOU COMPLY WITH THE GDPR
- 11. • Keep your retention and privacy policy management connected, current and compliant • Save on information storage costs • Reduce unnecessary exposure to data breaches • Reduce effort of responding to privacy requests • Quickly locate personal information • Reduce risk of fines • Distribute policy to people and data repositories • Join a collaborative user community WITH POLICY CENTER YOU’LL BE ABLE TO:
- 12. Join the Policy Center User Community to: Share ideas and best practices around Policy Center and other information governance topics Learn about Policy Center, trends in the industry, and how other companies are responding Advise on Policy Center feature development Build a strong community of passionate users and help us continue to build a solution that helps you JOIN THE POLICY CENTER USER COMMUNITY Collaborative community of information professionals, centered around the solution that helps you know your obligations and show compliance. SHARE LEARN ADVISE BUILD POLICY CENTER USER COMMUNITY
- 14. PRE-BUILT POLICY CENTER SOLUTION SUITE ESSENTIAL EDITION STANDARD EDITION • Pre-built, best practice retention schedule for information created in general business departments • Retention requirements updated annually • Covers a single country (US, UK or Canada) • Read-only retention schedule • Available only to select small business customers as part of the Governance, Risk & Compliance service Includes Essential Edition features plus: • Ability to personalize record classes and modify retention rules • Option to add one industry-specific retention schedule *Click here for the latest list of pre-packaged industry standard retention schedules available.
- 15. CUSTOMIZED WITH ADVISORY SERVICES POLICY CENTER SOLUTION SUITE PROFESSIONAL EDITION ENTERPRISE EDITION • Work with our expert Advisory Services team to customize your retention schedule • Retention requirements continuously updated • Covers multiple industries • Option to connect policy to your content infrastructure through an open application programming interface (API) • Coverage for up to 10 countries • Up to 5 admins with editing capabilities Includes Professional Edition features plus: • Work with Advisory Services on your privacy policy • Privacy requirements continuously updated • Data flow mapping tool to record processing activities (GDPR Article 30) • Complete global coverage • Up to 8 admins with editing capabilities
- 16. POLICY CENTER COMPETITIVE COMPARISON
- 17. 17 POLICY CENTER DIFFERENTIATION Working with Iron Mountain, customers benefit from our: INTEGRATED RETENTION AND PRIVACY POLICY MANAGEMENT Most providers either specialize in retention or privacy, but not both. Policy Center is a retention and privacy policy management platform that provides a unified view to keep your retention and privacy policy management connected, current and compliant. DEEP INFORMATION GOVERNANCE EXPERTISE Our Advisory Services team is one of the industry’s largest IG consultancies with expert professionals dedicated to the intricacies of retention, privacy, compliance and risk management for 20+ years. HIGH QUALITY, SPECIALIZED LEGAL RESEARCH Iron Mountain maintains relationships with an international network of law firms and legal research providers that are dedicated to the intricacies of retention and privacy legal research, rather than general legal research that you would find at most law firms.
- 18. 18 POLICY CENTER DIFFERENTIATION Working with Iron Mountain, customers benefit from our: FLEXIBLE, NEEDS-BASED PLATFORM Policy Center is a scalable platform available as a subscription service, ranging from pre-built to more advanced customized editions. Our Advisory Services team can work with you to customize and optimize your privacy policy and records classification scheme based on best practices, the level of granularity you need, and your risk appetite. COMPREHENSIVE INFORMATION MANAGEMENT PORTFOLIO Our breadth of services enable customers to deal with fewer vendors. Our broad multinational footprint and financial strength enable us to be where our customers need the solutions and services. INVESTMENT IN SECURITY AND INFRASTRUCTURE With dedicated security professionals focused on ensuring the security of your information, Iron Mountain is regularly named by Security Magazine in the Security 500 Survey, an annual ranking of the nation’s most secure companies.
Editor's Notes
- In the news we’re hearing about privacy concerns and high profile data breaches almost every day. We’re starting to see the law address some of these concerns in the context of our increasingly digital world. WHAT THE GENDERAL DATA PROTECTION REGULATION (GDPR) IS The latest and most stringent data protection law addressing growing concerns over how personal data is used is the European Union (EU) General Data Protection Regulation (GDPR) in effect from May 25, 2018. This regulation applies not only to companies who are physically based in the EU, but it also applies to those outside of the EU who conduct business with EU data subjects. WHAT IT DOES The goal of the GDPR is to protects the right of an EU data subject to determine whether, when, how and to whom his personal data is revealed and how it can be used. Much stricter than other data protection laws in the past, the GDPR dramatically increases the maximum penalties for failure to comply to up to 4% annual world turnover or €20 million, whichever is greater. WHAT IT MEANS As noted in the December 2017 Forbes article, “If GDPR compliance doesn't start with information governance, you'll probably fail.” There is a heightened need to be more mature in your information governance (IG) practices by taking a holistic approach to managing all types of information throughout its lifecycle, especially personally identifiable information (PII). That means you must know your business, legal and regulatory obligations for how to manage personal data and also be able to show compliance. You need to have a unified view into: what personal information you have, where it lives & who owns it how to treat it & how long to keep it
- Many organizations are feeling the pain of all of the work it takes to comply with increasingly strict regulations like the GDPR. The need to make comprehensive changes to business practices is the biggest barrier to compliance. 64% of respondents say they are concerned about the need to make comprehensive changes in business practices before achieving compliance, according to a recent study conducted by The Ponemon Institute and sponsored by McDermott Will and Emery LLP.
- Like many of your peers, you’re responsible for implementing controls and policies to ensure your organization is complying with laws and regulations. This includes interpreting laws and identifying compliance requirements for managing information, such as retention rules and privacy obligations, so you can properly protect and legally dispose of information when it’s no longer required. That’s challenging when the regulatory environment is constantly changing due to existing and new regulations, such as the GDPR. But if you don’t have a well executed retention program, you risk incurring unnecessary cost and risk by keeping information longer than required As laws change, without guidance and automated tools to enable compliance, you may find yourself with limited or no ability to communicate policy changes to content owners and infrastructure so they can manage information according to policy. With the advent of increasingly stringent regulations like the GDPR, not only will you need to make sure you have a well-executed information governance program, but you’ll also need a way to prove to regulators that your organization is compliant.
- What if you could… Receive expert guidance and tools to comply with the GDPR and other regulations that govern you? Receive continuously updated retention and privacy requirements so you can keep your policy management connected and dispose of information when it’s no longer required? Provide online visibility into the latest version of your retention schedule, privacy policies and critical information about your business processes that contain personal data?
- Increasing privacy concerns and regulations like the GDPR are elevating the need for privacy and retention to be managed together. Most companies have a records retention schedule managed by the Records & Information Management department that governs policy for how long to keep all types of records, including records containing personal data. Separately many companies have a Privacy team that manages the privacy policy for records containing personal data. In some companies these groups are under the same department, but in many cases they are two siloes. Increasing privacy concerns, news of high profile data breaches and heavy-hitting regulations such as the GDPR are forcing these siloes to break down. There is an increased need to have a single unified view into how to manage personal data according to policy, regardless of if the policy is being driven by retention or privacy requirements. What’s more, there is an increased need to act on retention policy by disposing of private information as soon as possible so that it is not unnecessarily exposed to breach. A well-executed retention program is the way to make sure all information, especially personally identifiable information (PII) is disposed of as soon as it is no longer needed for business, legal or regulatory purposes. By managing retention and privacy together you can: Have a unified view of your personal data and related obligations Dispose of private information as soon as possible Reduce unnecessary exposure to data breaches
- Policy Center Enterprise Edition is the solution that gives you a unified view into your retention and privacy policies so you can both know your obligations and show compliance. Policy Center Enterprise Edition combines subscription access to a cloud-based retention and privacy policy management platform with expert Advisory Services to help you comply with existing and new regulations, such as the General Data Protection Regulation (GDPR). With this solution you’ll receive: Expert Advisory Services team support Continuously updated online portal with retention and privacy legal citations Simple explanation of requirements to support your retention and privacy decisions Filters to view record classes and types affected by privacy law Tools to document critical information about your business processes that contain personal data (GDPR Article 30) Ability to distribute policy to content infrastructure and key stakeholders
- To know your obligations, you can go into your Policy Center portal to access continuously updated retention and privacy legal citations collected by our international network of law firms covering 160 jurisdictions. Here’s what the process looks like to collect the legal content: CONTRIBUTE Our international network of high quality law firms conducts legal research on the latest changes in law that have an impact on retention and privacy requirements. As laws change, our network contributes their legal research to be added to Iron Mountain’s global research database. The research contains fully cited and summarized legal citations, including a simple explanation of the requirements to empower your decisions on retention rules and privacy obligations that make sense for your organization. CURATE Iron Mountain legal staff curates the legal research to ensure it conforms to guidelines for consistency and matches your subscription to specific areas of law. PUBLISH In your Policy Center portal, you’ll receive a feed of continuously updated retention and privacy legal citations based on where you operate and the types of law required to support your retention and privacy policies. After reviewing the updates, you can authorize to automatically map the updated requirements into your record class structure and update your retention rules and privacy obligations accordingly. You also have the option to have our Advisory Services team monitor and map your updated citations on your behalf. You can then publish the updated retention rules and privacy obligations for your organization to follow.
- To show compliance, you’ll have tools to document critical information about your business processes that contain personal data, enabling compliance with the GDPR Article 30 requirements. To keep your retention schedule and privacy policies connected, it’s most effective to categorize privacy requirements in the same way you do retention requirements and have a centralized place to see everything together so you have a holistic picture of how you are obligated to manage private information, including how long you are legally obligated to keep it. CONNECT CRITICAL INFORMATION ABOUT YOUR PERSONAL DATA In Policy Center, you’ll be able to connect critical information about your personal data, including where it lives, who owns it, what process it’s a part of and what are the applicable retention rules and privacy obligations. You can use the Business Process Library in Policy Center to keep a catalogue of your business processes that contain personal data and document all of the information required by Article 30 of the GDPR. SHOW CONNECTIONS VISUALLY THROUGH DATA FLOW MAPS To make it easier to collect critical information about your business processes that contain personal data and make the connections more easily understandable, you’ll be able to create data flow maps to centrally show the connections visually. In your maps you can show the movement of personal data within and outside of your organization so you can quickly identify where personal information is located to respond to time-sensitive issues, such as data breaches, subject access requests, data erasure requests, audits and litigation. Using an online business process mapping tool makes it easier to gather the information from the process owner, show your compliance to regulators and easily search for information to respond to respond to time-sensitive issues, such as data breaches, subject access requests, data erasure requests, audits and litigation. As a bonus, this documentation of your business processes is a great lens to underpin your digital transformation efforts to identify where you can digitally transform business workflows.
- The advantage of managing privacy and retention together through Policy Center come to light when we take the GDPR as the use case. THE GDPR SAYS YOU MUST Keep a record of processing activities that involve personal data (Article 30 in the GDPR) Document a lawful basis for processing data (Article 6) Only store data for as long as is necessary (Article 5) Notify authorities and data subjects about data breaches without undue delay (Articles 33 & 34) Erase data under the 'right to be forgotten’ (Article 17) Provide data subjects access to their data and processing details (Articles 13 & 15) *Above are a summarized sampling of what data controllers and processors must do according to the full GDPR text. The full text can be found on the European Commission website: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf WITH POLICY CENTER YOU’LL HAVE Retention & Privacy Legal Citations Fully cited and summarized legal citations with a simple explanation of the requirements to empower your decisions on retention rules and privacy obligations that make sense for your organization. Business Process Library & Data Flow Maps Tools to make it easier for you to capture critical information about personal data, including what it is, where it lives, who owns it, what process it’s a part of and the applicable retention rules and privacy obligations. To make it easier to collect this critical information from business process owners and make the connections between pieces of information more easily understandable, you can create data flow maps to centrally show the connections visually to regulators or whoever else needs to see them. Using these centralized visual maps, you’ll be able to quickly identify where information is located to respond to time-sensitive issues such as data breaches, subject access requests, data erasure requests, audits and litigation. YOU’LL BE ABLE TO KNOW YOUR OBLIGATIONS AND SHOW COMPLIANCE Show your record of processing activities on demand in a visual map Show connection of processing activities to retention and privacy requirements Know when personal data has met retention requirements so you can dispose of it Know if records containing personal data are in a data source that was breached Know where to locate personal data to comply with erasure requests Know when you can refuse erasure requests if retention requirements have not been met
- WITH POLICY CENTER YOU’LL BE ABLE TO: Keep your retention and privacy policy management connected, current and compliant Save on information storage costs Reduce unnecessary exposure to data breaches Reduce effort of responding to privacy requests Quickly locate personal information Reduce risk of fines Distribute policy to people and data repositories Join a collaborative user community
- The Policy Center User Community is a collaborative community of information professionals, centered around the solution that helps you know your obligations and show compliance. You can join the community to take part in roundtables to discuss pertinent industry topics and to advise on Policy Center services and product functionality, Policy Center “Tips and Tricks” virtual sessions and connect in person at industry events. JOIN THE POLICY CENTER USER COMMUNITY TO Share ideas and best practices around Policy Center and other information governance topics Learn about Policy Center, trends in the industry, and how other companies are responding Advise on Policy Center feature development Build a strong community of passionate users and help us continue to build a solution that helps you