Policy Center Enterprise Edition combines subscription access to Policy Center, a cloud-based retention and privacy policy management platform, with expert Advisory Services to help you comply with existing and new regulations, such as the General Data Protection Regulation (GDPR). It helps you manage privacy and retention together, so you can know your retention and privacy obligations, and show compliance.
2. WHAT IS THE EUROPEAN UNION (EU) GENERAL DATA PROTECTION REGULATION (GDPR)?
WHAT IT IS
• EU-wide data privacy legislation requiring compliance by all organizations who do business with EU data subjects
WHAT IT DOES
• Protects the right of an EU data subject to determine whether, when, how and to whom his personal data is revealed and how it can be used
• Severe fines for failure to comply; up to 4% annual world turnover or €20 million, whichever is greater
WHAT IT MEANS
• If GDPR compliance doesn't start with information governance, you'll probably fail – Forbes*
• You must know and show:
• What personal information you have, where it lives & who owns it
• How to treat it & how long to keep it
*https://www.forbes.com/sites/forbestechcouncil/2017/12/06/if-gdpr-compliance-doesnt-start-with-information-governance-youll-probably-fail/#21f637812e1e
3. 64% of organizations say the biggest
barrier to GDPR compliance is the need to
make comprehensive changes in business
practices.
McDermott Will & Emery LLP and Ponemon Institute LLC, “The Race to
GDPR: A Study of Companies in the United States & Europe” 2018.
4. COMMON
CHALLENGES
• Keeping your retention and privacy policies
current to comply with changing laws globally
• Incurring unnecessary cost and risk by
keeping information longer than required
• Limited or no ability to communicate policy
changes to content owners and infrastructure
• Proving to regulators that your organization
is compliant
5. WHAT IF YOU COULD…
• Receive expert guidance and tools to comply with the GDPR and
other regulations that govern you?
• Receive continuously updated retention and privacy requirements
so you can keep your policy management connected and dispose
of information when it’s no longer required?
• Provide online visibility into the latest version of your retention
schedule, privacy policies and critical information about your
business processes that contain personal data?
6. THE ADVANTAGE OF MANAGING
PRIVACY AND RETENTION
TOGETHER
Increasing privacy concerns and regulations like the GDPR are
elevating the need for privacy and retention to be managed
together so you can:
✔ Have a unified view of your personal data and related obligations
✔ Dispose of private information as soon as possible
✔ Reduce unnecessary exposure to data breaches
7. POLICY CENTER ENTERPRISE EDITION
Combines subscription access to a cloud-based retention and privacy policy management platform with expert Advisory Services to help you comply with existing and new regulations, such as the General Data Protection Regulation (GDPR).
WHAT YOU GAIN:
• Expert Advisory Services team support
• Continuously updated online portal with retention and privacy legal citations
• Simple explanation of requirements to support your retention and privacy decisions
• Filters to view record classes and types affected by privacy law
• Tools to document critical information about your business processes that contain personal data (GDPR Article 30)
• Ability to distribute policy to content infrastructure and key stakeholders
8. RETENTION AND PRIVACY CITATIONS COLLECTED
BY INTERNATIONAL NETWORK OF LAW FIRMS
CONTRIBUTE
INTERNATIONAL NETWORK OF
HIGH QUALITY LAW FIRMS
CONTRIBUTE LEGAL CITATIONS
FOR GLOBAL RESEARCH
CURATE
LEGAL STAFF CURATES LEGAL
CONTENT AND PUBLISHES TO
GLOBAL RESEARCH DATABASE
PUBLISH
YOU REVIEW LEGAL CONTENT,
AUTHOR AND PUBLISH RETENTION
RULES AND PRIVACY OBLIGATIONS
VIA THE ONLINE PORTAL
• Draft content
• Submit to Iron Mountain
• Monitor changes
• Embellish content
• Approve and publish
• Manage subscriptions
• Manage sources
• Publish retention rules
and privacy obligations
9. SHOW CONNECTIONS VISUALLY THROUGH
DATA FLOW MAPS
CREATE A UNIFIED VIEW OF YOUR PERSONAL
DATA AND RELATED OBLIGATIONS
CONNECT CRITICAL INFORMATION
ABOUT YOUR PERSONAL DATA
10. HOW POLICY CENTER CAN HELP YOU COMPLY WITH THE GDPR
THE GDPR SAYS YOU MUST*:
• Keep a record of processing activities that involve personal data
• Document a lawful basis for processing data
• Only store data for as long as is necessary
• Notify authorities and data subjects about data breaches without undue delay
• Erase data under the ‘right to be forgotten’
• Provide data subjects access to their data and processing details
WITH POLICY CENTER YOU’LL HAVE:
• Retention & Privacy Legal Citations
• Business Process Library & Data Flow Maps
YOU’LL BE ABLE TO:
✔ Show your record of processing activities on demand in a visual map
✔ Show connection of processing activities to retention and privacy requirements
✔ Know when personal data has met retention requirements so you can dispose of it
✔ Know if records containing personal data are in a data source that was breached
✔ Know where to locate personal data to comply with erasure requests
✔ Know when you can refuse erasure requests if retention requirements have not been met
*The above is a summarized sampling of what data controllers and processors must do according to the full GDPR text. The full text can be found on the European Commission website: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
11. WITH POLICY CENTER YOU’LL BE ABLE TO:
• Keep your retention and privacy policy management connected, current and compliant
• Save on information storage costs
• Reduce unnecessary exposure to data breaches
• Reduce effort of responding to privacy requests
• Quickly locate personal information
• Reduce risk of fines
• Distribute policy to people and data repositories
• Join a collaborative user community
12. JOIN THE POLICY CENTER USER COMMUNITY
Collaborative community of information professionals, centered around the solution that helps you know your obligations and show compliance.
Join the Policy Center User Community to:
SHARE
Share ideas and best practices around Policy Center and other information governance topics
LEARN
Learn about Policy Center, trends in the industry, and how other companies are responding
ADVISE
Advise on Policy Center feature development
BUILD
Build a strong community of passionate users and help us continue to build a solution that helps you
14. PRE-BUILT
POLICY CENTER SOLUTION SUITE
ESSENTIAL EDITION
• Pre-built, best practice retention schedule for information created in general business departments
• Retention requirements updated annually
• Covers a single country (US, UK or Canada)
• Read-only retention schedule
• Available only to select small business customers as part of the Governance, Risk & Compliance service
STANDARD EDITION
Includes Essential Edition features plus:
• Ability to personalize record classes and
modify retention rules
• Option to add one industry-specific retention schedule
15. CUSTOMIZED WITH ADVISORY SERVICES
POLICY CENTER SOLUTION SUITE
PROFESSIONAL EDITION
• Work with our expert Advisory Services team to customize your retention schedule
• Retention requirements continuously updated
• Covers multiple industries
• Option to connect policy to your content infrastructure through an open application programming interface (API)
• Coverage for up to 10 countries
• Up to 5 admins with editing capabilities
ENTERPRISE EDITION
Includes Professional Edition features plus:
• Work with Advisory Services on your privacy policy
• Privacy requirements continuously updated
• Data flow mapping tool to record processing activities
(GDPR Article 30)
• Complete global coverage
• Up to 8 admins with editing capabilities
17. POLICY CENTER DIFFERENTIATION
Working with Iron Mountain, customers benefit from our:
INTEGRATED RETENTION AND PRIVACY POLICY MANAGEMENT
Most providers either specialize in retention or privacy, but not both. Policy Center is
a retention and privacy policy management platform that provides a unified view to
keep your retention and privacy policy management connected, current and
compliant.
DEEP INFORMATION GOVERNANCE EXPERTISE
Our Advisory Services team is one of the industry’s largest IG consultancies with
expert professionals dedicated to the intricacies of retention, privacy, compliance
and risk management for 20+ years.
HIGH QUALITY, SPECIALIZED LEGAL RESEARCH
Iron Mountain maintains relationships with an international network of law firms and
legal research providers that are dedicated to the intricacies of retention and privacy
legal research, rather than general legal research that you would find at most law
firms.
18. POLICY CENTER DIFFERENTIATION
Working with Iron Mountain, customers benefit from our:
FLEXIBLE, NEEDS-BASED PLATFORM
Policy Center is a scalable platform available as a subscription service, ranging from
pre-built to more advanced customized editions. Our Advisory Services team can
work with you to customize and optimize your privacy policy and records
classification scheme based on best practices, the level of granularity you need, and
your risk appetite.
COMPREHENSIVE INFORMATION MANAGEMENT PORTFOLIO
Our breadth of services enables customers to deal with fewer vendors. Our broad
multinational footprint and financial strength enable us to be where our customers
need the solutions and services.
INVESTMENT IN SECURITY AND INFRASTRUCTURE
With dedicated security professionals focused on ensuring the security of your
information, Iron Mountain is regularly named by Security Magazine in the Security
500 Survey, an annual ranking of the nation’s most secure companies.
Editor's Notes
In the news we’re hearing about privacy concerns and high profile data breaches almost every day.
We’re starting to see the law address some of these concerns in the context of our increasingly digital world.
WHAT THE GENERAL DATA PROTECTION REGULATION (GDPR) IS
The latest and most stringent data protection law addressing growing concerns over how personal data is used is the European Union (EU) General Data Protection Regulation (GDPR) in effect from May 25, 2018.
This regulation applies not only to companies who are physically based in the EU, but it also applies to those outside of the EU who conduct business with EU data subjects.
WHAT IT DOES
The goal of the GDPR is to protect the right of an EU data subject to determine whether, when, how and to whom his personal data is revealed and how it can be used.
Much stricter than other data protection laws in the past, the GDPR dramatically increases the maximum penalties for failure to comply to up to 4% annual world turnover or €20 million, whichever is greater.
WHAT IT MEANS
As noted in the December 2017 Forbes article, “If GDPR compliance doesn't start with information governance, you'll probably fail.”
There is a heightened need to be more mature in your information governance (IG) practices by taking a holistic approach to managing all types of information throughout its lifecycle, especially personally identifiable information (PII).
That means you must know your business, legal and regulatory obligations for how to manage personal data and also be able to show compliance.
You need to have a unified view into:
what personal information you have, where it lives & who owns it
how to treat it & how long to keep it
Many organizations are feeling the pain of all of the work it takes to comply with increasingly strict regulations like the GDPR.
The need to make comprehensive changes to business practices is the biggest barrier to compliance.
64% of respondents say they are concerned about the need to make comprehensive changes in business practices before achieving compliance, according to a recent study conducted by The Ponemon Institute and sponsored by McDermott Will and Emery LLP.
Like many of your peers, you’re responsible for implementing controls and policies to ensure your organization is complying with laws and regulations.
This includes interpreting laws and identifying compliance requirements for managing information, such as retention rules and privacy obligations, so you can properly protect and legally dispose of information when it’s no longer required.
That’s challenging when the regulatory environment is constantly changing due to existing and new regulations, such as the GDPR.
But if you don’t have a well-executed retention program, you risk incurring unnecessary cost and risk by keeping information longer than required.
As laws change, without guidance and automated tools to enable compliance, you may find yourself with limited or no ability to communicate policy changes to content owners and infrastructure so they can manage information according to policy.
With the advent of increasingly stringent regulations like the GDPR, not only will you need to make sure you have a well-executed information governance program, but you’ll also need a way to prove to regulators that your organization is compliant.
What if you could…
Receive expert guidance and tools to comply with the GDPR and other regulations that govern you?
Receive continuously updated retention and privacy requirements so you can keep your policy management connected and dispose of information when it’s no longer required?
Provide online visibility into the latest version of your retention schedule, privacy policies and critical information about your business processes that contain personal data?
Increasing privacy concerns and regulations like the GDPR are elevating the need for privacy and retention to be managed together.
Most companies have a records retention schedule managed by the Records & Information Management department that governs policy for how long to keep all types of records, including records containing personal data.
Separately, many companies have a Privacy team that manages the privacy policy for records containing personal data. In some companies these groups are under the same department, but in many cases they are two siloes.
Increasing privacy concerns, news of high profile data breaches and heavy-hitting regulations such as the GDPR are forcing these siloes to break down.
There is an increased need to have a single unified view into how to manage personal data according to policy, regardless of whether the policy is being driven by retention or privacy requirements.
What’s more, there is an increased need to act on retention policy by disposing of private information as soon as possible so that it is not unnecessarily exposed to breach.
A well-executed retention program is the way to make sure all information, especially personally identifiable information (PII), is disposed of as soon as it is no longer needed for business, legal or regulatory purposes.
By managing retention and privacy together you can:
Have a unified view of your personal data and related obligations
Dispose of private information as soon as possible
Reduce unnecessary exposure to data breaches
Policy Center Enterprise Edition is the solution that gives you a unified view into your retention and privacy policies so you can both know your obligations and show compliance.
Policy Center Enterprise Edition combines subscription access to a cloud-based retention and privacy policy management platform with expert Advisory Services to help you comply with existing and new regulations, such as the General Data Protection Regulation (GDPR).
With this solution you’ll receive:
Expert Advisory Services team support
Continuously updated online portal with retention and privacy legal citations
Simple explanation of requirements to support your retention and privacy decisions
Filters to view record classes and types affected by privacy law
Tools to document critical information about your business processes that contain personal data (GDPR Article 30)
Ability to distribute policy to content infrastructure and key stakeholders
To know your obligations, you can go into your Policy Center portal to access continuously updated retention and privacy legal citations collected by our international network of law firms covering 160 jurisdictions.
Here’s what the process looks like to collect the legal content:
CONTRIBUTE
Our international network of high quality law firms conducts legal research on the latest changes in law that have an impact on retention and privacy requirements.
As laws change, our network contributes their legal research to be added to Iron Mountain’s global research database.
The research contains fully cited and summarized legal citations, including a simple explanation of the requirements to empower your decisions on retention rules and privacy obligations that make sense for your organization.
CURATE
Iron Mountain legal staff curates the legal research to ensure it conforms to guidelines for consistency and matches your subscription to specific areas of law.
PUBLISH
In your Policy Center portal, you’ll receive a feed of continuously updated retention and privacy legal citations based on where you operate and the types of law required to support your retention and privacy policies.
After reviewing the updates, you can authorize the updated requirements to be automatically mapped into your record class structure, with your retention rules and privacy obligations updated accordingly.
You also have the option to have our Advisory Services team monitor and map your updated citations on your behalf.
You can then publish the updated retention rules and privacy obligations for your organization to follow.
To show compliance, you’ll have tools to document critical information about your business processes that contain personal data, enabling compliance with the GDPR Article 30 requirements.
To keep your retention schedule and privacy policies connected, it’s most effective to categorize privacy requirements in the same way you do retention requirements and have a centralized place to see everything together so you have a holistic picture of how you are obligated to manage private information, including how long you are legally obligated to keep it.
CONNECT CRITICAL INFORMATION ABOUT YOUR PERSONAL DATA
In Policy Center, you’ll be able to connect critical information about your personal data, including where it lives, who owns it, what process it’s a part of and what are the applicable retention rules and privacy obligations.
You can use the Business Process Library in Policy Center to keep a catalogue of your business processes that contain personal data and document all of the information required by Article 30 of the GDPR.
SHOW CONNECTIONS VISUALLY THROUGH DATA FLOW MAPS
To make it easier to collect critical information about your business processes that contain personal data and make the connections more easily understandable, you’ll be able to create data flow maps to centrally show the connections visually.
In your maps you can show the movement of personal data within and outside of your organization so you can quickly identify where personal information is located to respond to time-sensitive issues, such as data breaches, subject access requests, data erasure requests, audits and litigation.
Using an online business process mapping tool makes it easier to gather the information from the process owner, show your compliance to regulators and easily search for information to respond to time-sensitive issues, such as data breaches, subject access requests, data erasure requests, audits and litigation.
As a bonus, this documentation of your business processes is a great lens to underpin your digital transformation efforts to identify where you can digitally transform business workflows.
The advantage of managing privacy and retention together through Policy Center comes to light when we take the GDPR as the use case.
THE GDPR SAYS YOU MUST
Keep a record of processing activities that involve personal data (Article 30 in the GDPR)
Document a lawful basis for processing data (Article 6)
Only store data for as long as is necessary (Article 5)
Notify authorities and data subjects about data breaches without undue delay (Articles 33 & 34)
Erase data under the ‘right to be forgotten’ (Article 17)
Provide data subjects access to their data and processing details (Articles 13 & 15)
*The above is a summarized sampling of what data controllers and processors must do according to the full GDPR text. The full text can be found on the European Commission website: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
WITH POLICY CENTER YOU’LL HAVE
Retention & Privacy Legal Citations
Fully cited and summarized legal citations with a simple explanation of the requirements to empower your decisions on retention rules and privacy obligations that make sense for your organization.
Business Process Library & Data Flow Maps
Tools to make it easier for you to capture critical information about personal data, including what it is, where it lives, who owns it, what process it’s a part of and the applicable retention rules and privacy obligations.
To make it easier to collect this critical information from business process owners and make the connections between pieces of information more easily understandable, you can create data flow maps to centrally show the connections visually to regulators or whoever else needs to see them.
Using these centralized visual maps, you’ll be able to quickly identify where information is located to respond to time-sensitive issues such as data breaches, subject access requests, data erasure requests, audits and litigation.
YOU’LL BE ABLE TO KNOW YOUR OBLIGATIONS AND SHOW COMPLIANCE
Show your record of processing activities on demand in a visual map
Show connection of processing activities to retention and privacy requirements
Know when personal data has met retention requirements so you can dispose of it
Know if records containing personal data are in a data source that was breached
Know where to locate personal data to comply with erasure requests
Know when you can refuse erasure requests if retention requirements have not been met
WITH POLICY CENTER YOU’LL BE ABLE TO:
Keep your retention and privacy policy management connected, current and compliant
Save on information storage costs
Reduce unnecessary exposure to data breaches
Reduce effort of responding to privacy requests
Quickly locate personal information
Reduce risk of fines
Distribute policy to people and data repositories
Join a collaborative user community
The Policy Center User Community is a collaborative community of information professionals, centered around the solution that helps you know your obligations and show compliance.
You can join the community to take part in roundtables to discuss pertinent industry topics and to advise on Policy Center services and product functionality, attend Policy Center “Tips and Tricks” virtual sessions and connect in person at industry events.
JOIN THE POLICY CENTER USER COMMUNITY TO
Share ideas and best practices around Policy Center and other information governance topics
Learn about Policy Center, trends in the industry, and how other companies are responding
Advise on Policy Center feature development
Build a strong community of passionate users and help us continue to build a solution that helps you