Data security and compliance are on the minds of C-suite leaders in all industries. It seems like every week there is yet another high-profile data security breach, and some of the world’s most tech-savvy companies are falling victim. Indeed, as I am writing this article, Facebook — already facing scrutiny over how it handles the private information of its users — has disclosed that an attack on its computer network exposed the personal information of nearly 50 million users. The breach could not have come at a worse time for Facebook, and we are certain to see the implications play out in the news.
At the same time, data protection regulations around the world are becoming increasingly strict. One prominent example is the General Data Protection Regulation (GDPR), which went into effect in Europe earlier this year. The GDPR is an overarching data protection law that applies to the personal data of individuals in the European Union and is designed to make companies more accountable for the way they process that data. While the rule is European in scope, it shapes compliance obligations and liability for any organization, wherever it is based, that handles the personal data of people in the EU.
Drivers for transformation
For these reasons, data security and compliance are increasing drivers for organizational spending on digital transformation. In a 2017 AIIM research report, “Governance and Compliance in 2017: A Real World View,” organizations were asked to rank the top drivers for digital technology investment in their company. Improved process productivity (42 percent) and faster response (30 percent) remain at the top of common objectives, but for the first time, information security and compliance have entered the top three drivers for digital transformation.
The implications of data security and compliance can be seen by looking at three sectors: financial, legal and healthcare. All three are experiencing tremendous disruption and increasing risk. At the same time, many organizations are finding operational performance and process improvement opportunities that would not be possible without the digitization of key business processes and workflows.
As the old adage says: follow the money. For instance, the banking industry began experiencing a major transformation long before “digital transformation” was cool. For most of us, the very idea of visiting a physical bank branch has become an antiquated notion replaced by smartphones and 24/7 connection to the internet. You could say that the banking industry is the most digitally disrupted industry today.
And the transformation of how money is managed is not just limited to banks. According to the American Productivity and Quality Center (APQC), nearly 3 in 4 organizations have an active financial process transformation project underway. While regulations and risk help drive it, demand for financial process transformation also represents an enormous opportunity to improve a key component of every enterprise operation while ensuring new levels of information governance. An opportunity not only to improve operations and reduce costs, but also to address the increasingly challenging issues of security and compliance.
The emphasis on data security and the risk of data loss have become sharpened focal points for legal departments in all industries. Federal, state and local laws mix together with an increasingly complex array of international requirements that drive improved data security and compliance.
This requires businesses to implement more focused and stricter information governance policies, practices and enforcement efforts.
In the face of increasing need, many organizations question whether they are falling short of their security and compliance goals. According to the 2017 AIIM report, 48 percent rate the maturity of their efforts as either “poor” or “extremely poor,” while only 14 percent feel they are above average. From a legal and compliance perspective, these numbers are troubling. Experts tell us that a data breach is a question of when, not if, and put the odds of your organization being hacked this year as high as 1 in 4. And not all breaches are the result of external hacking. Some are caused by internal staff, whether intentionally or unintentionally, exposing data to people outside the organization who have no right to access it.
According to a 2018 Raconteur Legal Innovation report, the legal profession is adopting a much more aggressive approach to digital transformation as a result. “Improving the use of technology” ranked as the No. 1 priority for 94 percent of firms surveyed. The biggest change expected over the next decade that appealed to 35 percent of respondents was “paperless offices as the new normal.”
For practitioners in healthcare, one of the biggest data security and compliance challenges is matching limited IT resources to highly complex regulatory requirements while keeping daily processes working efficiently and securely. Moving patients efficiently through a single- or multi-physician practice, handling the necessary daily workflow and at the same time ensuring ever higher levels of data security is a huge challenge. And the sensitivity and privacy of medical information makes regulatory compliance an increasingly front-and-center C-suite concern.
The Health Insurance Portability and Accountability Act, or HIPAA, is the seminal piece of legislation in the healthcare industry governing the use, management and protection of “individually identifiable health information.” But there are others to consider. The Health Information Technology for Economic and Clinical Health (HITECH) Act promotes the adoption of health information technology and strengthened HIPAA’s privacy and security requirements, including the addition of breach notification rules. Even the Patriot Act, designed primarily as a vehicle for the U.S. government to enhance its ability to monitor and detect activities related to terrorism, affects how organizations handle personal records. Separately, the federal rule 42 CFR Part 2, which predates HIPAA, establishes additional confidentiality protections for the records of patients maintained in connection with federally assisted drug or alcohol abuse treatment programs.
Data security and compliance in healthcare is complex. And while many large-scale healthcare organizations have enterprise-sized budgets and teams of IT to support the effort, many small medical practices struggle to balance data security and regulatory compliance demands with the needs of effectively running the clinic and delivering healthcare.
Where does your organization sit in terms of data security and compliance? Here are some recommendations to improve your information governance.
• Create an information governance team including representatives from IT, records management, compliance, legal, and all lines of business.
• Review the risks posed by the types of information that you hold. What happens if it is lost or exposed, including those instances involving internal staff or caused by general negligence?
• Draft an information governance policy. Focus initial efforts on areas where the content is the most sensitive.
• If you have extensive image archives of scanned documents, consider recapturing them with modern OCR to create enhanced metadata and improved potential for analytics.
• Investigate day-forward process automation and data classification, particularly for process-based and routine inbound content that will, in effect, automate ongoing compliance.
The specter of security and compliance demands greater levels of information governance. Breaches are more frequent than ever, regulations are getting stricter, and the consequences for organizations that get this wrong, whether fines, litigation or loss of customer trust, have never been more severe. Consider these factors and develop best practices around them as you design your strategies. Look for providers and partners with the right mix of capability, vision and expertise to help you take the right actions to properly secure and protect private information.
Kevin Craine is the managing director of Craine Communications Group. He is writer, podcaster and technology analyst, as well as the author of the book Designing a Document Strategy and a respected authority on document management and process improvement. He was named the No. 1 ECM Influencer to follow on Twitter.