The role of Infor Business Innovation in GDPR compliance
March 5, 2018
By John Vicari, senior director, Infor Business Innovation
The European Union’s General Data Protection Regulation (GDPR) is designed to enable individuals to better control their personal data.
“Personal data” is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. In other words, any data or processes that can identify the subject comprise that individual’s personal data.
Playing a crucial role in supporting the requirements of the GDPR at Infor is Business Innovation, Infor’s enterprise information technology (IT) team. This group is responsible for providing and maintaining an information processing capability that supports Infor’s business globally. With more than 500 employees supporting over 130 locations, the Business Innovation team plans, operates, and supports Infor’s IT business and technical requirements, enabling business users to carry out their roles efficiently, productively, and securely.
While IT usually brings to mind computer support, Business Innovation’s responsibilities extend far beyond the help desk. Business Innovation’s major areas of responsibilities are listed below and include managing risk associated with technology information, and ensuring that Infor’s internal infrastructure is secure.
- Sales, marketing, and “deal” management
- Finance & accounting management
- Human capital/talent management consulting
- Infrastructure (compute, storage, network, telco, messaging, security)
- Data management (business intelligence, data governance, data warehousing)
- Technology information risk
- Production management, support, and QA
- Architecture and applications development
Although many obligations need to be fulfilled to meet the requirements of the GDPR, Business Innovation started with the first step for compliance: mapping the data flow to enable us to assess our privacy risks. This includes understanding and documenting the following:
- What kind of personal data is collected (e.g., name, email, address)?
- How is it collected (e.g., form, online, call center)?
- Where is it stored?
- How is it processed?
- Is the data encrypted?
- Who is accountable for personal data?
- What is the location of the systems/filing systems containing the data?
- Who has access to the information?
- Is the information disclosed/shared with anyone (e.g., suppliers, third parties)?
- Does the system interface with or transfer information to other systems?
- How long do we keep it?
The delivery of the principles and rights in the GDPR will not be possible if we do not have a complete understanding of personal data and its associated processing.
Data management best practice
The Business Innovation team is assessing other capabilities and components needed to fully address the data management requirements of the GDPR. These components fall under these five categories:
- Case management: Systems required for managing data subject requests, complaints, and communications related to emergencies and data breaches
- Controls management: Systems to manage the control for all aspects of personal data
- Privacy compliance: Systems that manage data protection assessments, identify risk gaps, demonstrate compliance, and record data purpose
- Training: Training solutions/systems that can demonstrate understanding of the GDPR and compliance requirements
- Data security: Implement systems that protect data via the use of encryption, pseudonymizing, and other security technologies
- Data maintenance: Systems to manage data quality, including updates of data throughout the data lifecycle. This includes data deletion and suppression as a required function
- Breach response: The deployment of systems that will detect, manage, and resolve breaches (identify breached data, identify impacted users, and notify all relevant parties)
- Network: Deployment of detailed and integrated network and cyber security procedures, systems, and processes to provide enhanced levels of network security
- Application: Deployment of systems to ensure all applications that store, process, and manage personal data are secure
- Infrastructure: Deployment of systems to protect all IT infrastructure, including cloud solutions, use for data management, processing, storage and archiving
- Data discovery: Systems that assess structured and unstructured data across the enterprise identifying personal data
- Data mapping: Systems that “flag” all data related to an individual and show how all elements are tied together
- Consent: Systems that manage, track, and demonstrate all GDPR consent provisions
- Activity monitoring: Identify how data is being accessed and used and by whom and how value can be derived from it
- Omni-channel management: Systems to manage and coordinate data coming in from multiple channels
- Archive management: Systems to ensure archived data is managed and deleted in accordance with retention polices
One of the key changes brought about by the GDPR is its impact on the rights of individuals with respect to how their data is used. Since the GDPR gives individuals more control over the ways in which Infor processes their personal data, our responsibilities are greater than ever to ensure we’re absolutely clear on our data management.
Individual rights under GDPR are the “right of access,” “right to rectification,” “right to erasure” (or the “right to be forgotten”), “right to restriction of processing,” “right to data portability,” and “right to object.” In a functional sense, these rights require Business Innovation to provide the technology and processes to:
- Connect individuals to their personal data
- Categorize personal data by type and processing purpose
- Map or tract the full lifecycle of personal data
- Perform search and retrieval
- Enable rectification, redaction, erasure, anonymization
- Enable freeze and suppression
- Enable the transmission of personal data from one technology stack to another
With over 16,500 employees and 90,000 customers in more than 170 countries, Infor faces an exciting challenge with implementing the new data protection laws of the GDPR. However, while challenging, there are also a wide range of benefits to be realized because of the GDPR. The technical and process improvements necessary to meet the new GDPR requirements will result in dramatic efficiencies in how Infor manages and secures personal data.
John Vicari brings more than 30 years of experience to his role as a senior director on Infor’s Business Innovation team.