EA case study - Tell me a secret

The three examples below are more or less real, and they show why we need to manage information security and privacy regulations.

  • XXXXXX describes his/her mental illness in an interview for a documentary

  • XXXXXX and YYYYYY are fully nude in some shots done for a non X-rated feature film

  • XXXXXX, a Hollywood star, participates in a commercial for a new product line.


Information classification

We start by defining security levels for use within the company and with partners, customers, contractors etc. The four levels are:

  • Public

  • Internal

  • Confidential

  • Secret

The next set of levels concerns privacy and is derived from GDPR.

  • Non personal information

  • Personal, but not identifiable information

  • Personal identifiable information

  • Personal sensitive identifiable information

In addition to these generic security classifications, we have NDAs and other terms in agreements to manage.

Ownership and responsibility

The ownership of the classification of the information objects belongs to the process owner for each capability.

The more difficult question is which level of classification each information object should have, and whether there are cases where we need a more stringent classification.

Public is simple. Just ensure that you can track who publishes what externally, and when.

Internal is information shared internally in the company and with key partners, contractors and clients.

Confidential is information shared within a specific group for a specific purpose. It needs to be shared both internally and externally.

Secret is information shared with specific persons and is more sensitive than confidential. It needs to be shared both internally and externally.

Implementation of information policy

How to enforce security and privacy is another matter, and we continue with the example.

Different types of media assets (video, photos, sound etc.) belong to the Production capability, so the ownership and responsibility are very clear.

Media assets should not be classified as public or internal, as they could belong to different clients or key partners. This is why we need to have a higher classification.

The higher the security classification of the media assets, the more time-consuming and expensive it will be to manage them.

Normally, confidential will be enough, but in these three cases we have more sensitive information, as it includes sensitive personal information or information under NDAs with the client.

  1. Health information for an individual is sensitive personal identifiable information according to GDPR.

  2. Nudity is very private, and even if nothing is shown in the released feature in cinemas, we still have revealing clips stored in the footage.

  3. There are NDAs in place, and we are not allowed to reveal the participants until the client allows this, i.e. after publishing and not before.

This is why I recommend that all three cases be classified as secret information instead of confidential.
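
The decision rule behind these three cases, written out as an added example (it is not part of the original case study): a media asset starts at confidential and is raised to secret by sensitive personal data, revealing footage, or an NDA that is still in force. The field names, the sample assets, and the fall back to confidential once the client has published are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional, Tuple

class Security(IntEnum):      # the four security levels, lowest to highest
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3

class Privacy(IntEnum):       # the four GDPR-derived privacy levels
    NON_PERSONAL = 0
    NOT_IDENTIFIABLE = 1
    IDENTIFIABLE = 2
    SENSITIVE_IDENTIFIABLE = 3

@dataclass
class MediaAsset:             # field names are hypothetical, chosen for this example
    name: str
    privacy: Privacy
    revealing_footage: bool = False           # case 2: nudity kept in stored footage
    under_nda: bool = False                   # case 3: participants must not be revealed
    client_published: Optional[date] = None   # day the client publishes, if known

def classify(asset: MediaAsset, today: date) -> Tuple[Security, List[str]]:
    """Return the security level for a media asset and the reasons behind it."""
    level, reasons = Security.CONFIDENTIAL, ["media asset: never public or internal"]
    # Assumption: the NDA reason lapses once the client has published.
    embargo = asset.under_nda and (
        asset.client_published is None or today < asset.client_published)
    rules = [
        (asset.privacy is Privacy.SENSITIVE_IDENTIFIABLE, "sensitive personal data"),
        (asset.revealing_footage, "revealing footage in storage"),
        (embargo, "NDA: client has not published yet"),
    ]
    for hit, reason in rules:
        if hit:
            level = max(level, Security.SECRET)
            reasons.append(reason)
    return level, reasons

# Constructed sample assets mirroring the three cases, plus one ordinary clip.
TODAY = date(2024, 1, 15)
ASSETS = [
    MediaAsset("documentary interview", Privacy.SENSITIVE_IDENTIFIABLE),
    MediaAsset("feature film raw footage", Privacy.IDENTIFIABLE, revealing_footage=True),
    MediaAsset("commercial shoot", Privacy.IDENTIFIABLE, False, True, date(2024, 3, 1)),
    MediaAsset("landscape b-roll", Privacy.NON_PERSONAL),
]
```

Returning the reasons alongside the level gives the process owner a record of why an asset carries the more expensive secret handling.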

The next question is how to implement this with state-of-the-art technology, while still being usable in real life and at a reasonable cost. It is now time to look at this from an enterprise content management perspective.

EA case study - Architecture or not?

What is within the scope of Enterprise Architecture? Let us continue with an example from our project list.

A lack of the needed contracts is a paramount issue in the majority of productions, and we need to manage this area to be on the safe side.

Binder with copyright agreements


The current situation is as follows:

  • We have a legal obligation to keep copyright agreements for at least 70 years.

  • We have a few architecture principles that guide the development of our solutions.

  • We have a defined business process in our Production Handbook that requires those agreements to be in place before shooting starts.

  • The agreements include personal identifiable information as defined in GDPR.

  • Agreements are classified as company confidential. If we one day get a Star Wars contract, it will be classified as “company secret”.

  • The different types of agreements are implemented as Word templates. Unsigned contracts are stored in Teams for each production. Each individual contract is printed in two copies and signed by both parties. We also carry blank contracts on paper as a backup in case there are late changes in plans.

  • The signed document is scanned and stored in Microsoft Teams per production. The signed original is kept in a paper archive, one tab per production, until copyright ends.

  • The production code and name, e.g. “10117 Saving Mimosa”, is managed in the financial systems.

  • The production code and name, e.g. “10117 Saving Mimosa”, is managed in the media management systems.

  • The list of which person is part of which production needs to be solved by another project as part of the pre-production process.

Which of the parts above are Enterprise Architecture for you? Please explain why and why not.

How to control your privacy architecture?

In the previous chapters we have discussed the details of how to document and measure privacy in a mid/large company. However, one key aspect is always governance.

A short definition of governance is: making decisions and then assuring they follow compliance mechanisms via strong organizational and operational metrics. The functional parts of a governance structure are:

  1. Organizational model: The purpose and the structure of the body that manages and partitions responsibilities for each company priority area across the different organizational entities -- corporate, functional groups, and geographies

  2. Decision making: Definition of the decision making and funding processes for on-going planning and management of privacy activities

  3. Process and people: Infrastructure and capabilities for pre and post-deployment support

Typically, in the field of GDPR you have the following roles/people:

  1. DPO (Data protection officer): is the point of contact for the body of authority and normally issues recommendations and best practice for the rest of the organisation.

  2. Controller: is responsible for processing privacy data, and in this model we have allocated this role to the process owner. The reason is twofold: 1) privacy is a business issue, not an IT issue; 2) each process owner has the means and purpose of the actual data processing.

  3. Processor: is responsible for processing data given by the controller. In our model we do not have that role. The reason is that it is normally the same as the controller from a governance point of view, although limited to what the controller has given permission to execute.
