With the General Data Protection Regulation (GDPR) dubbed the ‘biggest shake up’ of data protection laws for 20 years, businesses around Europe have until 25th May 2018 to fully comply with the new regulations or face hefty fines.
Ensure you have the right technologies in place to cope with this new legislation.
If you haven’t already done so, now is the time to review the technologies used in your business and decide whether they will be fit for purpose come enforcement day. One type of technology that can help with GDPR compliance is a document management system (DMS).
What is a document management system and how can it help with GDPR compliance?
Put simply, a document management system stores, manages and tracks electronic documents and electronic images of paper-based information captured through the use of a document scanner. DMS software ultimately controls and organises documents throughout an organisation.
A few questions to consider about how you currently work:
- Can you easily find documents? How long does it take? Is it all in one location? Are you confident that you’ve got it all? Do you know how many copies exist?
- Can document access be restricted? Could documents get into the ‘wrong hands’? Are you easily at risk of a security breach?
With a DMS, these considerations needn’t be a worry. Let’s take a look at some of the key elements of the GDPR and how a DMS addresses them:
- The right to be forgotten: The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. With paper files in particular, attempting first to locate and then to erase all data on an individual could prove a time-consuming and difficult task. For example, can you be certain of finding all the information? Do you know how many copies exist, or who has had access to the files? Information could quite easily be spread over a number of sites and locations, and be duplicated or even lost. With a DMS like Volume, this right can be easily addressed and actioned: all files are stored in one location, and finding the relevant files is a much simpler and more efficient process, so you can be confident that all files are located and can be erased, ensuring GDPR compliance.
- Privacy by design: Privacy by design is a regulatory requirement, so training should be an essential step in its achievement. A DMS can help ensure everyone is working in the same manner and to the same procedures, and can also show strong compliance by evidencing all communications and involvement with a client as well as controlling who has access to what data. For example, clear audit trails evidence all communications and involvement that a business has had with a client and provide enhanced security for better document regulation. Strict privacy controls govern who has access to what data, with configurable permissions to control what data users can access and what they can do with it. Should the regulator require evidence, a DMS can easily aid with this, showing that steps have been taken to ensure compliance.
- The right of access: Under the GDPR, individuals will have the right to obtain access to their personal data, so that they are aware of and can verify the lawfulness of the processing. The information must be provided to the individual making the request using “reasonable means” and within one month of receipt. Complying without the use of appropriate technology, such as a DMS, may prove difficult. Using a DMS, however, information is stored together in one setting, is accessed quickly and easily, and can efficiently be sent to the individual requesting ‘the right of access’ within the set timescale. All user actions within a DMS have audit trails, recycle bins can be included in system-wide searches and documents cannot be accidentally deleted, providing confidence that all the right data is located and can easily be passed on.
- The right to data portability: This right allows individuals to move, copy or transfer personal data easily and securely from one IT environment to another. So, for example, if an individual wished to leave for a competitor, their data would need to be made freely available to the new firm without undue delay (within one month). Fulfilling this request is made easy using a DMS: you can be confident that all the information will be located, easily retrieved and then available to send on to the other organisation within the set timescale in an approved format.
- Breach notification standards: The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected, within 72 hours of becoming aware of the breach. In the unlikely event that any breach of data should occur, this can be identified and reported immediately using a DMS; something that is nearly impossible to do when dealing with paper documentation in various locations. With GDPR also stressing privacy, a DMS can ensure data is not accessed erroneously and is stored in a secure manner, where the loss, damage and even theft that paperwork could be subject to is eliminated. Hosting your data away from your internal servers safeguards it from a malware attack (which would constitute a breach under GDPR). Our cloud DMS solution provides the highest levels of security and compliance, and is ransomware resilient, so you can rest assured that your operations won’t be hijacked, and you won’t be charged a bounty to reclaim your data. We are also proud to attain the highest of security standards: ISO 27001, the industry benchmark for secure data management.
Protecting your data protects your customers and yourself.
If you don’t put the right technologies in place to protect personal data, then you may have to pay: directly to the supervisory authority, and indirectly through reputational damage and loss of goodwill and customer trust.
Where can I find out more information? The Information Commissioner’s Office (ICO) regularly publishes information and offers expert guidance on its website. You can also visit our other GDPR articles and GDPR landing page, or give us a call for more information about document management and GDPR.