Preparing for GDPR compliance
The General Data Protection Regulation (GDPR) concerns organisations and businesses of all shapes, sizes and capacities, and has drawn huge amounts of attention from all quarters. With the deadline for GDPR compliance looming on 25th May, preparation for compliance is the prime focus, and it takes the form of a few major points of consideration.
Understanding GDPR fully
Being totally aware of what GDPR is and what it requires of organisations is absolutely vital to preparing for it. With stringent and significant fines possible for those not adhering to the regulations, ignoring it is simply not an option and businesses are being urged to find out exactly what they need to do. Some businesses may have a system in place which simply requires a few alterations to make sure that personal data being kept is all GDPR compliant. Others may find a radical overhaul of their entire working process is needed.
Looking at where problems may lie
Finding out exactly what personal data your organisation holds, in what capacity and where it is stored is important. This could involve a complete and thorough audit, with every step of the process fully recorded. Issues may arise around data sharing with third parties, something GDPR is very specific about, and around data spread across various geographic locations.
Letting customers know
Updating customers on privacy notices and what you intend to do with their data is necessary. While many organisations have privacy notices in place, especially those with an online presence, these may need to be altered and amended to take in the additional requirements of GDPR, which include how data will be used, how long it will be kept for and on what basis it is being kept.
The ‘right to be forgotten’ aspect of GDPR, which allows individuals to request the removal of all their data if there is no compelling reason for it to be held, means that a process will also have to be implemented to make this possible.
Customers will have to be informed that this has taken place, and all relevant data will have to be found and removed in an efficient and thorough manner. It is also important to know what reasons your organisation has for holding and processing data.
In a similar manner, individuals are able to request information on what data is being held about them and why. A process needs to be set up so that this too can be done, within the one-month time frame that GDPR specifies.
If an organisation plans to use an individual’s consent as its lawful basis for using personal data, a way of obtaining that consent needs to be developed. GDPR has explicit rules on what constitutes consent, and states that it can’t be implied and must be expressly and actively given. Children under 16 cannot give consent, meaning that adults will need to be consulted and informed appropriately.
Use of a Document Management System
When preparing for GDPR, using a Document Management System (DMS) can be a massive help. When faced with the ‘right to be forgotten’, as mentioned above, finding the data needed becomes swift and easy. Systems can be searched, and all information found in a thorough manner.
Whereas physical documents might be spread over various locations, with a DMS this is not an issue. If an individual wishes their data to be removed, a DMS can ensure that everything is found.
Whereas with physical items some may be missed, or even lost, which could have serious implications under GDPR, a DMS does not encounter such problems.
Watermark Technologies has two GDPR compliant document management systems – the locally-hosted solution, Volume, and cloud-based document management solution, Papercloud. You can find out more about the benefits of each solution at our software overview page.
Adopt a suitable process for data breaches
Reporting data breaches is something GDPR stresses, yet something many organisations may not be familiar with. Procedures need to be established to deal with the issue, should it happen. Methods also need to be in place to guard against such instances occurring, and sufficient technical expertise or services might need to be found internally or externally.
Data breach impact tests might be something many organisations decide to undertake, which could again require the services of experts.
Establishments of a certain size are required to employ a data protection officer in order to oversee the many privacy aspects that GDPR requires.
So, after conducting an audit of your data storage processes, you may find that you need to adjust your way of working to comply with GDPR. Switching to a document management system protects you from losing or duplicating personal data held in paper form.