Himanshu Singh


Leveraging Your Document Management Solutions for GDPR Compliance

Document management solutions are based on the principles of privacy by design

Published: Tuesday, October 8, 2019 - 12:03

The most significant change in data privacy regulation in more than 20 years arrived with the European Union's (EU) General Data Protection Regulation (GDPR). Being GDPR-compliant is now a central consideration in how data are stored, handled, and processed. Here we discuss how document management solutions (DMS) can help keep you on the right side of the GDPR.

Let’s first begin by understanding GDPR and its implications.

The GDPR is rooted in the privacy by design school of thought. It enforces common-sense data security principles: minimizing the collection of personal data, deleting personal data that are no longer required, restricting access, and protecting data throughout their entire life cycle. It is a uniform law, applicable across the EU and beyond, that regulates how personal data are collected, recorded, stored, and processed. Violations incur heavy penalties.

In other words, the GDPR is a single law that enforces European data protection rules and the right to personal data protection. It applies to data processors as well as data controllers. The increased liability and heavier fines, compared with the Data Protection Directive (and national laws such as the UK's Data Protection Act 1998) that it replaced, shift the focus toward preventive measures and audits of how and where data are stored and destroyed.

What makes the GDPR especially significant is its extraterritorial reach. It applies to the personal data of individuals in the EU even when those data are transferred or processed outside the EU. Companies remain liable even if they are headquartered outside the EU and have no offices or servers there at all. In light of the data security concerns that have emerged around web services such as search engines and social networks in recent years, the GDPR is especially important.

What type of data are protected under GDPR?

The GDPR safeguards personal data such as names, phone numbers, postal addresses, account numbers, other documents containing personal data, and even email and IP addresses. Such information is typically held by businesses as customer records in customer relationship management solutions, as employee records in human resources management systems, and as documents stored in document management software.

What are the fine levels?

The GDPR has a two-tier penalty structure. Violations of certain articles can lead to a fine of up to €10 million or 2 percent of worldwide annual turnover for the preceding financial year, whichever is higher. Violations of other articles can draw a fine of up to €20 million or 4 percent of worldwide annual turnover for the preceding financial year, whichever is higher.

Now that we understand GDPR, let’s explore how you can remain GDPR-compliant.

Data vulnerabilities that risk GDPR noncompliance

Data can be vulnerable in any organization, big or small. All kinds of organizations can fall prey to a cyberattack. Whether you store paper documents or digital files, here are some questions you need to ask:
• What is the nature of the various documents that you hold?
• Do these documents include personal, identifiable information?
• Can you find and retrieve these documents easily?
• How long does it take you to retrieve these documents?
• Are all your documents stored in one location?
• Are you confident that none of your documents are missing?
• Do you know how many copies of each document exist?
• Can you restrict access to these documents?
• Could the documents end up in the wrong hands?
• How vulnerable are your documents to a security breach?

The answers to these questions will quickly reveal how well controlled your documents are and how far you are exposed to GDPR noncompliance.

Document management solutions

A DMS organizes and controls documents throughout the organization. It stores, retrieves, manages, and tracks electronic documents as well as scanned images of paper documents, follows each document through its life cycle, and maintains an audit trail. Automated document workflows ensure that documents are approved in a timely manner.

GDPR compliance with DMS

Let us take a closer look and discuss the key elements of the GDPR rules. As we discuss each element, we will also talk about how a DMS will help you address them.

The right to be forgotten (right to erasure). Individuals can request the deletion of their personal data when there is no compelling reason for its continued processing. With a DMS, such requests can be handled promptly. Because files are held in a central, indexed repository, finding the relevant records is simple, and the system can account for every copy rather than leaving you to guess how many exist. The caveat is that this holds only for copies the DMS knows about: exports, email attachments, and backups that live outside the system must be covered by the same procedure, and a record that also contains other people's data needs redaction rather than deletion.

Privacy by design. The GDPR places businesses under a specific obligation to give data privacy due consideration throughout the design, operation, and maintenance of information systems. This includes training employees to handle documents consistently, following standard procedures and protocols. A DMS ensures that the same processes and protocols are applied across the board, and it maintains a clear audit trail of every action taken on a document. Privacy controls and permissions restrict document access to authorized personnel only.

The right of access. The GDPR gives individuals the right to obtain access to their personal data so they can verify the lawfulness of its processing. The information must be provided within one month of receipt of the request.

With a DMS, the information can be located quickly and sent to the individual within the stipulated period. Audit trails and systemwide search that extends to the recycle bin make it possible to recover documents that were deleted by accident, so the data remain retrievable. Note the tension with erasure requests, however: a recycle bin that preserves deleted documents must itself be purged when a record is erased under the right to be forgotten, or the erasure is not complete.

The right to data portability. The GDPR gives individuals the right to receive their personal data in a structured, commonly used, machine-readable format and to move, copy, or transfer it from one IT environment to another, should they choose to switch to a different organization; where technically feasible, the data must be transmitted directly to the new controller. As with access requests, the response is due within one month. A DMS that keeps documents in standard formats with consistent metadata makes it practical to meet this deadline.

Breach notification standards. One of the most important GDPR rules is that organizations must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the risk to individuals is high, the affected individuals must be notified as well. A DMS does not file these notifications for you, but its audit trail records who accessed, exported, or deleted which documents and when, which is exactly what you need to detect unauthorized access and to establish the scope of a breach inside the 72-hour window.
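The following is an added example, not code from the article or from any DMS product. It runs two checks over a constructed DMS audit trail that a breach investigation would start from: reads of documents outside an account's entitlement, and bulk export of personal-data documents by one account within a short window. It also computes the 72-hour notification deadline from the moment of awareness. The log format, the role table, the entitlement map, and the thresholds are all assumptions made for this example.

```python
# Added example (not from the article or any DMS vendor): detection checks over
# a constructed DMS audit trail, plus the Article 33 notification deadline.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed entitlements: which document classes each role may touch, and which
# role each account holds. A real DMS would expose these through its ACLs.
ENTITLEMENTS = {
    "hr_user": {"hr_contract"},
    "support_agent": {"support_ticket"},
    "marketing": {"marketing_lead"},
}
ROLES = {"ana": "hr_user", "ben": "support_agent", "cat": "marketing"}

# Constructed audit trail: ISO timestamp, account, action, document id, document class.
AUDIT_LOG = """\
2019-10-07T09:01:00 ana READ D1 hr_contract
2019-10-07T09:05:00 ben READ D3 support_ticket
2019-10-07T10:00:00 ben READ D1 hr_contract
2019-10-07T22:00:00 cat EXPORT D4 marketing_lead
2019-10-07T22:00:30 cat EXPORT D6 marketing_lead
2019-10-07T22:01:10 cat EXPORT D7 marketing_lead
2019-10-07T22:01:40 cat EXPORT D8 marketing_lead
2019-10-08T08:00:00 cat EXPORT D9 marketing_lead
"""


def parse_log(text):
    """Turn the assumed space-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, doc_id, doc_class = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "doc_id": doc_id, "doc_class": doc_class})
    return events


def unauthorized_access(events):
    """Events where the account's role does not cover the document class.
    An account with no role mapping gets an empty entitlement set, so access
    by an unknown identity is reported as well."""
    hits = []
    for e in events:
        allowed = ENTITLEMENTS.get(ROLES.get(e["account"]), set())
        if e["doc_class"] not in allowed:
            hits.append((e["account"], e["doc_id"]))
    return hits


def bulk_exports(events, window=timedelta(minutes=10), threshold=3):
    """Accounts that EXPORT at least `threshold` documents inside `window`.
    Returns one (account, count, window_start) per offending account, for the
    first window that crosses the threshold."""
    by_account = defaultdict(list)
    for e in events:
        if e["action"] == "EXPORT":
            by_account[e["account"]].append(e["ts"])
    findings = []
    for account, times in by_account.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                findings.append((account, count, start))
                break
    return findings


def notification_deadline(became_aware):
    """Article 33: the supervisory authority must be notified within 72 hours
    of the controller becoming aware of the breach."""
    return became_aware + timedelta(hours=72)


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    print("out-of-entitlement access:", unauthorized_access(events))
    print("bulk exports:", bulk_exports(events))
    first_suspect = events[2]["ts"]  # the 'ben READ D1' event, if treated as awareness
    print("notify authority by:", notification_deadline(first_suspect).isoformat())
```

The entitlement check is deliberately strict: an account missing from the role table is treated as entitled to nothing, so a stale or unmanaged identity in the audit trail shows up as a finding rather than disappearing silently. The bulk-export window and threshold are placeholders; in practice they are tuned to the normal export volume of each role.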

Data retention. The GDPR does not stipulate fixed retention periods for personal data. It does require that personal data be kept only as long as necessary for the purpose for which they were collected, so organizations must set retention policies according to the nature of their business and industry. Data must be used only for the purpose for which they were obtained and must not be retained indefinitely. A DMS can be configured to securely delete records, or the personal data within them, once the retention period has lapsed.
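The following is an added example, not code from the article or from any DMS product, covering the two duties above that a DMS is best placed to automate: planning an erasure request so that every copy is found (the right to be forgotten) and reporting which records have outlived their retention period. It goes slightly beyond the text by handling two edge cases a practitioner meets immediately: a duplicate filed without a data-subject tag, and a record that holds several people's data. The document index, the retention periods, and the `erasure_plan` and `retention_report` functions are all constructed for this example.

```python
# Added example (not from the article or any DMS vendor): a toy document index
# with an erasure planner and a retention report. All data are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class Document:
    doc_id: str
    location: str            # where the DMS stores it, e.g. "dms://hr/contracts/..."
    subject_ids: frozenset   # data subjects whose personal data it contains
    category: str            # retention class assigned at filing time
    created: date
    content: bytes

    @property
    def content_hash(self) -> str:
        # Byte-identical copies share a hash whatever folder or name they carry.
        return hashlib.sha256(self.content).hexdigest()


# Assumed retention policy in days per category. The GDPR leaves the actual
# periods to the controller's own legal and business analysis.
RETENTION_DAYS = {"hr_contract": 6 * 365, "support_ticket": 2 * 365, "marketing_lead": 180}

# Constructed sample index. D2 is a duplicate of D1 filed without a subject tag;
# D3 contains two subjects' data; D5 never received a retention class.
SAMPLE_DOCS = [
    Document("D1", "dms://hr/contracts/alice.pdf", frozenset({"alice"}), "hr_contract", date(2012, 3, 1), b"contract alice"),
    Document("D2", "dms://hr/archive/copy.pdf", frozenset(), "hr_contract", date(2013, 1, 1), b"contract alice"),
    Document("D3", "dms://support/tickets/1001.txt", frozenset({"alice", "bob"}), "support_ticket", date(2019, 1, 15), b"ticket alice bob"),
    Document("D4", "dms://marketing/leads/bob.csv", frozenset({"bob"}), "marketing_lead", date(2019, 1, 1), b"lead bob"),
    Document("D5", "dms://misc/unknown.doc", frozenset({"carol"}), "unclassified", date(2000, 1, 1), b"unknown"),
]
AS_OF = date(2019, 10, 8)  # evaluation date for the retention report


def erasure_plan(docs, subject_id):
    """Plan an Article 17 erasure request.

    Seeds are the documents tagged with the subject. Byte-identical copies are
    pulled in by content hash so an untagged duplicate is not missed. A document
    that also holds other subjects' data is marked for redaction, not deletion,
    because deleting it would destroy someone else's records.
    """
    seeds = [d for d in docs if subject_id in d.subject_ids]
    hashes = {s.content_hash for s in seeds}
    affected = {d.doc_id: d for d in docs if d.content_hash in hashes}
    delete, redact = [], []
    for d in sorted(affected.values(), key=lambda d: d.doc_id):
        (delete if d.subject_ids <= {subject_id} else redact).append(d)
    return {"delete": delete, "redact": redact}


def retention_report(docs, today):
    """Documents past their retention limit, plus those that cannot be judged
    because no retention class was assigned. Unclassified records are flagged
    for review and never auto-deleted."""
    expired, needs_classification = [], []
    for d in sorted(docs, key=lambda d: d.doc_id):
        limit = RETENTION_DAYS.get(d.category)
        if limit is None:
            needs_classification.append(d)
        elif d.created + timedelta(days=limit) < today:
            expired.append(d)
    return {"expired": expired, "needs_classification": needs_classification}


if __name__ == "__main__":
    plan = erasure_plan(SAMPLE_DOCS, "alice")
    print("delete:", [d.location for d in plan["delete"]])
    print("redact:", [d.location for d in plan["redact"]])
    report = retention_report(SAMPLE_DOCS, AS_OF)
    print("expired:", [d.doc_id for d in report["expired"]])
    print("needs classification:", [d.doc_id for d in report["needs_classification"]])
```

Matching copies by content hash is what lets the planner catch the archive copy that was filed without a subject tag; relying on metadata alone would leave it behind and the erasure would be incomplete. The same hash index is also how a DMS answers the earlier question of how many copies of each document exist.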

Conclusion

A document management system is critical not only for streamlining access to information and improving efficiency, but also for meeting compliance obligations. Modern DMS are built on privacy-by-design principles, but using one does not make you compliant by itself: compliance comes from configuring retention, access controls, and audit trails correctly and from following the procedures around them. Even so, that is far more tractable than trying to manage ever-larger data sets by manual and decentralized means.


About The Author


Himanshu Singh

Himanshu Singh is a marketing specialist at SoftwareSuggest. He is well versed in software platforms such as e-commerce, project management, and invoicing software, and is also interested in machine learning and semiconductors. In his spare time he enjoys guitar, badminton, and photography.