Document Management with GDPR
With the European Union's (EU) General Data Protection Regulation (GDPR) taking effect on May 25, 2018, data privacy has a new meaning and a new global respect. GDPR sent many American companies scrambling to achieve compliance, because it imposes sweeping obligations on any business that handles the personal data of people in the EU, which may well include yours. In other words, GDPR compliance isn't just for EU-based companies.
The GDPR was established to protect the personal data of individuals in the EU and applies to any organisation that offers goods or services to those individuals or monitors their behaviour, wherever that organisation is established. There is no exemption based on location, company size or line of business, so any entity whose web presence serves EU users can be in scope. Fines for non-compliance can be severe: supervisory authorities can impose a fine of up to €20,000,000 or four percent of total annual worldwide turnover, whichever is higher. Any service offered to an EU resident, regardless of whether the service is free and of which country hosts its servers, has to play by the rules. For more information on the GDPR, see GDPREU.org.
A Major Difference
At issue are the major differences between the United States and the EU in the approach to collecting personal data. In the U.S., personal information is often collected as a matter of course, with only an 'opt-out' offered to consumers. By contrast, GDPR requires a lawful basis for every use of personal data, and where that basis is consent, it must be an affirmative 'opt-in' that clearly specifies what the data will be used for; a pre-ticked box or silence does not count. Privacy policies must match what is actually done with the data.
Once information is obtained, the EU data subject has the right to request that his or her data be erased, often called the right 'to be forgotten' (the right is not absolute, but you must be able to act on it when it applies). Incorrect information must be corrected upon request. These rights may seem simple enough, but when the same data is held in multiple locations, building a process that reliably finds and acts on every copy can be difficult. Keep in mind that GDPR covers paper records held in a filing system as well as electronic ones, so as an organization you need to know how GDPR will affect your paper documents. This is where a document management system (DMS) can help make your business GDPR-compliant.
A document management system manages, stores, and tracks electronic documents and electronic images. With document scanning, paper-based information can be captured and managed in a more secure and efficient way than a filing cabinet allows. You can use a DMS to organize and control documents across your organization, which supports your GDPR compliance effort.
With data breaches on the rise, businesses can't do without content security. As a business, you need to protect your company information and customer details. Be it company information, customer information, financial details, research, training material, intellectual capital, corporate secrets, or data on employee-owned (BYOD) devices, you need to make sure that your data remains secure both at rest and in transit.
Also, it's difficult for companies to know how many paper documents actually exist. Duplication on a photocopier, removal of documents from your office and insecure disposal of documents can all lead to several copies of the same document, which is a problem under GDPR: you cannot honour an erasure or correction request for copies you do not know about. Questions to ask yourself:
- What kinds of documents do you possess, and do they include personal information?
- Are you able to find documents easily?
- How long does it take to locate them?
- Are all of your documents stored in one place?
- Are you sure you have all the documents?
- Are you aware of the number of copies that exist for each document?
- Can your documents get into the wrong hands?
Here are three things to keep in mind with regard to document management and GDPR, courtesy of Create Ts and Cs:
Encryption – Ransomware that lands on an employee's machine can reach whatever that employee can reach, which could include staff records and customer bank details. A DMS that encrypts files on entry and stores them as controlled images protects those files against theft of disks, backups or exfiltrated copies, and Article 32 of the GDPR names encryption as an appropriate security measure. Be clear about what it does not do, though: encryption at rest does not by itself stop ransomware that runs under an authorised user's account, so it must be paired with tight access control and tested, offline backups. GDPR does not mandate a DMS; it requires security appropriate to the risk, and a DMS is one practical way to provide it.
Role-based access control – Under GDPR, you need to make sure that personal data is locked down not only from the outside world but also within the organization. Employees should not have access to all the information; access should be need-based. You don't need your sales manager to know your customer's bank details. With a DMS you can define rules that restrict who can open, edit or export each document, down to individual fields where the system supports it.
Retention control – As an organization, you also need to store personal data only for as long as it is needed for the purpose it was collected for (the storage limitation principle). GDPR does not fix the periods itself; you define a retention schedule per category of document, taking into account any legal obligations to keep records, and then you must actually delete on schedule. A DMS can record the category and creation date of each document, apply the schedule, and flag documents that are due for deletion.
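The following Python sketch is an added example, not code from the original article and not DocuServe's product; it shows the three controls above (role-based field access, retention flagging, and erasure or correction applied to every stored copy, including the "multiple locations" problem mentioned earlier). The role policy, retention periods, document identifiers and sample records are all assumed or constructed for the demonstration.

```python
"""Toy document registry: role-based field access, retention flagging, and
erasure/rectification across every copy of a data subject's records.
Added example; policy tables and sample data are assumed/constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed access policy: fields of a record each role may read.
# Roles not listed are denied entirely (deny by default).
ROLE_FIELDS = {
    "finance": {"name", "email", "iban"},
    "sales": {"name", "email"},   # sales never sees bank details
}

# Assumed retention schedule per document category. GDPR does not fix these
# periods; the organisation defines them per purpose (storage limitation).
RETENTION = {
    "invoice": timedelta(days=7 * 365),
    "marketing_consent": timedelta(days=2 * 365),
}

TODAY = date(2025, 1, 1)  # assumed "today" for the demonstration


@dataclass
class Document:
    doc_id: str
    category: str
    subject_id: str   # the data subject the record is about
    created: date
    location: str     # which store holds this copy (primary, archive, ...)
    data: dict


class Registry:
    """Index of every copy of every document, keyed by doc_id."""

    def __init__(self):
        self.docs = {}

    def add(self, doc):
        # Refuse documents with no retention period: they would never be flagged.
        if doc.category not in RETENTION:
            raise ValueError(f"no retention period defined for {doc.category!r}")
        self.docs[doc.doc_id] = doc

    def read(self, doc_id, role):
        """Return only the fields the caller's role is allowed to see."""
        if role not in ROLE_FIELDS:
            raise PermissionError(f"unknown role {role!r}")
        doc = self.docs[doc_id]
        return {k: v for k, v in doc.data.items() if k in ROLE_FIELDS[role]}

    def due_for_deletion(self, today):
        """Flag documents whose retention period has expired."""
        return sorted(d.doc_id for d in self.docs.values()
                      if d.created + RETENTION[d.category] <= today)

    def copies_of(self, subject_id):
        """Every copy, in every location, relating to one data subject."""
        return sorted(d.doc_id for d in self.docs.values()
                      if d.subject_id == subject_id)

    def rectify(self, subject_id, field_name, new_value):
        """Correction request: update every copy, return how many changed."""
        changed = 0
        for d in self.docs.values():
            if d.subject_id == subject_id and field_name in d.data:
                d.data[field_name] = new_value
                changed += 1
        return changed

    def erase(self, subject_id):
        """Erasure request: remove every copy wherever it is stored."""
        ids = self.copies_of(subject_id)
        for doc_id in ids:
            del self.docs[doc_id]
        return ids


def build_sample_registry():
    """Constructed sample data: one subject whose invoice sits in two stores."""
    reg = Registry()
    ada = {"name": "Ada Example", "email": "ada@example.invalid", "iban": "XX00 PLACEHOLDER"}
    reg.add(Document("inv-1", "invoice", "subj-42", date(2017, 1, 15), "primary", dict(ada)))
    reg.add(Document("inv-1-arch", "invoice", "subj-42", date(2017, 1, 15), "archive", dict(ada)))
    reg.add(Document("mc-7", "marketing_consent", "subj-42", date(2024, 3, 1), "primary",
                     {"name": "Ada Example", "email": "ada@example.invalid"}))
    reg.add(Document("inv-2", "invoice", "subj-99", date(2024, 5, 2), "primary",
                     {"name": "Bob Example", "email": "bob@example.invalid", "iban": "XX11 PLACEHOLDER"}))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.read("inv-1", "sales"))            # name and email only, no iban
    print(reg.due_for_deletion(TODAY))           # ['inv-1', 'inv-1-arch']
    print(reg.rectify("subj-42", "email", "ada.new@example.invalid"))  # 3
    print(reg.erase("subj-42"))                  # ['inv-1', 'inv-1-arch', 'mc-7']
    print(reg.copies_of("subj-42"))              # []
```

The point of the `location` field and the `copies_of` index is that an erasure request is only satisfied when the archive copy goes too; a DMS that does not track every copy cannot prove that. Note also that `add` refuses any document without a retention category, which is the simplest way to stop "keep forever" from becoming the default.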
How DocuServe document management can help with GDPR
As mentioned earlier, an efficient DMS can help you comply with the GDPR. That is where DocuServe's document management comes into the picture. DocuServe is a secure cloud-based content distribution and protection system designed to keep your digital content safe. DocuServe gives you control over your content right down to the document level. Because DocuServe is cloud-based, your documents, video, and other shared files are not left on the user's device, which makes it easy for you to withdraw and manage access and helps your organization's GDPR compliance.
DocuServe protects content by encrypting it between the application and the operating system and within the document itself. This addresses the GDPR principle that personal data must be processed securely and protected against unauthorised access at all times. With DocuServe, you can delete and remove data as and when required, which supports the right to erasure.
Other ways in which DocuServe ensures GDPR compliance include:
- Security (including mobile) at rest and in motion.
- The right to be forgotten by deleting or removing personal data on request.
- Privacy by design (data protection controls built into how documents are stored and shared, applied consistently by everyone in the organization).
- Data retention (securely delete information in part or in full, on schedule or on request).