How can a document management solution help with GDPR compliance?

Updated August 2018.

When the General Data Protection Regulation (GDPR) came into force on 25th May 2018, businesses faced the biggest shake-up of data protection laws for 20 years. Those who don’t comply risk facing hefty fines.

If you haven’t already done so, it’s a good idea to review the technologies used in your business and decide whether they are fit for purpose in helping your business to comply. This is where a document management solution (DMS) can significantly help with GDPR compliance.

If you are not already aware, a document management solution stores, manages and tracks electronic documents and electronic images. Through the use of document scanning, paper-based information can also be captured and managed in the same way. Utilising a DMS will then enable you to control and organise documents across your entire organisation.

When reviewing how you currently work, you should ask yourself these questions:

  • What is the nature of the documents you hold?
  • Do they include personal identifiable information?
  • Can you easily find documents?
  • How long does it take?
  • Is it all in one location?
  • Are you confident that you’ve got it all?
  • Do you know how many copies exist?
  • Can document access be restricted?
  • Could documents get into the ‘wrong hands’?
  • Are you easily at risk of a security breach?

If we look at the key elements of the GDPR rules, you can see how a document management solution will help you to address each of them.

The right to be forgotten: Under the new rules an individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

If you can’t find this information in your paper documents, then how are you going to comply with the GDPR?

Under this element it is important that you ask yourself: How long would it take you to find information stored in paper files? Do you know how many copies exist? Who has had access to the files? Do you even know where the information is? Are these files in the building or are they in storage? Are you even sure you still have them? All of this searching of paper files, or unstructured electronic files for that matter, is incredibly time-consuming, difficult and costly.

Through the use of a document management solution, requests such as these can easily be addressed and completed in a timely fashion. All files are stored in one location, and finding the relevant files is a much simpler and more efficient process, so you can be confident that all files can be found and erased, thereby ensuring GDPR compliance.

Privacy by design: Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design and during the maintenance of information systems and their mode of operation. Training employees must therefore be an essential step in achieving this.

A document management solution will help ensure everyone is working in the same manner and to the same procedures. It will also demonstrate compliance by evidencing all communications and involvement an organisation has had with an individual, controlling who has access to what information and data, providing clear audit trails of that involvement, and adding enhanced security for better document regulation.

Through strict privacy controls and configurable permissions, you can govern who has access to what data and what they can do with it. A document management solution can easily provide evidence showing that steps have been taken to ensure compliance.

The right of access: Under the GDPR, individuals will have the right to obtain access to their personal data, so that they are aware of and can verify the lawfulness of the processing. The information provided to the individual making the request must be done using “reasonable means” and within one month of receipt.

Being able to comply without the use of appropriate technology, such as a document management solution, may prove very difficult. However, by using a DMS, information is stored together in one setting, can be accessed quickly and easily, and can efficiently be sent to the individual exercising their right of access within the required timescale.

In addition to this, all user actions within a document management solution leave an audit trail, recycle bins can be included in system-wide searches and documents cannot be accidentally deleted. This provides confidence that all data can be located and easily passed on.

The right to data portability: This right allows individuals to move, copy or transfer personal data easily and securely from one IT environment to another. Should a customer wish to leave for a competitor, their data would need to be made freely available to the new firm within one month of the request. The use of a document management solution will ensure you are able to comply with this element within the required timescale. You will also be confident that all the information will be located, easily retrieved and available to send on in an approved format.

Breach notification standards: Under the new GDPR rules, organisations are required to disclose any personal data breaches to their Supervisory Authority (SA) within 72 hours of detection. Where the risk to the rights and freedoms of an individual is “high”, the individual must also be notified.

In the event of a data breach, a document management solution will enable you to easily identify what was affected and report it immediately. If an organisation is still using paper records, this is nearly impossible to do, especially if files are stored in various locations.

With privacy at the forefront of the GDPR rules, you can ensure data is not accessed by mistake and is always stored in a highly secure manner, thus eliminating loss, damage or even theft.

Data Retention: Although the GDPR rules do not set out any specific minimum or maximum periods for retaining personal data, they do state: “Personal data must be kept in a form such that the data subject can be identified only as long as it is necessary for processing.”

An organisation will have to review their retention policies according to their own industry rules and business requirements. How long you should keep personal data depends on the purpose for which it was obtained and its nature. However, personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used.

A document management solution will enable you to securely delete information, or the relevant part of it, that is no longer needed, in line with the new rules.
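The controls the article attributes to a DMS (per-user permissions, an audit trail of every action, a recycle bin that system-wide searches still cover, subject lookup for access and erasure requests, and retention-based deletion) can be shown together in a small model. The code below is an added example and is not YourDMS or Invu code; the users, permissions, documents and dates are constructed for illustration, and the two-step erasure (recycle bin, then purge) is one design choice for "documents cannot be accidentally deleted", not a description of any particular product.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Document:
    doc_id: str
    subject: str          # data subject the record is about (constructed)
    content: str
    created: date
    retention_days: int   # how long the stated purpose justifies keeping it
    in_recycle_bin: bool = False


@dataclass
class AuditEntry:
    when: date
    user: str
    action: str
    doc_id: str
    allowed: bool


class DocumentStore:
    """Single store: every document lives here and every action is logged."""

    def __init__(self, permissions):
        # permissions: {user: set of allowed actions}; a constructed policy
        self.permissions = permissions
        self.docs = {}
        self.audit = []

    def add(self, doc):
        self.docs[doc.doc_id] = doc

    def _authorise(self, user, action, doc_id, when):
        # Denied attempts are logged too, so the trail shows who tried what
        allowed = action in self.permissions.get(user, set())
        self.audit.append(AuditEntry(when, user, action, doc_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} is not permitted to {action} {doc_id}")

    def read(self, user, doc_id, when):
        self._authorise(user, "read", doc_id, when)
        return self.docs[doc_id].content

    def find_subject(self, subject, include_recycle_bin=True):
        """System-wide search; the recycle bin is searched so nothing is missed."""
        return sorted(d.doc_id for d in self.docs.values()
                      if d.subject == subject
                      and (include_recycle_bin or not d.in_recycle_bin))

    def subject_access_request(self, user, subject, when):
        """Right of access / portability: collect everything held for export."""
        export = {}
        for doc_id in self.find_subject(subject, include_recycle_bin=False):
            self._authorise(user, "read", doc_id, when)
            export[doc_id] = self.docs[doc_id].content
        return export

    def erasure_request(self, user, subject, when):
        """Right to be forgotten: move the subject's documents to the recycle
        bin; a single action never destroys data outright."""
        moved = []
        for doc_id in self.find_subject(subject, include_recycle_bin=False):
            self._authorise(user, "erase", doc_id, when)
            self.docs[doc_id].in_recycle_bin = True
            moved.append(doc_id)
        return moved

    def retention_sweep(self, user, today):
        """Purge documents past their retention period or already binned."""
        purged = []
        for doc_id, doc in list(self.docs.items()):
            expired = today >= doc.created + timedelta(days=doc.retention_days)
            if expired or doc.in_recycle_bin:
                self._authorise(user, "purge", doc_id, today)
                del self.docs[doc_id]
                purged.append(doc_id)
        return purged

    def access_history(self, doc_id):
        """Who touched a document, when, and whether they were allowed to."""
        return [(e.when.isoformat(), e.user, e.action, e.allowed)
                for e in self.audit if e.doc_id == doc_id]


def demo():
    # Constructed users, permissions and records; a clerk may only read
    store = DocumentStore({"clerk": {"read"}, "dpo": {"read", "erase", "purge"}})
    store.add(Document("inv-001", "j.smith", "invoice 2017", date(2017, 3, 1), 365))
    store.add(Document("ltr-002", "j.smith", "complaint letter", date(2018, 6, 1), 730))
    store.add(Document("inv-003", "a.jones", "invoice 2018", date(2018, 5, 2), 365))
    today = date(2018, 8, 15)
    sar = store.subject_access_request("clerk", "j.smith", today)
    try:
        store.erasure_request("clerk", "j.smith", today)
        clerk_denied = False
    except PermissionError:
        clerk_denied = True
    erased = store.erasure_request("dpo", "j.smith", today)
    purged = store.retention_sweep("dpo", today)
    return {"sar": sar, "clerk_erase_denied": clerk_denied, "erased": erased,
            "purged": purged, "remaining": sorted(store.docs),
            "history": store.access_history("inv-001")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the clerk's denied erasure attempt sitting in the audit trail next to the DPO's permitted one, and the sweep removing both the binned documents and the 2017 invoice whose one-year retention had lapsed, while the unrelated 2018 invoice is left untouched.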

YourDMS has over 10 years of experience with working the Invu Document Management Solution and is a Microsoft Cloud Partner. Book a consultation today to discuss your Document Management needs and let’s talk.