Getting your documents and data under control is key to GDPR success
GDPR – a definition
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” http://www.eugdpr.org/
GDPR – what does this mean for you?
You don’t need to become a legal expert overnight to start making a difference. Simple guidelines are available from the ICO and are summarised below. And you can make a start by putting the right tools and approaches in place: improving how you handle data can reduce costs and improve productivity as well as support compliance.
There’s great advice and resources available on the Information Commissioner’s website with 12 steps highlighted below:
1. Awareness
Make sure key decision makers in your organisation know that the law around data protection is changing, and appreciate the impact on the organisation.
2. Information you hold
Document the personal data you hold, where it came from and who you share it with. An information audit is the ideal approach.
3. Communicating privacy information
Review your privacy notices and plan the changes needed in time for GDPR implementation.
4. Individuals’ rights
Check that your procedures cover all the rights individuals have. For example, how would you go about deleting personal data?
5. Subject access requests
Requirements are changing (shorter timescales, and in most cases no fee); review your procedures to ensure you can meet them.
6. Lawful basis for processing personal data
Look at how you process data, identify and document the lawful basis for each processing activity, and explain it in your privacy notice.
7. Consent
Review how you seek, record and manage consent, and whether existing consents meet the GDPR standard; refresh them if they do not.
8. Children
Decide how you will verify individuals’ ages and gather parental or guardian consent for processing children’s data.
9. Data breaches
Ensure you have the procedures in place to detect, report and investigate a personal data breach.
10. Data protection by design and data protection impact assessments
Work out how and when to apply the ICO’s guidance on privacy impact assessments in your organisation.
11. Data Protection Officers
Designate someone to take responsibility for data protection compliance and decide where this role sits in your governance structure.
12. International
If you operate in more than one EU member state, determine which lead data protection supervisory authority you come under.
Find the full information on 12 steps to take now for GDPR from ICO online: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Getting GDPR preparation under control
Understanding and controlling the documents and data held within your organisation is a key requirement. Since your organisation has been gathering and storing data since it began - whether this is job applications, sales enquiries, contracts or student records - a first step is to put tools in place that can quickly analyse large batches of documents. Automatically locating personally identifiable information and classifying it into groupings is far more efficient than manual, paper-based alternatives.
Neil Maude, general manager at Arena Group, explains: “You can start applying automated tools to new documents as they are created within your organisation or arrive in your mailroom, or retrospectively, whatever the size of your archive or working file systems. This is the first step to getting control of your existing body of information, however it’s currently stored. This can be an efficient way of taking control of your processes and getting a handle on the risks around the data you are already holding.”
One key test for compliance under the new regulation will be how an organisation enforces every individual’s right to erasure (the “right to be forgotten”), which is considerably more onerous under GDPR. Any organisation may be asked to delete all information relating to a particular individual. The right is not absolute (Article 17 lists exceptions, for example data the organisation is legally obliged to retain), but an organisation can only apply those exceptions to data it can actually find. Locating the data may be relatively easy within a specialist application such as a customer relationship management (CRM) or enterprise resource planning (ERP) system that manages some of your back-office functions. However, it will be highly labour-intensive, time-consuming or near impossible with the unstructured data and documents found in every organisation.
Paper records would need to be located and checked by eye, whether they relate to employee records, applications, correspondence, financial transactions or general filing.
Email systems are searchable, but personal folders and the scope of the search risk being insufficient. Also, email attachments are not found by the mail system’s text search, especially attachments that are scanned images rather than electronic documents.
General file areas are difficult to search. They require either a slow one-off search or an expensive indexing process. Also, scanned information does not appear in the text index, and individuals’ personal stores of data and documents on local drives are easily omitted.
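To make the two points above concrete, here is an added example (the editor’s own illustration, not Arena’s mstore and not ICO material) of a minimal personal-data discovery sweep. It runs over a constructed set of files standing in for an HR share, a mailbox and general filing, finds email addresses and UK National Insurance numbers in searchable text, and handles an erasure-request lookup for one individual. It also reproduces the failure mode described for email: a scanned image attached to a message has no text layer, so a text search finds nothing in it, and the file is reported separately as needing OCR or manual review. The detection patterns are simplified assumptions, and all file paths, names and message contents are made up.

```python
# Added example: simplified PII discovery over constructed sample files.
# Not vendor code; patterns are illustrative, not production detectors.
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed, simplified patterns. UK National Insurance number: two letters,
# six digits, suffix A-D, optionally space-separated, e.g. "QQ 12 34 56 C".
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "uk_nino": re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
}

# Constructed bytes that merely look like a PNG header: a "scanned form".
FAKE_SCAN = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def build_sample_corpus():
    """Constructed files (path -> bytes) for an HR share, a mailbox, and filing."""
    msg = EmailMessage()
    msg["From"] = "jane.doe@example.com"
    msg["To"] = "admissions@example.org"
    msg["Subject"] = "Signed enrolment form"
    msg.set_content("Please find my signed form attached. Regards, Jane")
    msg.add_attachment(FAKE_SCAN, maintype="image", subtype="png",
                       filename="enrolment_form_scan.png")
    return {
        "hr/applications/2016_jane_doe.txt": (
            b"Applicant: Jane Doe\nEmail: jane.doe@example.com\n"
            b"NI number: QQ 12 34 56 C\n"),
        "mail/admissions/enquiry_0421.eml": msg.as_bytes(),
        "shared/minutes/board_2017-03.txt": b"Minutes: budget approved.\n",
    }


def extract(path, data):
    """Return (searchable_text, [(filename, content_type)] with no text layer)."""
    if not path.endswith(".eml"):
        return data.decode("utf-8", errors="replace"), []
    msg = BytesParser(policy=policy.default).parsebytes(data)
    text = " ".join(str(msg[h] or "") for h in ("From", "To", "Subject"))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content()
    unindexed = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text += "\n" + part.get_content()   # text attachments are searchable
        else:
            unindexed.append((part.get_filename(), ctype))  # needs OCR/review
    return text, unindexed


def scan_text(text):
    """Return {pattern_name: [matches]} for every pattern that hits."""
    return {name: pat.findall(text) for name, pat in PII_PATTERNS.items()
            if pat.search(text)}


def scan_corpus(corpus):
    """Pattern-scan every file; flag attachments a text search cannot see."""
    findings = []
    for path, data in corpus.items():
        text, unindexed = extract(path, data)
        hits = scan_text(text)
        if hits:
            findings.append({"path": path, "kind": "text_match", "matches": hits})
        for name, ctype in unindexed:
            findings.append({"path": path, "kind": "unindexed_attachment",
                             "attachment": name, "content_type": ctype})
    return findings


def locate_subject(corpus, identifiers):
    """Erasure-request lookup: (files mentioning the subject, files needing review).

    Whitespace is stripped before comparison so "QQ 12 34 56 C" also matches
    "QQ123456C". The second list is what a pure text search silently misses.
    """
    norm = lambda s: re.sub(r"\s+", "", s).lower()
    wanted = [norm(i) for i in identifiers]
    matched, needs_review = set(), set()
    for path, data in corpus.items():
        text, unindexed = extract(path, data)
        if any(w in norm(text) for w in wanted):
            matched.add(path)
        if unindexed:
            needs_review.add(path)
    return sorted(matched), sorted(needs_review)


if __name__ == "__main__":
    corpus = build_sample_corpus()
    for f in scan_corpus(corpus):
        print(f)
    print(locate_subject(corpus, ["Jane Doe", "jane.doe@example.com",
                                  "QQ 12 34 56 C"]))
```

The point of the second return value from `locate_subject` is the one the paragraphs above make: an erasure request cannot be closed on the strength of a text search alone while files with image or PDF attachments remain unreviewed.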
Effective tools, such as Arena’s mstore software, enable documents and data to be scanned, indexed and stored so that these processes become manageable and compliant ways of working.
Similarly, the GDPR’s changes to the rules on consent mean that gathering and recording consent to use personal contact details presents new challenges. It will no longer be sufficient to offer an opt-out from the use of personal contact data, as is common practice today. An organisation must ensure that consent is freely given, specific, informed and unambiguous, and that it can be withdrawn as easily as it was given.
To continue day-to-day operations, an organisation must be able to collect personal contact details while remaining compliant with GDPR. Arena’s mstore software offers a way to ensure that existing data can continue to be used after the 25 May 2018 deadline, by cleansing current databases so that data can continue to be used for specific, recorded purposes.
The ability to record that consent has been given for a specific purpose is also imperative. For example, when a business card is shared at a meeting or trade show, the task is to confirm and record what consent is and is not being given, and to hold that record in an auditable system so the consent can be proven.
The key message is to start acting now, to avoid reaching the May 2018 deadline without the right things in place to ensure compliance. “It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions…. This could have significant budgetary, IT, personnel, governance and communications implications.” ICO
Changing basic ways of working is no longer the preserve of forward-looking organisations adapting their processes to create an edge, reduce costs or increase productivity. Since no organisation is exempt from the data protection regulation and the fines for non-compliance are significant, GDPR is a driver for change and investment in every organisation. Any new technology should be introduced with data protection considered from the outset, since data protection by design and by default is itself an obligation under the regulation; it is therefore important to work with a technology partner that understands this.
However, the imposition of legal enforcement is balanced by the wider benefits an organisation can realise from making information and data more accessible and efficient to work with. Now is a golden opportunity for every organisation to become leaner in its workflows; and with how data is used and managed coming sharply into focus, strengthening defences also protects against costly fines and crisis management.
To find out more on how Arena are helping organisations prepare for GDPR, speak to your account manager or contact firstname.lastname@example.org.