General Data Protection Regulation (GDPR)
On the 25th of May 2018, the General Data Protection Regulation (GDPR) comes into force. The most immediate consequences of these EU regulations are that the document management systems for businesses, and especially HR, IT, and Finance departments, must have robust data protection mechanisms, as well as internal data monitoring and reporting systems.
The GDPR will affect organisations of any size, from UK-only SMEs to multi-national conglomerates. It doesn’t matter how big the business is: if data is held about EU citizens that can be used to identify individuals, then GDPR compliance must be assured. This also means that businesses operating outside the EU that collect and hold data on EU citizens must follow the GDPR too.
There is a vast variety of data types held in document and record management systems that can be used to identify an individual, and which therefore must be considered when ensuring GDPR compliance. What’s more, this variety is likely to grow as more data is gathered on the public.
- IP addresses
- Home addresses
- First and last names
- Financial details
The above list is not exhaustive, but simply a few of the most likely examples of personally identifiable data that is protected under the GDPR.
Any organisation that potentially holds any of the above identifiable personal data (and much more, as the list is long and growing) is possibly liable for massive fines if GDPR regulations are not carefully followed. As much as 4% of global revenues can be taken as fines if internal data protection, monitoring and reporting policies do not sufficiently follow GDPR legislation in the event of a data protection breach.
The GDPR also introduces a few other issues:
Time – After the GDPR is live, a data protection breach must be reported to the relevant authorities within 72 hours. Failing to do so can result in substantial fines. This could be difficult for many reasons; firstly, a business must have advanced data protection principles in place to even realise a breach has occurred, especially as there are a variety of breach types.
Accountability and Governance – The legislation requires businesses that are a public authority (except for courts), that carry out large-scale tracking of individuals, or that process large amounts of data relating to criminal offences to appoint a GDPR Data Protection Officer. Additionally, large companies will likely need to appoint a data protection officer to ensure that the internal data protection policy is sufficiently developed and maintained. There is no lower limit on size for appointment.
User consent, data availability and information requests – The GDPR makes it a requirement that businesses make available specific information about individuals to the individuals themselves. This could be an ex-employee changing their GDPR consent and making an information request that all information about them is deleted. Potentially, this could be a huge undertaking if the data is not properly catalogued and monitored, as log-in data, financial data from payroll, emails, and address data would all need to be readily accessible and easily deleted.
The GDPR is a very detailed and important piece of data protection legislation. It builds upon and greatly develops existing legislation, introducing much more substantial financial penalties for data protection breaches.
So, don’t leave it to chance – with our help you can rest assured that your Document & Records Management System (DRMS) will continue to serve your business, but now with an added layer of data protection and security through the GDPR compliance services that we offer.
At Advanced UK, we have over 25 years’ experience in the document solutions integration sector and are one of the longest-serving Xerox partners. Our decades of document management experience leave us well positioned to help ensure your internal DRMS offers robust data protection that satisfies GDPR regulations and avoids GDPR penalties. Contact us today to see how our innovative, safe, and secure document management systems can ensure your business maintains full GDPR compliance before May 2018.