Most organisations are in the process of readying themselves for the new General Data Protection Regulation (GDPR), which comes into effect in less than 100 days. The Zurich SME Risk Index has suggested that some of the UK's small and medium-sized enterprises (SMEs) will not be compliant on the GDPR implementation deadline, largely because of a widespread lack of awareness of whether they need a Data Protection Officer (DPO) or not.
Whilst many are thinking of hiring dedicated DPOs to inform and advise them, the reality is that if you are a public authority, or your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data, you simply won't have a choice in the matter: you must appoint a DPO by law.
Your DPO could be recruited internally or externally, but either way the pool is limited: a recent study published by the International Association of Privacy Professionals (IAPP) estimated that at least 750,000 DPOs will be needed worldwide.
And while expert knowledge of the new regulation is one thing, your DPO must also have professional experience of your business and of the data protection laws pertinent to it. The tech sector, for example, will need people with a background in information systems, computer science or information security, while legal firms will likely emphasise professional qualifications.
Added to the challenge of securing a DPO, he or she then has the pressing task of achieving GDPR compliance. So can you make your organisation more appealing by displaying a level of readiness now? The regulation requires organisations to reliably locate and manage all personal data held in the various documents and emails spread across disparate systems, network folders and, sometimes, still in paper-based storage.
This throws up the following questions, which a prospective DPO may well ask you in order to understand the complexity of the task potentially facing them:
- Can you quickly locate all the documents, emails and phone call recordings relating to a given customer or employee?
- Are they all stored in one central location?
- Do you know how many copies of the data exist?
- What about paper records: if you have these, how do you plan to provide them electronically, and within the required time-frame?
- Can document access be restricted to authorised employees, to stop company documents getting into the 'wrong hands' and putting the company at risk of a security breach?
If the answers to the above questions aren't clear, and don't come with a resounding yes, the role of the Data Protection Officer will realistically not be a straightforward one, especially without the right tools. So is an automated Document Management System (DMS), which stores, manages and tracks electronic documents and electronic images of paper-based information, a critical part of the DPO toolbox? We believe it will enable your DPO to meet GDPR compliance requirements in three key ways:
Document access control
Under the GDPR, individuals have the right to access their personal data. So what does this actually mean in reality? Firstly, the information must be provided to the individual free of charge, in a concise and intelligible form, and within one month of receipt of the request (extendable by a further two months only for complex or numerous requests); where the request is made electronically, the copy should normally be supplied in a commonly used electronic form. Secondly, individuals will have the right to data portability, which means that, where processing is automated and based on their consent or a contract, they can move, copy or transfer their personal data easily and securely from one IT environment to another.
Using a document management system means all files are stored in one place, and finding the relevant ones is a much simpler and more efficient process. In addition, all user actions within a DMS leave an audit trail and deletion is controlled and logged rather than left to chance, providing confidence that the right data can easily be located, retrieved and sent on within the set timescale in an approved format.
The GDPR also introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. A DMS audit trail shows which documents were accessed, by whom and when, which is exactly the information such a report needs; establishing the same facts for paper documentation scattered across various locations is far harder, and often impossible within the deadline.
Retention and consent
Compliance, together with nurturing a data protection culture and creating and integrating new policies, procedures and processes, is also a huge part of the DPO's role. Under the GDPR's storage limitation principle, organisations should only keep personal data for as long as is necessary for the purpose for which it was obtained; an unsuccessful applicant's CV, for example, should be destroyed once the recruitment process is over and any justified retention period has elapsed.
Consent rights have also been strengthened for individuals. Organisations must not only be able to prove they obtained permission from an individual to store and use their data, but also be able to send electronic copies of their records on demand. This will be a difficult ask without the right management systems in place. An effective DMS can help maintain best practice across the business by flagging documents for deletion when their retention period expires.
The GDPR also talks about 'privacy by design' (in the text of the regulation, data protection by design and by default), whereby data protection is hardwired into the processes and behaviours of the organisation. A DMS can help the DPO ensure everyone is working to the same procedures, as well as ensuring that staff only have access to the information required to do their job.
With or without a DPO on board, preparation for GDPR is a company-wide responsibility; it does not reside solely in IT, Finance or the HR department, for example. Deploying the right systems and the correct expertise now will go a long way to helping your business manage personal data and comply with the forthcoming regulation across your entire organisation, and at the same time avoid the threat of hefty fines, which under the GDPR can reach 4% of annual global turnover or €20 million, whichever is higher.
Dean McGlone is sales director at V1