How can a digital mailroom help with GDPR compliance?
Written by: Tim Myatt
Publish Date: Apr 16, 2019
Read time: 8 minutes
For anyone responsible for data law compliance, May 2018 was a busy month. From security stress testing, through to the cleansing of mailing lists, organisations saw a flurry of activity in preparation for the arrival of an entirely new data protection framework. The General Data Protection Regulation (GDPR) had finally been implemented.
Even if your GDPR implementation efforts ran relatively smoothly, it is important to remember that compliance is an ongoing process. For any large organisation, there is an ongoing obligation to identify potential compliance weak spots and implement measures to address them.
Highly regulated organisations are increasingly realising the benefits of a digital mailroom. The promise of simplified compliance and improved data safeguarding are big drivers in favour of adoption. Here, we take a closer look at how a digital mailroom can help you achieve continued compliance.
A digital mailroom: How it relates to GDPR
Running to 99 Articles, GDPR is a lot for any enterprise to distill. But at its core, it affects organisations in three main ways:
- The individuals whose data you process must be given the ability to exercise the new and enhanced data rights set out in the legislation. This includes the general subject access right (SAR), the “right to be forgotten” and the right to “data portability”.
- As was the case under the previous Data Protection Act, there’s a general duty to have appropriate data security measures in place. For the first time, however, GDPR ushers in a legislative requirement for businesses to adopt a “privacy by default and design” approach. Rather than treating privacy as an afterthought or ancillary concern, it must now be effectively hardwired into new processes and activities right from the design stage.
- There is a strong emphasis on accountability. New data governance obligations include mandatory security breach reporting, privacy impact assessments (PIAs) and more detailed rules on internal record keeping.
Much of the commentary surrounding GDPR focuses on the growth of the digital marketplace. That said, nearly a quarter of UK organisations receive between 2,000 and 5,000 items of inbound mail each month. From clinical notes through to credit assessment forms, this can represent some of the most sensitive personal data processed by the organisation — exactly the type of information that the architects of GDPR are most anxious to protect.
The mailroom has traditionally been the hub for the processing of this data, and it is here that significant security and privacy issues can arise. Documents routinely go astray: they are not matched with their correct files in time or at all — or they end up in the wrong hands. The upshot of this is that, from a compliance perspective — especially in light of GDPR — the mailroom represents a significant weak point.
EDM’s Digital Mailroom gets to the heart of this problem. Through it, all inbound information — both digital and physical — is subject to the same process flow. Physical documents are scanned and all information is categorised using intelligent classification software. Allocation, storage and archiving are all handled by the same system.
For GDPR compliance, this helps on two fronts:
- It substantially reduces the security and privacy risks inherent in a traditional mailroom set-up.
- It assists in your wider compliance strategy, making it easier for data subjects to exercise their data rights and enabling better management of your data governance obligations.
Areas where digital mailroom enables GDPR compliance
Subject Access Rights
The old regime allowed organisations to levy admin fees for data access requests. GDPR now requires that you supply this information for free in most instances — and within 30 days of the request being made.
The data relevant to such a request might include forms, contracts and communications in various formats, scattered across multiple locations. Responding to requests can be time-consuming and your compliance risk is twofold:
- You fail to establish what personal data you hold on an individual and this causes you to provide an incomplete or misleading data record.
- You are unable to respond to the request in time or at all.
With a digital mailroom, all documents and communications containing personal data are fed into a single information management system. From here, they can be matched automatically to their correct file (for example, a customer record or HR file). SLAs can be applied at document level, ensuring inbound communications are prioritised in accordance with the type of enquiry and therefore processed in a timely way.
For each individual who submits an SAR, you can tell at a glance precisely what information you hold on them. What’s more, where that data exists in physical form, the integrated archiving process means you can see where it resides.
All this means that dealing with voluminous, complicated requests becomes a lot easier. You can be sure that the information you provide data subjects is accurate — and complying within the time limits becomes much less of a resource burden.
Erasure and data portability
Data subjects can, under certain circumstances, request that their data be deleted or transmitted directly to them or to a third party. But these are not absolute rights, and if a request for erasure or transfer is received, organisations need to assess whether, and to what extent, such a request is appropriate.
A digital mailroom enables clear and systematic categorisation of documentation. If a previous client requests deletion of all records, you can instantly identify the documents suitable for erasure — along with those that you need to hold on to (for example, in accordance with HMRC or FCA requirements).
Organisations are under a duty to observe the principles of data minimisation and storage limitation. They must ensure that personal data is only processed where necessary for the intended purposes, and it should only be stored for as long as it is needed.
A digital mailroom can assist on both of these fronts. Automatic categorisation of documents can help to identify those sources of data that are required for specific processing purposes, and those that are surplus to requirements. You can also define set timescales for automatic deletion of both digital and physical records and align this with your organisation’s retention policies.
Data security and privacy
A digital mailroom can strengthen your organisation’s security and privacy stance in multiple ways:
- Risk mitigation - GDPR demands that you adopt a risk-based approach to security, and a digital mailroom directly addresses significant mailroom risks (for example, document loss, destruction and incorrect allocation) that can directly impact the “rights and freedoms” of individuals. Adoption of this technology helps you demonstrate that you have considered these risks and have implemented “appropriate” measures to address them.
- Supporting the use of security tools and techniques - GDPR specifically refers to encryption and pseudonymisation as possible ways for organisations to reduce security risks. A digital mailroom supports this by enabling secure encrypted digital storage via EDM online.
- Designed to support compliance - When introducing any new product, service or process, you must assess to make sure that it enables you to fulfil your data protection obligations, taking into account the principles of data protection by design and default. EDM’s Digital Mailroom has been designed with data protection in mind and comes with comprehensive compliance assurance.
To find out how our Digital Mailroom solution can help your business’ ongoing GDPR compliance, request a free health check (worth £1000) with EDM today.