How can digitisation prepare your organisation for GDPR?
Written by: Kellie Heinze
Publish Date: Oct 14, 2017
Read time: 8 minutes
The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. It is a hugely important change in privacy legislation, covering both data controllers and data processors. The GDPR applies to all processing of the data relating to data subjects residing in the EU – even if the organisation processing the data is not in the EU. Essentially it protects the rights of EU residents as “digital citizens” on a worldwide basis no matter where their data is processed; in effect, this makes it the first global data protection law.
Infringements can potentially result in fines of up to €20M or 4% of the company’s global annual revenue; in addition, any person who has suffered damage as a result of an infringement of the GDPR has the right to receive compensation.
The clock is ticking and this article identifies the risks of GDPR and highlights how digitisation can assist in moving you towards compliance.
What are the risks of GDPR?
With the implementation date approaching, the question on everyone’s mind is simple: what are the risks and how will they impact my organisation? We have highlighted some of the standout risks that can be addressed with digitisation and have offered solutions that will enable you to prepare more efficiently.
Outsourcing your customer files
If you don’t store files locally or within your organisation, you may be putting personal data at risk. As a business, you can’t be sure that standards of security are being maintained at every branch. With distributed records, it also becomes a problem to respond to subject access requests, as this can become an expensive and time-consuming process.
Solution: Branch data cleanse
- Audit to assess the state of the filing estate.
- Securely collect filing from every branch nationwide and return to the processing centre.
- Categorise filing based on retention policy.
- Digitise, destroy or archive.
- Provide record inventory of archived records.
You need to know what’s in your archived records
If you don’t know what is in your archived records, responding to subject access requests will be next to impossible. Under the GDPR, subject access requests are free and must be fulfilled within one month. Individuals have the right to erasure and rectification; it will be extremely difficult to fulfil this if you don’t know what records you hold for an individual.
Solution: Physical record inventory
- Create an inventory of physical records already in storage.
- Align content with retention periods and destroy old records.
- Enables a quicker and more cost-effective response to data subject requests for access, rectification and erasure.
- Enables scan-on-demand services to be provided for faster subject access request responses.
Updating and organising HR records
Every organisation has HR records stored, whether this is on-site or elsewhere. You should only keep personal data for as long as is necessary, and only for the purpose for which it was obtained. A typical HR record contains information that falls under different retention policies. This is expensive to manage with paper records, and many companies have scanned each HR record as a single PDF.
Solution: HR record digitisation & retention policy management
- Scan and index HR records if you hold them in paper.
- Store electronic records in a DMS that supports section level access control and retention policy management.
- Use intelligent capture to classify records that have already been scanned at page level.
- Delete leaver records.
Be aware of personal data via email in clear text
You shouldn’t send or receive personal information via email in clear text. Sending an unencrypted email containing sensitive data represents a “high risk to the rights and freedoms of the individual” and would be in breach of Article 5.1. This is especially sensitive when emails contain scanned documents.
Solution: Customer portals & encrypted email
- Replace email communications with encrypted methods.
- Customer portals/apps with an encrypted upload of information are best.
- Encrypted email is an option, but it is difficult for customers to engage with.
At EDM Group we understand that when you’re preparing for GDPR, you can’t afford to take any risks. That is why our solutions are audited and accredited, focusing on experience, security and scalability. If you’d like to learn more about EDM Group and our digitisation services, find out more here.