In The Wild Ride Starts Now – Data Governance Challenges in the New GDPR I wrote about the need to get serious about the forthcoming European General Data Protection Regulation. May 2018 is just around the corner, and many organizations are simply not prepared.
According to the Digital Clarity Group, “The GDPR could be a mortal threat to your company’s existence — and it makes fundamental decisions about data collection, processing, and storage into key strategic business issues. An adequate response requires C-level (and even board-level) attention and involvement immediately.”
This is not a trivial statement! But where to start?
The Linklaters law firm has prepared two valuable core resources: a “GDPR Survival Guide” and a summary “at-a-glance brochure”. Check them out.
Linklaters notes, “The threat of fines of up to 4% of annual worldwide turnover or €20 million means data protection will need to be taken more seriously. There is a risk of taking this too far and chilling innovation….In the short term, privacy advice is going to need a little more thought, a good deal of pragmatism and a pinch of courage.”
Pragmatism and a pinch of courage. I like that.
Under the Regulation, you must not only comply with the six general principles, but also be able to demonstrate your compliance (in other words, provide documentation).
The six principles state that personal information shall be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and, where necessary, kept up-to-date.
- Retained only for as long as necessary.
- Processed in an appropriate manner to maintain security.
So far, so good. But let’s think about a few of the specific document and data challenges created by GDPR.
For example, “The Regulation largely preserves the existing rights of individuals to access their own personal data, rectify inaccurate data and challenge automated decisions about them. The Regulation also retains the right to object to direct marketing. There are also potentially significant new rights for individuals, including the ‘right to be forgotten’ and the right to data portability. The new rights are complex and it is not clear how they will operate in practice.” For purposes of the GDPR, any semantic differentiation between “data” and “content” is largely irrelevant.
Each organization must have a person or persons charged with guaranteeing compliance -- the data protection controller.
If you act as a data Controller, you must keep a record of the following information:
- your name and contact details and, where applicable, any joint controllers, representatives and data protection officers;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients, including recipients in third countries or international organizations;
- details of transfers of personal data to third countries (where applicable);
- retention periods for different categories of personal data (where possible); and
- a general description of the security measures employed (where possible).
- If you engage a data Processor, you must contractually ensure that THEY also do similarly.
And on and on. These are just a few examples.
If you ever needed a solid reason to deploy a document management solution – the GDPR is it. In fact, I argue that trying to comply with the complex requirements of the GDPR without automated processes is impossible. Whether all of this will actually do anything to improve privacy – technology marches on, after all – is a moot point.
Whether you are a European company or an organization that only has European customers, the basic assumptions governing document and data privacy and security are changing radically. Which means you need to get serious about digital document management.
Get a demo of DocuWare to see how running a faster, smarter business is within reach today.