GDPR came into effect in May 2018. It changed how businesses and public sector organisations may handle their customers' personal data. It expands the rights of individuals to control how their personal data is collected and processed, and places a range of new obligations on organisations to be more accountable for data protection. Read on to find out more about GDPR and how the use of a document management system such as FileDirector can help you.
What is GDPR?
GDPR is the General Data Protection Regulation, a regulation that requires organisations to protect the personal data and privacy of individuals in the EU for transactions that occur within EU member states; non-compliance can cost companies dearly. It standardises data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personal data (often referred to as personally identifiable information, or PII, although the regulation itself uses the broader term "personal data"). It also extends the protection of personal data and data protection rights by giving control back to EU residents.
Who does the GDPR apply to?
The GDPR applies to 'controllers' and 'processors'. The definitions are broadly the same as under the DPA: the controller says how and why personal data is processed, and the processor acts on the controller's behalf. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities, and you have significantly more legal liability if you are responsible for a breach. If you are a controller, you are not relieved of your obligations where a processor is involved: the GDPR places further obligations on you to ensure your contracts with processors comply with GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour.
Under GDPR, the data protection principles set out the main responsibilities for organisations. Below are the 7 privacy principles which form the fundamental conditions organisations must follow when collecting, processing and managing the personal data of individuals in the EU. Article 5 of the GDPR requires that personal data shall be:
Lawfulness, fairness and transparency – "a) processed lawfully, fairly and in a transparent manner in relation to individuals;" – personal information collected to deliver a good or service must be collected lawfully and fairly, and individuals must be told what their personal information will be used for. Personal information may only be collected on one of the lawful bases the GDPR recognises (consent is one of them, alongside performance of a contract, a legal obligation, legitimate interests and others); where you rely on consent, a record of that consent must be kept
Purpose limitation – "b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;" – personal information may only be collected for a specific and legitimate purpose and not used for a new, incompatible purpose (unless a lawful basis, such as fresh consent, is obtained for the new purpose)
Data minimisation – “c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;” – the processing of personal information needs to be limited to what is necessary in order to achieve the processing purpose
Accuracy – “d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;” – personal information must be collected accurately and kept up to date in order to avoid risk to the individual. Inaccurate information must be erased or corrected without delay
Storage limitation – "e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and" – personal information may be stored only for as long as necessary in relation to the processing purpose, with the exception that it may be kept longer for scientific purposes and/or archiving purposes in the public interest
Integrity and confidentiality – “f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” – holders of personal information are responsible for keeping it secure from internal threats such as unauthorised use, accidental loss and damage, as well as external threats such as cybercrime
Accountability – Article 5(2) requires that: "the controller shall be responsible for, and be able to demonstrate, compliance with the principles." – holders of personal information need to implement technical and organisational measures to ensure that processing activities are carried out according to the regulation, and to keep the evidence that shows this
The introduction of the 'accountability' requirement is perhaps the most significant advance since the Data Protection Directive 1995, and compels holders of personal information to be fully answerable for the way they collect, process and store it.
These 7 principles give an overview of the areas covered by the new regulation; however, they do not delve into the nuances of consent and the other articles of GDPR, nor the complexities of data flow mapping, lineage and coordination activities associated with implementing a programme to meet GDPR compliance.
What information does the GDPR apply to?
The GDPR's definition of personal data is more detailed than the DPA's and makes it clear that information such as an online identifier (e.g. an IP address) can be personal data. A wide range of identifiers can constitute personal data, reflecting changes in technology and in the way organisations collect information about people. Examples include:
Basic identity information such as name, address, email address and ID numbers
Web data such as location, IP address, cookie data and RFID tags
Profiling and analytics data
Sensitive personal data:
GDPR refers to sensitive personal data as "special categories of personal data". These categories are broadly the same as those in the DPA, but there are some changes; for example, the special categories specifically include genetic data, and biometric data where it is processed to uniquely identify an individual. Examples of special category data include:
Health and genetic data
Trade union membership
Biometric data (facial recognition, fingerprint)
Racial or ethnic data
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The GDPR provides the following rights for individuals:
1. The right to be informed - the right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data. The information you should supply about the processing of personal data must be:
concise, transparent, intelligible and easily accessible
written in clear and plain language, particularly if addressed to a child
free of charge
2. The right of access – the GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing. Information must be provided without delay and at the latest within one month of receipt. Under the GDPR, individuals have the right to obtain:
Confirmation that their data is being processed
Access to their personal data
Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
3. The right to rectification – individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible; you must also inform the individual about the third parties to whom the data has been disclosed, where appropriate.
4. The right to erasure – the right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
When the individual withdraws consent
When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
The personal data has to be erased in order to comply with a legal obligation
The personal data is processed in relation to the offer of information society services to a child
5. The right to restrict processing – under the DPA, individuals have the right to 'block' or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not to process it further. You may retain just enough information about the individual to ensure that the restriction is respected in future. You will be required to restrict the processing of personal data in the following circumstances:
Where an individual contests the accuracy of the personal data, you should restrict the processing until you have verified the accuracy of the personal data
Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual
When processing is unlawful and the individual opposes erasure and requests restriction instead
If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
6. The right to data portability – the right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies:
to personal data an individual has provided
Where the processing is based on the individual’s consent or for the performance of a contract
When processing is carried out by automated means
7. The right to object – where you process personal data for the performance of a task in the public interest or for your organisation's legitimate interests, individuals may object on "grounds relating to his or her particular situation", and you must stop unless you can demonstrate compelling legitimate grounds that override their interests. For direct marketing the position is stricter: you must stop processing personal data for direct marketing purposes as soon as you receive an objection, and there are no exemptions or grounds to refuse. Individuals have the right to object to:
Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
Processing for purposes of scientific/historical research and statistics
8. Rights in relation to automated decision making and profiling – the GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to the existing rights under the DPA. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR. Individuals have the right "not to be subject to a decision" when:
it is based on automated processing
it produces a legal effect or a similarly significant effect on the individual
You must ensure that individuals are able to:
obtain human intervention
express their point of view
obtain an explanation of the decision and challenge it
The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. You only have to notify the relevant supervisory authority of a breach when it is likely to result in a risk to the rights and freedoms of individuals – for example, where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. This has to be assessed on a case-by-case basis, and the assessment itself should be recorded, since you must be able to show why a breach was or was not reported.
How FileDirector helps comply with GDPR:
Using a document management system (DMS) can help with GDPR compliance. A document management system stores, manages and tracks electronic documents and electronic images of paper-based information captured through the use of a document scanner (our sister company Scanner Superstore sells scanners from manufacturers such as Canon and Brother). A DMS ultimately controls and organises documents throughout an organisation. One of our most popular document management systems is FileDirector. FileDirector considerably decreases the time taken to manage and access all of the information within an organisation, allowing you to become more efficient and productive while reducing costs. Security in any document management solution is vital, so FileDirector gives you control over document access, activity auditing, revision control, retention control, and automatic storage of documents and emails.
When it comes to fulfilling a subject access request under GDPR, FileDirector has a built-in web interface which allows documents to be shared securely through an online portal. This can be placed on a company website; providing the required documents is then a matter of uploading them for the requester and issuing them a one-time login. Two practical points: verify the identity of the person making the request before anything is released (the GDPR allows you to ask for this where you have reasonable doubts), and send the login details over a different channel from the portal link, so that a single intercepted message does not give access to the documents. Documents could instead be sent by post or email, but this is less secure, more costly and not a good long-term solution for sharing thousands of documents.
The right of access – under the GDPR, individuals have the right to obtain access to their personal data, so that they are aware of and can verify the lawfulness of the processing. The information must be provided to the individual making the request using "reasonable means" and within one month of the request. Compliance without the use of appropriate technology, such as a DMS, may prove difficult. By using a document management system such as FileDirector, information stored together in one place can be accessed quickly and easily and efficiently sent to the individual exercising the right of access within the set timescale. All user actions within FileDirector are recorded in audit trails, deleted items go to a recycle bin, documents can be included in system-wide searches and cannot be accidentally deleted; this gives confidence that all the right data is located and can easily be passed on. At the point of scanning, key index fields can be captured from a document: information such as order numbers and dates, as well as personal information such as date of birth, names and addresses, can all be indexed to allow easy but controlled access to customer documents. FileDirector makes this straightforward by allowing hundreds of documents to be compiled through simple searches on index fields, which can then be sent to the person making the request.
Privacy by design – privacy by design is an approach that builds privacy and data protection into systems and processes from the outset. Data controllers must put technical and organisational measures in place to minimise personal data processing, such as pseudonymisation (separating data from its direct identifiers so that it cannot be linked to an identity without additional information that is held separately, under its own access controls). Using FileDirector can help ensure everyone is working in the same manner and to the same procedures, and can demonstrate compliance by evidencing all communications and involvement with a client as well as controlling who has access to what data, backed by clear audit trails. Configurable permissions govern what data users can access and what they can do with it. Should the regulator require evidence, a DMS can readily provide it, showing that steps have been taken to ensure compliance. FileDirector allows you to assign individual users or departments to groups, giving them permission to view or edit particular documents.
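The pseudonymisation described above, as an added worked example in Python (this is not FileDirector code and not code from the original page). It assumes a small set of constructed customer records with assumed field names, uses HMAC-SHA256 under a secret key as the pseudonymisation function, and keeps the token-to-identity lookup table as the "additional information held separately". It also shows the mistake a practitioner most often makes here, an unkeyed hash of a low-entropy identifier, and why it is not pseudonymisation in any useful sense, plus how deleting the lookup entries honours an erasure request without touching the working data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people and orders); the field names are
# assumptions for this example, not FileDirector's index fields.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1980-01-02", "order_no": "A-1001", "total": 42.50},
    {"name": "Bob Example", "email": "bob@example.com", "dob": "1975-11-30", "order_no": "A-1002", "total": 19.99},
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1980-01-02", "order_no": "A-1003", "total": 7.00},
]

# Fields that directly identify a person; the rest (order number, amount) stay in clear.
DIRECT_IDENTIFIERS = ("name", "email", "dob")


def make_pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the identifier, truncated to
    128 bits. The same value always maps to the same token under the same key, so
    records about one person can still be linked and counted, but the token cannot
    be reversed or guessed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(value: str) -> str:
    """What NOT to do: an unkeyed hash of a low-entropy identifier (email, name, date
    of birth) is recovered by guessing, as guess_identifier below demonstrates."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:32]


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return (working_set, lookup).

    working_set: copies of the records with direct identifiers replaced by tokens;
                 this is what the bulk of the organisation works with.
    lookup:      token -> original value. This is the 'additional information held
                 separately' in the GDPR definition: store it (and the key) apart
                 from the working set, under its own access control and audit trail.
    """
    working_set, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for f in fields:
            token = make_pseudonym(rec[f], key)
            lookup[token] = rec[f]
            out[f] = token
        working_set.append(out)
    return working_set, lookup


def reidentify(record, lookup, fields=DIRECT_IDENTIFIERS):
    """Restore direct identifiers; only possible for whoever holds the lookup table."""
    out = dict(record)
    for f in fields:
        out[f] = lookup[record[f]]  # KeyError if the link has been erased
    return out


def forget(lookup, record, fields=DIRECT_IDENTIFIERS):
    """Honour an erasure request without rewriting the working set: removing the
    lookup entries breaks the link, so the order rows stay usable for statistics
    but can no longer be tied back to the person."""
    for f in fields:
        lookup.pop(record[f], None)


def guess_identifier(token, candidates, pseudonymiser):
    """Attacker's view: push each candidate identifier through the pseudonymiser and
    see whether it reproduces the token. Succeeds against unkeyed_hash; fails
    against make_pseudonym unless the attacker also holds the key."""
    for c in candidates:
        if hmac.compare_digest(pseudonymiser(c), token):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this with the lookup table, not the working set
    working, lookup = pseudonymise(RECORDS, key)
    print(working[0])                      # no name/email/dob in clear
    print(reidentify(working[0], lookup))  # original record restored via the lookup
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print(guess_identifier(unkeyed_hash("alice@example.com"), guesses, unkeyed_hash))  # recovered
    print(guess_identifier(working[0]["email"], guesses, unkeyed_hash))               # None
    forget(lookup, working[0])
    print(working[0]["email"] == working[2]["email"])  # linkage kept, identity gone
```

The design point is the separation: the working set plus the token gives nobody an identity, and the lookup table plus the key is the only route back. If the two live in the same system under the same permissions, the data is not meaningfully pseudonymised, however strong the hash.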
Breach notification standards – the GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk to the individuals affected, to notify those individuals without undue delay. Should a breach occur, a DMS such as FileDirector helps you establish quickly what was accessed, by whom and when, which is what the report has to contain and is nearly impossible to reconstruct when dealing with paper documentation in various locations. FileDirector's revision and access control features let you monitor who has accessed documents and what changes have been made, which streamlines the investigation. With GDPR also stressing privacy, a document management system can ensure data is not accessed mistakenly and is stored in a secure manner, removing the loss, damage and theft that paperwork is subject to.
If you need any more information on how FileDirector or one of our other document management systems could help you comply with GDPR, please contact us or call us on 01785 785 650 to chat to one of our experts.