Want to know more about GDPR? Check out this recorded webinar

Does the European Union’s new General Data Protection Regulation (GDPR) affect your organization?

If you collect, process, or use the data of individuals in the EU, it does – regardless of where your organization is located.

Why you should care

Organizations that don’t take the appropriate steps to protect personal data under GDPR can face fines of up to 20 million Euros, or four percent of their total annual revenue. Legally, non-compliance is an option only for organizations that never intend to offer goods or services to individuals located in the EU.

As is the case with other information-related regulations, technology is only part of the solution. After all, the best technology in the world will be useless if you have poorly designed processes or untrained workers. The keys to GDPR compliance are systems, people, and processes – all working together.

You also need to be cognizant of the fact that if the personal data your organization collects and manages flows beyond your firewalls to third parties like partners or cloud software providers, you can be held accountable. So it’s essential to make sure you understand and accept their compliance practices.

Data controller, processor, and subject – who is who?

Before we dive into the principles of GDPR, let’s take a quick look at how the new guidelines make distinctions between several entities, each with specific rights and legal requirements.

Data subjects are simply the people whose data is being collected. Data controllers are the organizations that initiate the collection with a specific purpose. Data processors are third-party services or software providers that facilitate the data gathering on behalf of data controllers.

The 7 principles of GDPR

Now let’s focus on the GDPR requirements. To understand them and maintain compliance, it’s helpful to know the seven key principles and how to manage them successfully:

1. Lawfulness, fairness, and transparency

This principle emphasizes transparency for all EU data subjects. When you collect data, it must be clear why you are collecting it and how you will use it. Also, you must provide details surrounding the data when a subject requests that information.

2. Purpose limitation

To begin with, you need to have a lawful and legitimate purpose for collecting and processing the information. Then, you must use that information solely for the purposes you have stated.

3. Data minimization

You must not collect any more data than necessary for your initial stated purpose. Modern organizations tend to collect every piece of customer data possible to better understand their purchasing behaviors and maximize customer value, so this is important.

Based on this principle, organizations must be sure they are collecting and storing only the minimum amount of data required for the stated and consented purpose.

4. Data accuracy

Data controllers need to ensure the information they have collected remains accurate, valid, and fit for purpose. To comply with this principle, your organization must have processes and policies in place to address how you will maintain the data you are processing and storing.

5. Storage limitation

At the end of the stated useful term, you need to either delete data or archive it in a form that no longer allows for identification. You also need to ensure control over the storage and movement of data. This means having data retention policies and technologies that prevent unauthorized duplication.

You must also have the ability to promptly delete or archive data at the end of its retention period, or when subjects request you to do so.

The best way to accomplish this is through fully automated records management system. The right solution will allow you to set and manage retention based on the document type or record level. It should also empower you to trigger retention based on regulatory requirements or a specific event or request.

Streamlining the retention and destruction of documents containing personal data enforces your corporate policies while eliminating penalties associated with accumulating expired records.

6. Integrity and confidentiality

To comply with GDPR, you must protect the integrity and privacy of personal information by making sure it’s secure. This extends to IT systems, paper records, and physical security – including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage. Any organization collecting and processing data is now solely responsible for implementing appropriate security measures that are proportionate to the rights and risks of individual data subjects.

To help, you can utilize an enterprise information platform that includes records management capabilities and uses powerful encryption tools to ensure critical information like personal data and documents are protected at every state: At rest, in use, and while in transit.

You can go even further with features like strict password policies and granular rights management that give you control over who can access information and what they can do with it.

7. Accountability

This principle places responsibility for compliance on the data controller. Controllers must implement appropriate technical and organizational measurements to ensure – and demonstrate – that their organizations are processing data in accordance with the new regulations. That means auditability of key data collection, processing, and management tasks.

This is where configurable workflow management and case management software solutions can really help by empowering you to track information about archived documents, provide reminders about upcoming audits, and automatically notify the appropriate parties of possible security breaches or data loss.

And, with automatic distribution of polices, digital confirmation by recipients, and reports that detail acknowledgements and delinquencies, your organization proactively complies with GDPR standards.

Sorry, no ‘magic app’

Currently, there is not a GDPR-compliant certification for software solutions. The effectiveness of any solution in helping you maintain compliance will depend largely on the robustness of the solution, how you configure and deploy it, and the processes and policies within your organization.

Information management technologies have long helped companies meet compliance requirements. In fact, given the exponentially growing volume of business data, it would be virtually impossible for a modern organization to maintain compliance manually, without the help of information management tools to track and automate key compliance tasks.

While there is no ‘magic app’ to make your organization GDPR compliant, a capable enterprise information platform can help you ensure that your processes and users are set up to reinforce compliance, rather than compromise it.

Ready to learn more? Check out our GDPR webinar recording today!

Dennis is an enterprise technology evangelist with over 15 years of experience in helping organizations improve business processes through better information management. In his current role as the Principal of Product Marketing at Hyland Software, Dennis helps connect modern information and process management technologies with the evolving needs of customers across a broad range of industries.
Dennis Chepurnov

Dennis Chepurnov

Dennis is an enterprise technology evangelist with over 15 years of experience in helping organizations improve business processes through better information management. In his current role as the Principal of... read more about: Dennis Chepurnov