EU GDPR: Are you prepared?
Which new compliance requirements does the EU GDPR place on your information management system? How can you fulfill them? You'll find the answers here.
Chart: Is your company prepared for the EU GDPR? (Source: SER study, ECM Insights, n = 1,826 CIOs, process managers and IT managers from companies in all industries with over €100 million in revenue)
What is the EU GDPR?
The EU General Data Protection Regulation (EU GDPR) is a new EU regulation that applies to companies in all EU member states. It harmonizes the rules under which companies and public authorities across the EU handle personal data.
Which penalties are possible in cases of non-compliance?
The introduction of the EU General Data Protection Regulation (EU GDPR) increases the liability risk for data breaches not only for companies, but also for business leaders, employees and internal data protection officers.
From May 25, 2018, a company that does not comply with the EU GDPR faces a penalty of up to 20 million euros or 4 percent of its total revenue, whichever is higher. What's more, those responsible for data protection can be held personally liable and face compensation claims and fines.
What kind of requirements will your company face?
- The right to erasure (Article 17, EU GDPR)
- The right to data portability (Article 20, EU GDPR)
- Security of processing (Article 32, EU GDPR)
The right to erasure (Article 17, EU GDPR)
Customers, employees and business partners have the right to erasure: they may demand that their personal data be deleted once there is no longer a legal obligation to retain it.
The right to data portability (Article 20, EU GDPR)
The right to data portability gives individuals the right to obtain their personal data from a contract partner and to transfer it to a different partner, for example when a new contract is concluded.
Security of processing (Article 32, EU GDPR)
The EU GDPR also stipulates that companies processing personal data must protect it from manipulation by means of appropriate technical and organizational measures.
Which company areas and processes does it affect?
Since customers, partners and employees have the right to access and correct their personal data, to withdraw consent, and to request deletion, companies need IT systems that can fulfill these requests. According to a recent Commvault study, more than half of companies do not know how long it would take them to locate personal data and respond to a request such as a deletion request; it may take several days. This is not surprising, given that millions of personal documents are often spread across several locations, for instance file servers, email mailboxes or the cloud. With a certified ECM system such as Doxis4, you can eliminate these information silos and manage personal data in a uniform, centralized and secure manner.
The EU GDPR also requires your company to implement a more comprehensive data policy. This enables your company to handle personal data in compliance with the EU GDPR and to fulfill the new requirements regarding transparency, documentation and reporting. Here a certified ECM system such as Doxis4 provides support throughout the process — from drafting, revising, releasing and enforcing the data policy, to accessing and storing data policy documents, to archiving them in an audit-proof way.
In light of the steep penalties for non-compliance, it is crucial that data processing is documented without gaps. This enables you to prove compliance, identify risks early, and react to security incidents effectively and lawfully. Doxis4 helps you fulfill these documentation requirements.
What you can do: Five ways to ensure compliance with the EU GDPR
Time is running out. Act now and avoid penalties when the deadline comes. Don't put off dealing with the EU General Data Protection Regulation. Here are five steps that will help you:
- Start investigating: Find out which personal data and documents exist in your company and where they are stored.
- Get rid of information silos and migrate all personal data to a centralized ECM system.
- Determine how personal data may be used and who can access it. After all, you have to be able to identify, release and, if requested, delete data at any time.
- Set up security and control mechanisms to prevent, identify and react to vulnerabilities and data protection breaches.
- Start storing the required documentation and manage data inquiries and notifications regarding data protection breaches.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. This includes names, mailing addresses, bank account details and social security numbers. Documents containing personal data include contracts, orders, invoices and emails.
According to a Trend Micro study, there is considerable uncertainty about which data counts as personal and therefore must be protected:
- In a survey of respondents in Germany, only 35 percent were certain that a customer's date of birth is classified as personal data.
- Furthermore, only 64 percent think that only a marketing database contains personal data.
- About 34 percent do not consider a customer's postal address to be personal data, and 23 percent do not regard an email address as personal data. These assumptions are, of course, wrong.
We can help you comply with the EU GDPR — with Doxis4!
A certified ECM system such as Doxis4 is a solid basis for complying with the EU GDPR. It enables you to store the personal data of your customers and business partners in a centralized and audit-proof manner, while also protecting it from manipulation or theft.
Delete personal data in a traceable way
Doxis4 lets you manage retention rules and deletion deadlines for personal data, such as contract data, automatically and traceably. It is also possible to place an indefinite deletion lock on a document. If the retention period of personal data is unknown, the EU GDPR-certified Doxis4 protects the personal documents from modification even though they have no retention deadline (Art. 32 – EU GDPR).
If customers or employees invoke their right to erasure (Art. 17 – EU GDPR), you can lift the deletion locks at any time once the legal retention period has ended. You can also be sure that data deletion is automated, complete and physically traceable.
Protect and transmit personal data
If needed, Doxis4 can also provide customers, employees and business partners with their sensitive personal data and documents in the structured, machine-readable format the EU GDPR requires (Art. 20 – EU GDPR). At the same time, you can prove who accessed or modified which personal data, and when.