In a recent post, we offered an overview of the General Data Protection Regulation (GDPR), the European Union’s sweeping new regulatory framework for the protection of personal data. To be implemented in May 2018, the GDPR imposes new obligations on businesses – anywhere in the world – that collect personal information from individuals residing in the EU, or that use or process such personal information.
Here, we’ll take a closer look at some of the GDPR’s specific mandates for how the personal data of EU residents is handled, and what that will require of your organization in managing any and all documents that may contain such personal data.
In keeping with its objective of giving control of their personal data back to EU residents, the GDPR specifies a variety of new or expanded protections. These include:
- Easier access for individuals to their own personal data
- The right to rectify and remove data, including the so-called “right to be forgotten”
- Data portability – the individual’s right to transfer his/her personal data when changing service providers
- Clear consent from the individual – an “opt-in” approach – required in order to collect, store, and process personal data
- Access to more and clearer information about how personal data is processed
- Limits on the use of automated processing of data to make decisions, e.g. through profiling
- Stricter safeguards for the transfer of personal data outside the EU
- The right to notification if personal data is compromised
Complying with these requirements could be a daunting challenge for your company, if it targets consumers in any of the 28 countries that make up the European Union, or plans to.
The challenge is compounded by the explosive growth in overall data creation (163 zettabytes of new data every year by 2025, according to IDC); by the scope of data that the GDPR considers personal, including online financial information, medical records, social-media posts and personal images; and by the sheer difficulty of discovering and tracking all of the personal data your organization currently holds.
Where’s our data?
The GDPR expects that, in order to avoid stiff penalties for noncompliance, organizations that maintain personal data will adopt a broad security strategy that includes monitoring and preventive controls. But beyond securing their IT infrastructure and taking inventory of their hardware, many organizations do not clearly understand what personal data is stored where, and who has access to it.
Business documents are a logical place to focus, since they typically store more than 60 percent of customer information – which means they likely contain personal data protected by GDPR. These are documents that appear as paper or digital files, which can be stored in a dizzying assortment of portable drives, file cabinets, personal files, shared folders and document-management systems.
New rules for the road
A handful of GDPR rules have direct, and specific, impact on how organizations treat their business documents. Key considerations are:
- Encryption and anonymization: Businesses need to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” of breach. Encryption is given as a specific example of such a measure. If documents are made unintelligible to unauthorized readers, the obligation to notify data subjects (individuals) about a breach can be eliminated.
- A rule of least privilege for data access: Under GDPR, data processing is only permitted for a limited and defined purpose. The most effective way to control this is by limiting access to personal data, ensuring that only the people who need the data are able to read and use it.
- No non-essential personal data: Similarly, the GDPR introduces the concept of ‘data minimization’: organizations should only store the personal data that is essential for their processing. This is also an effective way to reduce your organizational risk, by removing data that holds little or no value but remains your responsibility to secure.
- Increased transparency: Companies holding personal data are required to act transparently, to authorities and data subjects (individuals) alike. On an ongoing basis, you must report on and demonstrate your compliance with GDPR. In the event of a breach, you must notify the supervisory authority within 72 hours. In addition, within one month of a request, you must allow individuals to review the data you hold on them, free of charge.
In our next installment in this blog series, we’ll discuss strategies for making sure that your business documents meet these new GDPR demands. We will also examine technology solutions that can help any organization meet the GDPR requirements for secure capture, processing, management and storage of personal data.