In our most recent post in this series, we reviewed how the General Data Protection Regulation (GDPR) – the European Union’s sweeping new regulatory framework – strengthens the protection of personal data for EU citizens and residents. We looked at the GDPR’s specific mandates for how the personal data of EU-affiliated individuals is gathered, processed and stored, as well as what that requires of any organization whose documents may contain such personal data.
In this article, we’ll summarize the GDPR rules that directly affect the handling of documents, and show how key capabilities of document capture and workflow solutions can directly address the new rules.
Among the GDPR’s 99 articles and 173 recitals, a handful of rules bear directly on how organizations treat their business documents. These include:
- Encryption and pseudonymization: Article 32 requires businesses to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” to personal data. Encryption and pseudonymization are named in the article as examples of such measures, because an encrypted document (containing personal data) is unintelligible to anyone who does not hold the key. The same property matters after a breach: under Article 34, affected individuals need not be notified when the data was rendered unintelligible to unauthorized parties, for example by encryption.
- Purpose limitation and restricted access: Under Article 5(1)(b), personal data may be collected only for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes. In practice, that means limiting access to the people and systems that need the data for that purpose, which is the familiar principle of least privilege. Admittedly, this is easy to state and hard to do, because documents tend to circulate well beyond the process they were created for.
- No non-essential personal data: Similarly, Article 5(1)(c) introduces “data minimisation”: personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed, so organizations should neither collect nor retain personal data that the processing does not require.
- Increased transparency and accountability: Companies holding personal data are required to act transparently toward supervisory authorities and data subjects (individuals) alike, and under Article 5(2) they must be able to demonstrate their compliance on an ongoing basis. In the event of a personal data breach, Article 33 requires the controller to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals); failing to do so exposes the company to administrative fines.
Tools with a track record
Business documents are very likely to contain personal data that’s protected by GDPR, since they typically store more than 60 percent of all customer (and prospect) information. Fortunately, advanced document capture and workflow solutions – which have a proven track record of meeting similar challenges for document security, access, privacy, and transparency – are available.
Here are five key capabilities of these solutions that are well-suited to meeting the new demands posed by GDPR:
1. Digitalization: Getting documents out of paper and into digital files, which are more easily secured and stored in central repositories, is an essential first step toward GDPR compliance. Today’s capture and workflow solutions are capable of converting large quantities of documents to protected digital formats, quickly and efficiently.
The benefits for GDPR: Heightened security of documents (containing personal data), reduction in number of copies of a document, and secure transport of documents between users and offices.
2. Encryption: The best capture and workflow solutions make encrypting documents a fast, frustration-free process. For PDF, that means AES, 128-bit (available since PDF 1.6) or 256-bit (PDF 2.0, and Adobe’s extensions before it), never the legacy RC4 modes, together with permission settings that control the viewing, printing and modification of files. One caveat a practitioner should keep in mind: only the open (user) password is enforced by the cryptography. The print, copy and modify restrictions tied to the owner password are flags that a well-behaved viewer honors, and any tool that ignores them can strip them once the file is open, so they govern convenience rather than confidentiality. Password and key handling matters as much as the algorithm; a password sent in the same email as the document protects nothing. (Learn more in a Nuance white paper: “Use PDF Tools for More Secure Document Workflows.“)
The benefit for GDPR: Documents can be secured throughout a business process or workflow, to ensure personal data is protected every step of the way.
3. Content screening: When documents are shared electronically, between and among employees and business partners, the risk of GDPR non-compliance soars. Capture and workflow solutions address this risk by screening documents to validate the sender and recipient; and by searching content for keywords, phrases, and patterns, as well as attributes and barcodes. Documents deemed to be at risk are quarantined, and notifications are sent to the sender, supervisor and security.
The benefit for GDPR: Directly supports purpose limitation and restricted access (the least-privilege rule above), since personal data only travels to the people and partners who should receive it.
4. Redaction: Advanced capture and workflow solutions automate the redaction of personal data. Documents sent electronically – whether by email, or through a networked printer or copier – are monitored for personal data. When it is identified, the personal data is automatically redacted, and the redaction events are stored and logged for further monitoring. Two points matter in practice. True redaction removes the text from the file: drawing an opaque box over it leaves the original in the content stream, where a copy-and-paste or text extraction recovers it. And whatever is retained from the redacted content is itself personal data; a log that stores the removed values verbatim needs the same access controls and retention limits as the original document, which is why many deployments log only the type and position of each match, or a keyed fingerprint of the value, rather than the value itself.
The benefit for GDPR: All of this directly addresses the regulation’s data minimisation principle (Article 5(1)(c)).
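The content screening and redaction steps described in items 3 and 4 can be illustrated in working code. The following is an added example written for this article; it is not Nuance’s code and not part of the original post. It screens a document’s text for two patterns that commonly carry personal data (email addresses and IBANs), uses the IBAN checksum to discard look-alike reference numbers, decides whether the document should be quarantined based on the sender and recipient domains, and redacts the matches while logging only a keyed fingerprint of each removed value. The patterns, the internal-domain list (`corp.example`), the sample text and the logging key are all assumptions chosen for the example.

```python
"""Screening and redaction of personal data in document text.

Added illustration; not code from Nuance or from this post. The patterns,
the internal-domain list and the logging key are assumptions chosen for the
example. A real deployment tunes the patterns per jurisdiction and keeps
the key in a secrets store.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Patterns that commonly carry personal data (assumed set; extend per jurisdiction).
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

# Domains treated as "inside the organization" (assumption for the example).
INTERNAL_DOMAINS = frozenset({"corp.example"})


@dataclass(frozen=True)
class Finding:
    kind: str    # "email" or "iban"
    value: str   # the matched text
    start: int   # offsets into the document text
    end: int


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 modulo 97."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def screen(text: str) -> list[Finding]:
    """Return every personal-data match, ordered by position.
    IBAN candidates must pass the checksum, which filters out reference
    numbers that merely look like account numbers."""
    findings = [Finding("email", m.group(), m.start(), m.end())
                for m in EMAIL_RE.finditer(text)]
    findings += [Finding("iban", m.group(), m.start(), m.end())
                 for m in IBAN_RE.finditer(text) if iban_is_valid(m.group())]
    return sorted(findings, key=lambda f: f.start)


def should_quarantine(findings: list[Finding], sender: str, recipient: str) -> bool:
    """Hold a document carrying personal data unless both ends are internal."""
    def is_internal(addr: str) -> bool:
        return addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS
    return bool(findings) and not (is_internal(sender) and is_internal(recipient))


def redact(text: str, findings: list[Finding], log_key: bytes) -> tuple[str, list[dict]]:
    """Replace each finding in the text and return (redacted_text, log).

    The log records kind, offset and a keyed fingerprint (HMAC-SHA-256) of the
    removed value, so the same value can be correlated across documents
    without the log itself becoming a store of personal data."""
    pieces, log, pos = [], [], 0
    for f in findings:
        if f.start < pos:  # overlapping match already covered by the previous one
            continue
        pieces.append(text[pos:f.start])
        pieces.append(f"[REDACTED {f.kind.upper()}]")
        pos = f.end
        fingerprint = hmac.new(log_key, f.value.encode(), hashlib.sha256).hexdigest()[:16]
        log.append({"kind": f.kind, "offset": f.start, "fingerprint": fingerprint})
    pieces.append(text[pos:])
    return "".join(pieces), log


# Constructed sample document text. The second IBAN-like string fails the checksum.
SAMPLE = ("Invoice 4471 for Jane Doe (jane.doe@example.com). "
          "Pay to IBAN GB82WEST12345698765432. Internal ref GB82WEST12345698765433.")

if __name__ == "__main__":
    found = screen(SAMPLE)
    print("quarantine:", should_quarantine(found, "ap@corp.example", "x@partner.example"))
    redacted, events = redact(SAMPLE, found, log_key=b"example-key-from-secrets-store")
    print(redacted)
    for event in events:
        print(event)
```

Two design points are worth noting. The checksum is what keeps the screener from flagging every 22-character alphanumeric token as an account number, which is the difference between a tool people tolerate and one they route around. And the name “Jane Doe” survives untouched: pattern matching only catches structured identifiers, so a production screener adds dictionaries or named-entity recognition for names and addresses, and treats its output as a risk signal rather than a guarantee.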
5. Integration throughout an entire workflow: Business documents are used throughout an organization’s processes and systems, which compounds the challenge of protecting the personal data within these documents. Today’s capture and workflow solutions are designed to integrate seamlessly wherever data protection is needed, from line-of-business applications to groupware and collaboration systems, file, fax and email services, office and production printers – even personal and mobile devices.
The benefits for GDPR: More control of how documents containing personal data are used, as well as a thorough audit trail, as evidence of your compliance with GDPR.
In our next installment in this series, we’ll look at ways to mitigate the risks for GDPR non-compliance posed by a corporate asset you might not suspect: your printers.