Dutch data privacy campaigner Marleen Stikker had a revelation of the ‘Big Brother’ potential of digital technologies in 1994, just ten years after the iconic date of Orwell’s 1984. As a founder of Digital City – Europe’s first virtual community – Stikker was offered a demonstration of the dark side of what were then emerging technologies.
Enforced by the Information Commissioner’s Office, the General Data Protection Regulation (GDPR) will replace the current Data Protection Directive 95/46/EC, which regulates the processing of personal data within the European Union (EU). GDPR will reshape the way organisations across the region approach data privacy by giving greater protection and rights to individuals.
For many companies, the pressure is now on to make the necessary changes to the way in which they operate and manage risk to ensure they abide by the new regulations.
With misinformation spreading as organisations look to understand the implications of GDPR, KYOCERA Document Solutions debunks common myths around the regulation and explores why the implementation of a document/content management system can be part of an effective solution.
OUR OFFICES ARE BASED OUTSIDE OF THE EU, THEREFORE I AM NOT LIABLE UNDER GDPR
The purpose of the new regulation is to strengthen and rationalise data protection for all individuals within the EU. Since it is applicable to EU citizens on the whole, it is not specific to EU borders: it will also apply to organisations outside Europe, i.e. wherever the data may be stored and/or processed.
The GDPR also imposes restrictions on the transfer of personal data out of the EU, to third countries or international organisations, in order to ensure that the level of protection of individuals is not undermined.
MY COMPANY OUTSOURCES ITS DATA STORAGE, THEREFORE WE ARE NOT LIABLE UNDER GDPR
Under the old regulation, there was no obligation on processors (i.e. service providers) of data/information. Under GDPR, however, both controllers and processors are equally liable and must demonstrate compliance with GDPR by adopting detailed processing of records.
This has a particular impact on Cloud providers that provide services containing EU residents’ data. The effects of the above can be mitigated by implementing an enterprise content management system, using an appropriate document management system, that can help organisations manage and control system and data processor information, policies and processes.
Companies should use GDPR as a cornerstone for a risk mitigation process. There is no longer a limitation of liability, as now both the controller and subcontracted processors are equally liable for a data breach.
I NEED TO APPOINT AN INDEPENDENT AND QUALIFIED DATA PROTECTION OFFICER (DPO)
There are three main criteria under which an organisation must appoint a DPO:
- It carries out ‘large scale’ systematic monitoring of individuals;
- It carries out ‘large scale’ processing of sensitive data; or
- It is a public authority.
The DPO does not have to be a full-time employee of the organisation. This function can be outsourced, if required. If an organisation does not fall under the above criteria, it means that an external person does not have to be appointed.
If a DPO is required, the role can be fulfilled by an employee either on a part-time basis or combined with other duties. It is important to note, however, that the DPO must have an independent reporting line (like most compliance officers), be empowered and report directly to the Board without interference. The appointed person must be a data protection professional with ‘expert’ knowledge of data protection law and practices to perform their duties and ensure the organisation achieves and maintains compliance. The person appointed should ideally implement a strategy and project, with the key objective of meeting or exceeding minimum levels of GDPR compliance. Any project they implement should incorporate organisational, procedural and technical measures to demonstrate compliance.
I HAVE IMPLEMENTED A DOCUMENT MANAGEMENT / CONTENT MANAGEMENT SYSTEM, THEREFORE I AM GDPR COMPLIANT
Unfortunately, GDPR does not provide much exact guidance on which technology and/or security to use, instead stating only that “appropriate” and “state of the art technical protection measures” be implemented. This may be vague on purpose: as technology “evolves”, so too should the technology deployed. What counts as “state of the art” at the time of a potential breach may ultimately have to be debated in a court of law.
Although vagueness in this area makes interpretation of the regulation difficult, it could be argued that the implementation of a technical solution, such as a content management system, will make compliance with GDPR easier and more efficient when compared to manual processing.
But it must be stressed that having a content management system does not imply compliance with GDPR. Without a focus on what GDPR refers to as “the embodiment of the concept of privacy by design”, or without the correct processes in place, even organisations with relatively new systems are at risk of being fined.
I HAVE ALL MY SYSTEMS ENCRYPTED, THEREFORE, I AM GDPR COMPLIANT
In terms of fines imposed, GDPR does provide important exceptions based on whether appropriate security controls are deployed within organisations.
For example, if an organisation is breached, but it has rendered the data unintelligible through encryption to any person who is not authorised to access the data, then the organisation is not mandated to notify the affected record owners.
But while encryption of data will go a long way to assisting with compliance with GDPR, simply utilising encryption methods does not guarantee compliance. For example, if the encryption keys are potentially vulnerable to loss or exposure, the security benefits can be negated. That’s why other considerations, such as strong key management capabilities, should be taken into account.
Ultimately, the important lesson here is that no organisation should consider itself compliant without due diligence to ensure that all bases are covered. The companies that are most likely to meet GDPR requirements will have identified each process where personal data is involved and implemented a series of robust security and content management measures.