GDPR is the European Union General Data Protection Regulation. The GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviors of citizens residing within the EU. Companies are now directly responsible for data protection compliance wherever they are based (and not just their EU-based offices) as long as they are processing EU citizens’ personal data..
The regulation is due to be implemented and become law on 25th May 2018 and the regulation will replace all data protection legislation in EU member states including the UK’s Data Protection Act 1998.
Non-compliance of the regulations can entail a fine of up to €20 million or up to 4% of turnover.
This news item is not intended as a guide to GDPR but to show how some of its main requirements can be achieved using File Stream, Document Management.
Data Protection Officer
A Data Protection Officer is recommended for many larger enterprises especially in the Public Sector. The Data Protection Officer has the overall authority to set up and manage the GDPR
File Stream - The Data Protection Officer will be the, or one of the, controllers of the File Stream Document Management system. The Data Protection Officer will therefore be able to decide on privacy settings, retention times and all aspects of personnel information held by the organisation. The one act of installing File Stream resolves nearly all the requirements of the GDPR.
Controllers and Processors
Controllers establish the data policy and Processors carry the policy out.
File Stream - Controllers can have all or some of the administrator’s rights to the operation of File Stream and the Processors also can be given varying degrees of permissions as to what documents they have access to and what functions they can perform on those documents.
Document Retention and Right to Be Forgotten
- Personnel data held must be minimized
- Personnel data must be made available and shared with the minimum number of people
- Personnel data must remain in the system for the minimum time possible
File Stream - Enables comprehensive retention policies to be set for all documents with destruction dates and automatic notifications of when they are to be destroyed
Data breaches must be reported within 72 hours to the DPA (Data Protection Authority)
File Stream - Can help trace the source of a data breach by looking at the document history to see who has accessed the document and what process they performed on the document.
The necessary transfer of data from one source to another.
File Stream - Documents can be made available for export in a variety of ways:
- Export documents to the desktop or any other location
- Export documents and the index values as a csv file. These can then be entered into another chosen document management system
- Searchable Disk Module allows documents to be exported to media such a CD, memory stick or zip folder and password protected. File Stream search and viewer functionality allows for documents to be viewed, even if the application to open the file does not exist.
Data Protection must be “Designed In” and a PIA (Privacy Impact Assessment) made. Privacy against unlawful access is especially important for Payroll and Customer information.
File Stream - Has Data Protection designed in:
- All files are encrypted
- Passwords are required to enter the system
- Only chosen users can access documents in particular data bases (File Stream Officio).
- A full RBAC (Role Base Access Control) system operates in the enterprise version of File Stream ensuring precise control of document access and product functionality.
- Documents can be redacted
- The full history of a document is preserved if required.
Records of Processing
Records must be kept when personnel data is processed. Also, staff training levels and accreditation levels can monitored.
File Stream - Records such as Date entered / date modified / operator / document history / email properties act are automatically kept. File Stream is regularly used as a solution for keeping all staff detail including accreditation status. An in built diary can be used to notify managers when staff accreditations need renewing.
Records need to be kept with consent for data held especially employee data.
File Stream - As these consents are generated (email / facsimile / Office doc / scanned paperwork, etc), they can be stored securely and easily within File Stream.