On 25th May 2018 the General Data Protection Regulation (GDPR) will come into effect, and organisations that have customers, staff or contractors within the European Union and process their personal information are examining what information they currently hold. The GDPR will be the single biggest change to data protection legislation since 1998, giving individuals greater rights to understand who is processing their personal information, what personal information is being processed and why it is being processed. If you process an individual's personal information as a Data Controller or Data Processor, it will be important that you understand how and why that processing is conducted, so that the processing is lawful and the risk of a data breach is minimised.
The Information Commissioner's Office (ICO) recommends that organisations maintain records detailing several aspects of processing, including purposes, data sharing and retention. To help with this, the ICO has produced templates to aid the information audit and data mapping which, once complete, give the data controller/processor an overview of the personally identifiable information they are holding, why they are holding it and how they are holding it. If you have been considering digital transformation and information management, mapping your data and completing the ICO template will make that process much easier.
Risks to the Organisation
For some organisations, the data mapping will highlight how dispersed the personally identifiable information they retain is, and what the potential risks of their current processing activities are. Documents will be spread across filing cabinets, mail/file servers and cloud storage, which makes the information difficult to manage and control. The main risks to this data are:
- How does the organisation manage who can access these documents?
- How does the organisation know what happens to these documents when they are accessed?
- Is there an audit trail including version history for these documents?
- How are the retention periods managed?
- How are the documents secured in both transit and storage?
By using the findings of the data mapping, organisations have the beginnings of the classification and metadata required for an Information Management solution, which would act as a single digital document repository used across the business. Organisations are enabling data protection by design/default, as the solution would ensure documents:
- Can only be accessed by the appropriate people within the organisation, with controls over what the user can do with a file once they access it
- Have full version control and an audit history for all stored documents
- Are encrypted in both storage and transit
- Are subject to a retention policy, so that the organisation is not holding any information longer than required
If an organisation receives a subject access request, or a data subject requests that their information is rectified or deleted, the time required to search for all the requested/affected information will be greatly reduced. An Information Management solution ensures all documents are stored in one location and are easily retrievable. Even if a document is misfiled due to user error, it will be fully text searchable. This is one of the reasons why the ICO believes 'most organisations will benefit from maintaining their records electronically'.
If you are in the process of mapping your data as part of GDPR and would like to learn more about digital transformation and how it will help your organisation with compliance, please contact Calvert Office Equipment via firstname.lastname@example.org.