3 Techniques to Ensure Compliance
With GDPR, every business worldwide that markets to EU customers will have new responsibilities and liabilities for how it manages its documents – digital as well as paper-based. Here, we take a close look at the changes GDPR is expected to impose on the way organizations manage documents containing personal data, as well as strategies for making sure business documents meet these new demands.
The GDPR (General Data Protection Regulation) – which will take effect in May 2018 – is designed to give control of personal data back to European Union residents. It imposes significant new obligations on businesses anywhere in the world that collect and process the personal information of EU citizens in 28 countries. The volume of data collected and the increased variety of data considered “personal” has added to the challenge.
In order to avoid stiff fines, many companies needing to comply have been focused on securing IT infrastructure by ensuring customer databases and ERP systems are impenetrable to outside hacks. This is a good and necessary start, but personal data stored in documents – both paper and digital files – also demands attention. Fortunately, there are relatively straightforward techniques organizations can use to ensure their business documents meet the new GDPR demands.
Digitization of Paper
The first step in the process is to reduce the volume of physical paper through digitization. Contrary to popular belief, GDPR does affect paper documents. For example, if a customer requests his or her “right to be forgotten,” how can you guarantee complete data erasure if this data exists on paper long forgotten or misplaced? While electronic documents are certainly not 100 percent airtight, they are innately more secure (largely because they cannot be physically lost). Also, thanks to retention policies, digital files are unlikely to “live forever” like paper documents often forgotten in file cabinets.
Transitioning to a more “paperless” or “paper-light” way of working by increasing digitization is a key to improving document security for GDPR. Scanning in bulk and using employee mobile capture are two ways organizations can more efficiently convert vast piles of paper-based information to electronic format. Once digitized, these documents are ready for inclusion in automated workflows, which are not only more secure, but create new efficiencies. Still, automated workflows, as well as digitization technologies themselves like scanning, require special measures and precautions.
When documents are shared electronically, the risk for GDPR noncompliance soars. One tenet of GDPR is “the rule of least privilege for data access,” which enables processing of personal data only for limited and defined purposes. One of the best ways to ensure adherence to this tenet is limiting access to personal data only to workers who need it. For example, an insurance claims adjustor may not need to see personal customer data when he/she processes a claim. There are numerous ways organizations can ensure sensitive personal data is shared only with those workers who truly need it. These include:
- Encryption – Businesses need to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” of a breach of personal data. Encryption is one example, where entire documents can be made intelligible only to authorized workers.
- Redaction – There are sometimes cases where a worker needs to see a document, but not specific personal data within that document. Business analysts, for example, may not need to see personal customer data from survey results as they tabulate the surveys for management. When personal data is identified in a document, it can be automatically redacted (censored or obscured) and stored elsewhere, accessible only to those who truly need it.
- Content Screening – In email correspondence, documents can be screened by searching content for keywords, phrases and patterns that may signify sensitive information (for example, the word “confidential”), and then validating the sender and recipient. Documents deemed to be at risk are quarantined, and notifications are sent to the sender, supervisor and security.
Multifunction Printer (MFP) Controls
Today’s MFPs do a lot: printing, copying, faxing and scanning documents. They’re a vital holding pen for documents as they transition from electronic format to print and vice versa. When an MFP is not carefully monitored and controlled, it can be a dangerous off-ramp for sensitive personal data to the outside world. Paper documents are highly prone to security lapses – take for example someone printing a sensitive document to the wrong printer or leaving a document in the paper tray.
One way to address this is called “follow-me printing,” which holds documents in a secure print server until the user authenticates himself/herself at the network MFP of choice. By authenticating before printing and accounting for all output activity, organizations can better protect personal data residing in paper documents. Similar capabilities can be applied for scanning, including requiring authentication prior to scanning and creating an audit trail that tracks who scans and prints what documents and the destination of files. There are even features that allow text identified as sensitive to be automatically redacted as documents are scanned. All of these features can safeguard printing and scanning from the MFP and aid in GDPR compliance.
GDPR Blind Spots
In summary, the focus of GDPR is often placed on cybersecurity threats, server hacks, database vulnerabilities and data stored on and transmitted between servers and networks. While no one is disputing the importance of this, documents – both paper records as well as electronic – are often overlooked or deprioritized, putting citizens’ personal information at risk. GDPR is requiring organizations to implement tighter controls in document management, and the techniques described above cover blind spots that organizations have in the area of document security.