GDPR: Citizen rights that bind companies

Content contributed by Fujitsu

There are innumerable cases in which the adoption of new technologies has been driven by a new regulatory framework or a European directive. Examples include real-time VAT reporting, LexNET, the ENI (National Interoperability Scheme) and a long list of others, to which the General Data Protection Regulation (GDPR) will be added as of 25 May 2018.

For the new legislation to be applied successfully, governments must address the two main groups of players affected by it: on the one hand the citizens, and on the other the companies that manage the data and have to guarantee users that they are complying with the new legislation. A third fundamental sector is also affected: the IT services and solutions providers who will supply the technological support needed for this law to be effective. It would be useless to demand rigorous GDPR compliance from companies if they do not have technology capable of supporting it.

Benefits / Rights for the user?

As indicated by the AGPD (Spanish Agency for Data Protection), GDPR seeks to solve problems that we have all encountered. To illustrate, I myself have been unable to register with a telecommunications provider because when I gave them my National ID number, it was associated with a person who was already a client, and who was obviously not me. Finally, the issue was resolved through a friend of a friend who worked at the company. GDPR is designed to put a stop to this kind of problem and help us assert our rights.

In essence, the law establishes that “your” data is “yours”: you have the right to know what data is being used and how, to rectify it and/or to have it erased (the well-known “right to be forgotten”), and organizations are responsible for the data they manage.

Implications for businesses

While on paper all these rights seem common sense, not all companies are prepared to face this great challenge. The technology needed to comply with the law is available to them; the problem is that personal data flows across organizations transversally, and not always in a controlled and structured way. Most worrying is that the internal culture in many companies is often resistant to change, and businesses are not always aware of the serious implications that misuse of data can have.

The role of ICT (Information and Communication Technologies) companies

The risk of fines (of up to 4% of a company’s turnover) and the lack of knowledge about where to start have led many IT companies, to some extent, to tar everything with the GDPR brush to justify a sales pitch, which has only added to the uncertainty. Obviously everything helps: a firewall, an antivirus or any other measure that can support the management of data security, but in my opinion this should not divert the focus away from the content itself.

We must pay attention to the rights of the citizen to understand the complexity that many organizations face in adapting to the law, which is much more than just saying that the servers are secure. To guarantee users’ rights, it is necessary to establish processes that give the organization knowledge of and control over the information it holds about a client: who has access to it within the organization, for which process, and whether the organization is able to delete the data.

Document Management emerged as an ICT discipline more than 25 years ago, with the aim of ensuring cross-organizational control of documentation in companies. It quickly evolved into what is now called ECM (Enterprise Content Management), focusing more on the content and less on the document itself. This shift of focus from the archive to its content is key: only by understanding the content can we decide which process it should follow, knowing what kind of information is held, whether it is accessible and to whom, and which fields and contents can be accessed.

Today, in the 21st century, there are still many companies where paper is the medium for many business processes and the photocopier is still used to make copies (just in case). There are also many companies that hold large amounts of digitized files without having any information about the content of those archived documents.

In this scenario, very common in our day-to-day work, we face major challenges: how can I guarantee a citizen’s right to have his or her data deleted when I do not have that data under control, and how can I demonstrate that a citizen gave me his or her data for a specific use?

We may be in the final stretch of the process that will lead us to offices much freer of paper documentation, since its widespread use makes it difficult to comply with GDPR. It is useless to have a client’s consent on paper filed away if I am not able to find it in order to consult it or to destroy it. The same applies to the vast majority of documentation handled by companies.

How can technology help?

In this scenario, the important thing is “not to lose your temper” but, above all, “not to lose control”, and of course to put yourself in the hands of experienced professionals, bearing in mind that technology exists that allows all of these tasks to be done as efficiently as possible.

Step 1: Carry out an audit: Basically, we should be able to identify which business data is critical for us and affected by GDPR. It is also necessary to identify who has access to it and who processes it.

Step 2: Review/define processes: Where deficiencies are found, or processes that are not compatible with GDPR, they should be reviewed. Likewise, existing systems must be reviewed, including their storage, security and access policies.

Step 3: Implementation and training: Employees should be trained in GDPR, covering, where necessary, the new policies, the associated processes and the affected tools.

Paper and GDPR?

Many areas of business activity still work with paper-based processes, such as Legal, Human Resources, Hiring, Marketing, etc., and remain very fond of paper documents. Handling information on paper involves a series of risks when it comes to GDPR, most of which could be avoided either by digitalising at source or, at least, by digitalising as close to the origin as possible.

Risk 1: Lack of awareness about the information contained – What’s inside?

A curriculum vitae, a certificate for medical leave, an address, a National ID number: these are all data that must be controlled, and which are usually found in business documents. Cataloging information manually and separating documents out by level of confidentiality is very expensive if it is not done by qualified professionals and/or automatic means.

In this sense, digitalisation technologies appear to be the great alternative: prior digitalisation with the corresponding OCR (Optical Character Recognition) process and/or indexing will allow businesses to catalogue information efficiently. There is no need for the company to store on paper information that can be returned to the user.

Risk 2: Who has access?

Before the arrival of mobile devices, the photocopier was undoubtedly one of the points where most information leaks occurred. Controlling access to information on paper is neither simple nor economical if access control is to be guaranteed, and most companies are not prepared to guarantee it.

This is a reality that persists, and it remains difficult to control who accesses the information and/or copies of it, since there is no traceability of who accessed what data and when. It is very common, precisely because of the working habits of the staff, to find desks full of printed documentation containing information that should be controlled.

Document management systems allow all types of documentation to be controlled and provide traceability of who has accessed what information and at what time. It is even possible to control what type of data is accessed, denying all but the permitted users access to the most secure or sensitive data. Obviously the first step is to digitalise the information as soon as possible, followed by its correct indexing and the association of metadata used to control access. Furthermore, the software included with our professional scanners, such as PaperStream Capture, allows information to be catalogued at the point of capture, a necessary step for control.

Risk 3: How do I recover the information?

The right to be forgotten implies that I can access my data. Paper, by its nature, is often stored by date of arrival and not by content. This makes the archiving of paper documentation a problem for companies that want to comply with GDPR.

A scanned copy of the document allows the file to be located and kept secure. Therefore, if a specific file has to be deleted, it can be accessed immediately, and a register of its deletion can even be created at little cost to the company. This is very different from physical paper files, where in many cases it is not even possible to locate the information.
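Risk 2 and Risk 3 describe what a document management system adds over a paper archive: content-based indexing so that a data subject’s files can be found, metadata-driven access control, a trail of who read what and when, and a register of deletions. The following Python model is an added illustration of those four properties together; it is not Fujitsu’s or PaperStream Capture’s code. The roles, the three-level sensitivity scale, the sample documents, the subject identifiers and the fixed clock are all constructed assumptions for the example.

```python
"""Minimal document store with metadata-based access control, an access
audit trail and a right-to-erasure register.

Added illustration, not vendor code: every name, role, level and sample
document below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed sensitivity scale, least to most restricted.
LEVELS = {"internal": 0, "confidential": 1, "special": 2}


@dataclass
class Document:
    doc_id: str
    subject_id: str   # the data subject the document concerns
    category: str     # e.g. "cv", "medical_leave", "address"
    sensitivity: str  # a key of LEVELS
    purpose: str      # processing purpose the consent covers
    content: str


@dataclass
class Event:
    when: str
    actor: str
    action: str       # "read", "denied" or "erased"
    doc_id: str
    subject_id: str


class DocumentStore:
    def __init__(self, clearance: Dict[str, str],
                 clock: Optional[Callable[[], datetime]] = None):
        # clearance maps a user to the highest sensitivity level they may read;
        # users absent from the map get nothing (least privilege by default).
        self._clearance = clearance
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._docs: Dict[str, Document] = {}
        # Index by data subject rather than by arrival date, unlike a paper archive.
        self._by_subject: Dict[str, List[str]] = {}
        self.audit: List[Event] = []
        self.erasure_register: List[Event] = []

    def _log(self, actor: str, action: str, doc: Document) -> Event:
        ev = Event(self._clock().isoformat(), actor, action, doc.doc_id, doc.subject_id)
        self.audit.append(ev)
        return ev

    def ingest(self, doc: Document) -> None:
        if doc.sensitivity not in LEVELS:
            raise ValueError(f"unknown sensitivity {doc.sensitivity!r}")
        self._docs[doc.doc_id] = doc
        self._by_subject.setdefault(doc.subject_id, []).append(doc.doc_id)

    def read(self, actor: str, doc_id: str) -> Optional[str]:
        doc = self._docs.get(doc_id)
        if doc is None:
            return None
        level = self._clearance.get(actor)
        allowed = level is not None and LEVELS[level] >= LEVELS[doc.sensitivity]
        # Every attempt is recorded, refusals included: the traceability paper lacks.
        self._log(actor, "read" if allowed else "denied", doc)
        return doc.content if allowed else None

    def documents_for(self, subject_id: str) -> List[str]:
        return list(self._by_subject.get(subject_id, []))

    def who_accessed(self, subject_id: str) -> List[Event]:
        return [e for e in self.audit if e.subject_id == subject_id and e.action == "read"]

    def erase_subject(self, actor: str, subject_id: str) -> int:
        """Right to erasure: delete every document about a subject and record each
        deletion. The register keeps identifiers and timestamps, never the content."""
        ids = self._by_subject.pop(subject_id, [])
        for doc_id in ids:
            doc = self._docs.pop(doc_id)
            self.erasure_register.append(self._log(actor, "erased", doc))
        return len(ids)


def demo() -> dict:
    """Walk through both risks on constructed data and return the observable results."""
    ticks = iter(range(1, 100))

    def clock() -> datetime:  # deterministic clock: one second per event
        return datetime(2018, 5, 25, 9, 0, next(ticks), tzinfo=timezone.utc)

    store = DocumentStore({"hr_manager": "special", "receptionist": "internal"}, clock)
    store.ingest(Document("d1", "subject-001", "cv", "confidential", "recruitment", "CV text"))
    store.ingest(Document("d2", "subject-001", "medical_leave", "special", "hr", "sick note"))
    store.ingest(Document("d3", "subject-002", "address", "internal", "billing", "Calle Mayor 1"))
    hr_sees = store.read("hr_manager", "d2")
    reception_sees = store.read("receptionist", "d2")  # refused, but logged
    readers = [e.actor for e in store.who_accessed("subject-001")]
    erased = store.erase_subject("dpo", "subject-001")
    return {
        "hr_sees": hr_sees,
        "reception_sees": reception_sees,
        "readers": readers,
        "erased": erased,
        "left_for_subject": store.documents_for("subject-001"),
        "register": [(e.doc_id, e.when) for e in store.erasure_register],
        "unaffected": store.documents_for("subject-002"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the pairing that paper cannot offer: the subject index answers “which files concern this person?” in one lookup, the audit list answers “who saw them?”, and the erasure register proves the deletion afterwards without retaining the erased content itself.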

Our mission as specialists in digitalisation is to turn information on paper into manageable and therefore auditable content and data. The latest generation of intelligent scanners ensures the integrity of what is scanned, so that what is archived is what was captured, and the accompanying software allows the data to be indexed and catalogued in accordance with GDPR. Managing paper documentation while being scrupulous about GDPR can be a big problem, so organizations should look for mechanisms to ensure that information arrives digitally from the origin and, if it is received on paper, to digitise it immediately and return the originals to the user, avoiding risks within the organization. It seems that GDPR could finally be the key to improving business processes and achieving an office with less paper.