
A guide to the GDPR and mstore (part 1)

As we head towards the implementation of the General Data Protection Regulation (GDPR) on May 25th of this year, it is natural that users of Arena’s mstore will be asking how their electronic document management solution (EDMS) can help with compliance.  After all, the purpose of the EDMS is to store information, and this information may well be personal data which will fall under the scope of the GDPR.  

Further, many organisations are taking this opportunity to check their general security situation, especially in light of the GDPR requirement for prompt notification of a data breach should one occur. In this series of three blogs, Arena’s Neil Maude provides a guide to how mstore contributes to your GDPR compliance activities.

Before we make a start on this guide, remember that the GDPR applies only to personal data and although the definition of personal data is expanded, this is only a subset of the data you will hold in your organisation.

Further, it should be kept in mind that compliance with the GDPR – or any standard for that matter – will require a combination of people, process and technology.  There is no piece of technology – not even mstore – that will make an organisation compliant with legislation, unless that technology is accompanied by appropriate awareness, training and processes.

This approach is highlighted in the Information Commissioner’s Office (ICO) document Preparing for the GDPR – 12 steps to take now. This document is an excellent starting point for a compliance project and shows the different types of considerations and potential actions which may be required.

Of these areas, mstore is particularly relevant to the following:

  • Information you hold (ICO step 2)
  • Individuals' rights (ICO step 4)
  • Data Protection by Design (ICO step 10)


A further area where mstore may assist is subject access requests (ICO step 5), and you may also find that the audit tools within mstore aid in investigating data breaches (ICO step 9).

The remaining steps are people and process issues – such as raising awareness and updating privacy notices – which are not so directly linked to using an electronic document management system.

This first blog in a series of three will discuss how mstore can be used in the key areas listed above, as well as the position of mstore in your wider IT considerations.

Note that nothing in these blogs should be treated as legal advice.  Achieving compliance with the GDPR remains entirely the responsibility of the organisation. 

Should you feel that you require legal advice, Arena can put you in touch with law firms who have this expertise and are well placed to provide guidance for your specific needs.  Please contact your account manager for more details. 

Information you hold (Step 2)

The GDPR requires that you know what personal data you hold, where it came from and how it is accessed.  Beyond this, the ICO’s 12 steps document recommends that you consider an information audit.  I strongly recommend that you do this information audit, so that you have a complete list of the personal data that you are holding.

The information audit should cover data held within mstore and generally within the organisation – including paper-based, server file areas and e-mail systems holding documents and ERP/HR/Payroll systems holding database records about individuals.

However, considering just mstore as a system, the following are the key tools and activities which will help you to understand where information is held:

  • Within mstore, documents are held in a structure of cabinets and document types.
    • Each cabinet should[1] relate to a business area or group – e.g. HR, student records, case or deal file.
    • Each document type within a cabinet should contain information of a specific type – e.g. new starter form, permission slip, signed contract etc.
    • Using this structure, document how you use each cabinet and document type, and whether that cabinet/document type is used to hold personal data.
    • Include a note here of where the documents come from before they enter mstore – e.g. arrive by post and are scanned, arrive by e-mail and are stored, automatically captured from e-mail etc.
    • Also document the legal basis for holding this information and how long you will retain it (see “Individuals’ Rights” in my next blog).
  • Within mstore is a Security Report (see the Compliance panel, when logged in as an administrator).
    • This report shows the security permissions granted to individual users against a given document type.
    • Running this report and storing the output (PDF) will provide a record of who has access to the information stored within that type.
    • Note that running this report may highlight areas for short-term security update actions – e.g. removing accounts for users who have left the organisation.
  • Finally, document any processes for sharing information with other organisations.
    • If users have access to print/export/e-mail documents, how these features are used should form a part of your policy for handling personal data.

Documentation produced from the process above will form part of your information audit process, but you will obviously need to widen the scope to information which is not held within mstore (or add that information to mstore, to make management easier).

The mstore elements described above (structure, security tools, security report) are all part of the core solution and have been for many years.  No new tools have been provided for the GDPR. This underpins the value of replacing unstructured paper-based processes with an EDMS such as mstore.  

In my next blog, I’ll go on to describe how mstore assists with managing individuals' rights, including responding efficiently to subject access requests (SARs) and other queries, and tackle the requirement for data protection by design – steps 4, 5 and 10 in the ICO’s 12 steps guide.

You can also read my recent insight paper that provides an overview of the GDPR, or view our sector specific webinars on practical insights on the GDPR for schools and car dealers.

[1] Note: we say “should”, as this is configurable by the end user and therefore depends on the way the system was originally commissioned and has been used.


© 2018 Arena Group Ltd