A guide to the GDPR and mstore (part 2)

With the deadline for changes to data protection looming, Arena’s Neil Maude continues his series outlining how an electronic document management solution (EDMS) and mstore in particular can help with compliance.

You can read his first blog here.

A key requirement under the General Data Protection Regulation (GDPR) is for prompt notification of a data breach should one occur and a more timely response to requests from data subjects. So this blog turns attention to the rights of the individual, ensuring protection of data by design and managing subject access requests (SARs), steps 4, 10 and 5 in the ICO’s 12 step guide.

Individuals’ Rights (4)

The GDPR brings a list of rights for individuals, as follows:

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making, including profiling

Each of these rights may require updated policies and procedures on the part of the organisation. However, mstore can assist with the implementation of policies to meet these obligations.

The right of access – where a data subject asks for a copy of the personal data you hold about them – can be a far quicker process in mstore (search, redact, export) than the corresponding paper-based process. The right to erasure can be actioned by both manual processes and automatically. In the case of a manual process – where a data subject requests that their data is deleted – the process will be to locate the information and use the mstore document delete functions.

Note that at this point you should be considering the legal basis for that deletion – i.e. do you have some other legal obligation to keep the data which will override the request for deletion (e.g. HMRC record-keeping requirements will override the GDPR)? In the case of information which you keep for a set period – e.g. HR disciplinary records which may be deleted once expired – the mstore retention tools can be used to remove information based on type and date. As documents are added to the system, a retention date is set and the retention tools (see the Compliance panel when logged in as an administrator) can be used to delete documents which have passed their individual retention dates.

Use of these tools within mstore will greatly reduce the time required to comply with these enhanced requirements under the GDPR. However, company policies and procedures do need to be in place as to how these tools should be used.
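To make the two deletion routes above concrete – a manual erasure request that must first be checked against an overriding legal obligation, and scheduled deletion of records past a retention date set on entry – here is an added Python illustration. It is not mstore's code; the document types, retention periods, the "statutory" flag and the sample records are constructed assumptions, not legal advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed policy: document type -> (years to retain, statutory obligation?).
# Periods and flags are illustrative assumptions, not legal advice or mstore settings.
RETENTION_POLICY: Dict[str, Tuple[int, bool]] = {
    "hr_disciplinary": (1, False),    # organisational policy: delete once expired
    "tax_record": (6, True),          # statutory duty (e.g. HMRC) overrides erasure
    "marketing_consent": (2, False),
}

@dataclass
class Document:
    doc_id: str
    doc_type: str
    subject_ref: str                  # the data subject the record relates to
    added_on: date
    retention_until: Optional[date] = None

def set_retention_date(doc: Document) -> Document:
    """Stamp a retention date when the document enters the system."""
    years, _ = RETENTION_POLICY[doc.doc_type]
    doc.retention_until = doc.added_on + timedelta(days=365 * years)
    return doc

def expired_documents(docs: List[Document], today: date) -> List[str]:
    """Scheduled retention run: ids of documents past their retention date."""
    return [d.doc_id for d in docs
            if d.retention_until is not None and d.retention_until <= today]

def handle_erasure_request(docs: List[Document], subject_ref: str,
                           today: date) -> Tuple[List[str], Dict[str, str]]:
    """Manual erasure request: split the subject's documents into those that can
    be deleted now and those held under an overriding legal obligation."""
    deletable: List[str] = []
    retained: Dict[str, str] = {}
    for d in docs:
        if d.subject_ref != subject_ref:
            continue
        _, statutory = RETENTION_POLICY[d.doc_type]
        if statutory and d.retention_until and d.retention_until > today:
            retained[d.doc_id] = f"statutory retention until {d.retention_until.isoformat()}"
        else:
            deletable.append(d.doc_id)
    return deletable, retained

# Constructed sample records and run date, not real data.
TODAY = date(2018, 5, 25)
SAMPLE_DOCS = [set_retention_date(d) for d in (
    Document("D1", "hr_disciplinary", "S1", date(2016, 1, 10)),
    Document("D2", "tax_record", "S1", date(2017, 3, 1)),
    Document("D3", "marketing_consent", "S2", date(2018, 1, 1)),
)]
```

The erasure-request path records the reason each held document was not deleted, which is the audit trail a data subject or regulator would expect to see.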

Data Protection by Design (10)

Whilst it has always been good practice to consider the impact of new technology deployments, this becomes a requirement under the GDPR if processing “is likely to result in high risk to individuals”. And although you may already have mstore in place, you will need to consider the potential impact of using mstore for additional work. Again, this is a policy and process task outside of mstore. However, the security features within mstore are very useful tools to implement safe processes on any personal data added to the system.

Subject Access Requests (5)

Under current legislation (The Data Protection Act 1998), data subjects have the right to ask for a copy of any personal data you hold about them. This is known as a “Subject Access Request” (SAR). Whilst this right is already in place, organisations are allowed to make a charge against the cost of providing this information. Typically, this is a nominal £10 – but that is some discouragement against requests and most organisations will never have received a SAR. However, the GDPR removes this fee and SARs can then be made without cost to the data subject. Therefore, it is likely that there will be many more SARs under the GDPR, possibly with a spike around the implementation date and likely wide GDPR publicity. Note that SARs can be from any data subject – which will include customers, staff and ex-staff. Also, the time limit for responses is reduced to one month.

Regardless of the exposure of an organisation to large numbers of SARs, the GDPR requires that there is a process in place to respond. This could be a simple process (e.g. nominating who will handle SARs and where to find personal data – possibly referencing the information audit results). The process should reference how mstore will be searched for personal information.

The relevant tools within mstore for responding to SARs include:

• Searching generally: search by document type and data subject references (names, etc.). If you have the "full text" modules on your system, this will also allow searching within document contents.

• Redaction: you will be providing a copy of the information back to the data subject, but the document may include personal data for other data subjects – e.g. going back to the HR example of a disciplinary form, you may have notes of an incident between two staff members. You should redact – block out – any information which the requesting data subject should not receive. This can be done with the annotation tools for imaged documents.

• Export output: using the document export tools, you can provide documents to send to the data subject. This can be individual documents or a batch export, with conversion to standard formats – e.g. PDF.

Ensuring that a particular document is only a click or two away, improved searchability and ridding the organisation of cumbersome paper archives are clear benefits for any organisation, going beyond the requirements for compliance under the GDPR or any other audit or compliance requirement for a particular sector. The added pressures of the new data protection regulation give greater impetus for any organisation to take steps towards implementing an EDMS such as mstore, and for existing customers that already have mstore in place to make full use of the benefits already available to them.

You can catch up with my first blog here. My next blog will move on to how to address data breaches and the management of IT more widely in line with the GDPR.

© 2018 Arena Group Ltd