Skip to the main content

0344 863 8000
Sign up for our Newsletter
Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon

A guide to the GDPR and mstore: part 3

A guide to the GDPR and mstore: part 3

In this final blog in a series of three from Arena’s Neil Maude, Neil looks more specifically at data breaches and wider security issues, and an electronic document management solution (EDMS) and Arena’s own mstore in particular can help with compliance in line with the ICO’s 12 steps. Click through to read his first and second blogs.

Data Breaches (9)

Clearly, the aim is that the organisation does not have a reportable personal data breach. Using the structure and security model within mstore will assist in keeping personal data secure, as the information is contained within a structured system rather than in unstructured file storage or paper form.

Further, mstore includes auditing of user activity at a system level (logins) and at the level of document actions (views, prints, exports etc). This information is available via the Document History reporting tool (see the Compliance panel, when logged in as an administrator) and can be used as an interactive view into system activity.

For example, you can see document views within a given date range, drill down to a specific user and then to the documents which that user has been viewing. Should the worst happen, this audit trail will provide good evidence of the activity which has taken place within the system.

Security Generally

As with any IT solution, the security of the mstore system depends on the implementation and on-going maintenance of the system. This can be a complex process, but the level of security is significantly improved over paper-based systems . Some key security considerations within mstore are as follows:


  • The core platform is a very standard Microsoft Server platform, with Microsoft SQL-Server as the database engine
  • This will be supported by your in-house IT team and should be kept up to date as for any IT system – e.g. apply Microsoft security patches as and when released o Backups are also the responsibility of your in-house IT tea

Application Security

  • User permissions are granted either to the user or via a “role based access control system” – these permissions should be sufficient for the business roles, but grant no more access than the minimum necessary
  • Desktop users should login using “Windows Authentication” – where mstore uses the current Windows login as the login for mstore – this will allow you to gain the benefits from single sign-on (e.g. regular password updates, strong passwords, one place to manage leavers) policies and security enforcement
  • Web client users can have either “Windows Authentication” or password strength/changes enforced by mstore. • Network Considerations

The mstore web client supports HTTPS and this should always be used (in preference to HTTP)

  • The mstore desktop client does not have direct access to document files, instead using a secure file broker component to communicate with the server and request images – this process also supports HTTPS which should be used in preference to HTTP 
  • Legacy versions of mstore which did use direct file access should no longer be used (note: this would be versions in excess of 10 years old) With these basic considerations in place, the mstore solution will be a secure location in which to hold sensitive information.

Process Management

The discussions above detail the use of mstore as an electronic document repository, principally for storage and retrieval. However, the system also has a workflow and business process management capability. This is typically used for general business processes – e.g invoice approval, HR on-boarding, purchase approval and organisation-specific processes. However, this workflow capability can also be used to control processes for the GDPR.

Consider the case of SAR receipts – the process would be triggered by the receipt of the SAR into mstore (stored as a document) and the workflow would route this request to one or many relevant people who would collect data and add it to the SAR response. The workflow toolset is configurable to support many document-driven processes and may well provide a cost-effective means of implementing your specific GDPR-related process requirements – noting, of course, that these processes need to be defined by the organisation as part of the GDPR compliance activity.


The GDPR is a risk-based approach to compliance and no single product will allow an organisation to “buy” compliance. However, your investment in mstore puts you in a good place to start, as information stored within mstore is in a secure structure already.

You will need to create and document your policies and procedures around this structure, as well as confirm that the basic IT elements are in place.

Should you want to explore how mstore can further enhance your GDPR compliance processes, or have still to implement mstore or EDMS in your organisation, please speak to your account manager or contact in the first instance.

Expert News | Blog

View all news

© 2018 Arena Group Ltd | Cookies & Privacy | Terms of use | Web design by eskimosoup | Accessibility

The Arena Group comprises: Arena Group Holdings Limited, a company registered in England and Wales (with registered company number 03735943 and VAT number 734562528) and its subsidiary company: Arena Group Limited a company registered in England and Wales (with registered company number 02168309 and VAT number 458238033). The Registered office of all Arena Group companies is Armitage House, Thorpe Lower Lane, Robin Hood, Wakefield, WF3 3BQ. Authorised and regulated by the Financial Conduct Authority for credit-related regulated activities.