Awareness of the risk and consequence of data breaches grew rapidly with the introduction of the General Data Protection Regulation (GDPR) in May 2018, which brought in penalties of up to €20m, or 4% of global turnover – whichever is higher.
While enforcement seemed to get off to a slow start, the record proposed £183.38m penalty issued to British Airways and the £99m fine levied on hotel chain Marriott demonstrated the threat the new legislation posed to companies failing in their duty to protect their own, and their customers’ personal, data.
So it is concerning that our research report – Risky Business, analysing the state of UK business processes – found that 57% of UK businesses have failed to take the necessary precautions to protect data in line with stricter GDPR requirements.
This is despite 81% of employees who took part in the survey confirming that their business was more aware of the need for data security and stricter privacy regulations than it was prior to GDPR – but had still failed to take any action.
More worrying, however, is that nearly one in 10 employees (8%) claimed their business had carried on as if GDPR had never happened, and had paid no attention to any stricter privacy or security policies they might need to bring in.
The report found that small businesses in particular are walking a tightrope over GDPR fines, with just 29% introducing new GDPR-compliant policies for data handling and security. This is despite 60% admitting to becoming more aware of the risks surrounding breaches.
This compares to 45% of larger companies that introduced new policies to help stay compliant with the new regulations.
How to improve GDPR compliance?
One of the key purposes of GDPR is to know what data you have, where it is stored, and who can access it. This creates accountability within businesses and forces organisations to demonstrate how their systems operationally adhere to best practice for data protection.
This includes requiring organisations to create robust audit trails concerning access to documents so they can demonstrate steps taken to protect information if a breach does occur.
It is difficult to know who has seen a paper document without setting up a manual process at prohibitive cost. The easiest way to keep an audit trail for paper documents is to ensure every employee signs when they access a document, which is a very time-consuming process.
Likewise, if you deal with digital documents stored either in your file explorer or spread across multiple repositories, it can be difficult to see exactly where a document has been and who has accessed it. It is simple if only one or two people have access to a certain repository, but can be impossible to control if more people than that have access.
Additionally, if data is spread across multiple repositories, it can be difficult to work out what the latest version of the document is, resulting in staff working on older versions.
Technology like electronic document management systems can help with both of these by automatically identifying information, categorising it, sending it through an automated workflow and creating a visible pathway to identify where the document or data is, what work has been completed on it and who has access to it.
Essentially, electronic document management software can help with GDPR compliance by helping to identify:
- The nature of the documents held
- If they include “personally identifiable information”
- Where the document is stored
- How many versions of each document exist
- Who can access each document
If you examine some of the key points of GDPR, it becomes even clearer why an electronic document management system is a vital part of remaining compliant, and why it is concerning that so many organisations still haven’t acted.
Attempting to remove information from your database becomes extremely difficult unless you have a form of electronic document management.
Trying to find information (especially personal data) on paper files and then erase it all is a time-consuming and difficult task, and you can never be 100% sure you have located and deleted all the required information.
With an electronic document management system, you can store all information in one easily accessible, searchable location and create access controls, making it much easier to store, protect and find information.
Benefits of electronic document management
As well as improving GDPR compliance, electronic document management can improve business efficiency in general by making it easier for employees to find and access documents in seconds – rather than wasting time scouring multiple electronic systems or filing cabinets.
By creating a single source of information, businesses can keep track of documents, reduce uncontrolled document duplication (also essential for data security and GDPR compliance) and can configure policies to ensure documents are only kept when it can be justified – especially important for GDPR compliance.
But by far the most important aspect of electronic document management is the enhanced security over documents and information (which is needed to be GDPR compliant).
By ensuring robust controls and auditing access to all documents, especially those which contain personally identifiable data, you can ensure you are as compliant with GDPR as possible.