This article considers how GDPR will affect the use of document management systems in business today.
Document management systems have been deployed to provide:
- Structured organisation and control of documents
- Search and retrieval of documents
- Security, audit, version and rendition management
- The capability to manage retention
All of the following document management systems have been recognised by industry analysts and are in widespread use across the UK.
- Hyland - OnBase
- IBM – Content Manager
- Kofax Perceptive
- Microsoft SharePoint
- Newgen OmniDocs
- OpenText – Documentum, Vignette, Hummingbird
- Oracle - WebCenter
- SER Doxis4
- Xerox Docushare
The current state of the GDPR discussion is that, for most businesses, some of the documents being created, stored and handled will fall within the scope of GDPR because they contain "personal data" (the GDPR term; "personal information" is often used loosely to mean the same thing). Items such as personnel records and correspondence will clearly be in scope, but the scope could be much wider: any document from which a living individual can be identified, directly or indirectly, counts.
GDPR requires access to personal data to be controlled (Article 32 calls for measures appropriate to the risk), and in particular that excess access, such as the ability to retrieve large collections of documents in bulk, is prevented or at least detected through the audit trail. Good security policies will often have applied this type of restriction already, but to meet the expectations of GDPR the access that system administrators have to document content will need to be reviewed: an administrator needs to manage the repository, not read what is in it. Similarly, the access available to helpdesk or support staff to view production documents may need to be checked and, where it is not needed for their role, removed.
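The two checks above (bulk retrieval and privileged roles reading content) can be run over the audit trail that every product in the list keeps. The following is an added example, not code from the article or from any of the products named; it assumes a hypothetical one-line-per-event audit format (timestamp, user, role, action, document id), since real products each have their own, and the log lines are constructed for the example. The window, threshold and the set of privileged roles are assumptions to be tuned for the organisation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit line format (real DMS products differ): timestamp, user, role, action, doc id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) doc=(?P<doc>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one audit line into a dict; raise on lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect_bulk_downloads(lines, threshold=20, window=timedelta(minutes=10)):
    """Return one alert per user who downloads more than `threshold` documents within any `window`.

    A per-user deque holds the download timestamps that fall inside the sliding window. Events are
    sorted first so that out-of-order log shipping does not defeat the check.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in events:
        if ev["action"] != "download":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def detect_privileged_content_access(lines, privileged_roles=frozenset({"sysadmin", "helpdesk"})):
    """Flag any view or download of document content by roles that should only administer the system."""
    return [ev for ev in (parse_line(l) for l in lines if l.strip())
            if ev["role"] in privileged_roles and ev["action"] in {"view", "download"}]


def sample_log():
    """Constructed sample: ordinary HR use, one helpdesk download, an admin action on the system
    itself, and a 25-document burst by one HR user."""
    base = datetime(2018, 5, 2, 9, 0, 0)
    lines = [
        "2018-05-02T09:00:01Z user=asmith role=hr action=view doc=PER-0001",
        "2018-05-02T09:00:05Z user=asmith role=hr action=download doc=PER-0001",
        "2018-05-02T09:01:10Z user=bjones role=helpdesk action=download doc=PER-0042",
        "2018-05-02T09:03:00Z user=rpatel role=sysadmin action=restart doc=-",
    ]
    lines += [f"{(base + timedelta(minutes=5, seconds=i)).strftime(TS_FMT)} user=cgreen role=hr "
              f"action=download doc=PER-{1000 + i:04d}" for i in range(25)]
    return lines


if __name__ == "__main__":
    for a in detect_bulk_downloads(sample_log()):
        print(f"BULK: {a['user']} downloaded {a['count']} documents between {a['first']} and {a['last']}")
    for ev in detect_privileged_content_access(sample_log()):
        print(f"PRIVILEGED: {ev['user']} ({ev['role']}) {ev['action']} {ev['doc']}")
```

The bulk check fires once per user, at the moment the threshold is crossed, so a single export of a whole folder produces one alert rather than hundreds; the privileged-role check deliberately ignores administrative actions such as the restart and reports only content reads, which is the distinction the access review above is meant to enforce.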
GDPR does not name encryption as a mandatory control, but Article 32 lists "the pseudonymisation and encryption of personal data" first among the measures to consider, and encryption at rest for stored documents is the expected baseline. For most document management systems it is a feature of the software, or it can be implemented through the storage management system of the data centre. When documents are "checked out" and being worked on, copies are often held on local storage on a laptop or mobile device. This local storage should be checked to ensure that it is encrypted (full-disk encryption such as BitLocker or FileVault, enforced by policy rather than left to the user), and the check should cover the temporary and cache locations that viewers and office applications write to, not just the user's documents folder.
Documents that exist in a production document management implementation also exist in Disaster Recovery (DR) locations and in the backup copies kept in archives. The same level of protection (access control and encryption) will be required in those locations, and backups need a documented approach to erasure requests, since a record deleted from production will otherwise reappear on restore.
During the implementation of new versions of document management software and custom integrations, it is normal to operate a number of development and test environments. In some situations, documents from the production system are copied into these other environments to provide a realistic sample of test material. If this occurs, the GDPR policies will need to continue to apply to the documents in those environments, including the access control and encryption that test environments rarely match. In some scenarios it may be possible to anonymise or pseudonymise the material first so that it attracts fewer restrictions in the test environments. The distinction matters: data that is genuinely anonymised, so that no individual can be identified, is outside GDPR altogether (Recital 26), whereas pseudonymised data, where the link back to the person is kept separately (for example a lookup key), is still personal data and still in scope, although Article 32 treats pseudonymisation as a recognised safeguard.
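One practical form of the pseudonymisation described above, for text extracted from documents before they are copied to a test environment, is shown below. This is an added example, not code from the article or from any document management product: it assumes a set of approximate regular expressions for UK identifiers, a caller-supplied list of known names (names in free text cannot be found reliably by pattern alone, which is the main caveat of this approach), and a secret key that stays in production. The sample personnel record is constructed for the example.

```python
import hashlib
import hmac
import re

# Approximate patterns for structured identifiers common in UK personnel documents.
# Pattern matching catches structured values only; names in free text need the explicit list.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),              # UK National Insurance number
    "phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),  # UK mobile number
}

# Constructed sample document. "Ravi Patel" is deliberately not in the known-names list
# to show that unlisted names survive pattern-based replacement.
SAMPLE_DOC = """\
Personnel record: Ann Smith (NI number AB123456C)
Contact: ann.smith@example.co.uk, mobile 07700 900123
Line manager: Ravi Patel. Escalation contact ann.smith@example.co.uk.
"""


def _token(kind, value, key):
    """Keyed, consistent replacement: the same value always maps to the same token for a given key,
    so cross-references between test documents still line up, but the value cannot be recovered
    without the key. The key must stay in production and never be copied to the test environment;
    while it exists the output is pseudonymised, not anonymised, and remains personal data."""
    digest = hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{digest}>"


def build_matcher(known_names):
    """One combined regex so the text is scanned in a single pass and tokens are never re-matched."""
    parts = [f"(?P<{kind}>{p.pattern})" for kind, p in PATTERNS.items()]
    if known_names:
        # Longest names first so "Ann Smith-Jones" is not partially consumed by "Ann Smith".
        names = "|".join(re.escape(n) for n in sorted(known_names, key=len, reverse=True))
        parts.insert(0, rf"(?P<name>(?i:\b(?:{names})\b))")
    return re.compile("|".join(parts))


def pseudonymise(text, key, known_names=()):
    """Replace structured identifiers and listed names in `text`; return (new_text, counts_by_kind)."""
    counts = {}

    def repl(m):
        kind = m.lastgroup            # the alternation branch that matched
        counts[kind] = counts.get(kind, 0) + 1
        return _token(kind, m.group(0), key)

    return build_matcher(known_names).sub(repl, text), counts


if __name__ == "__main__":
    key = b"test-key-not-for-production"   # assumption: in practice a key held only in production
    out, counts = pseudonymise(SAMPLE_DOC, key, known_names=["Ann Smith"])
    print(out)
    print(counts)
```

The counts returned for each run are worth recording alongside the copy: a document that yields zero replacements may be clean, or may hold personal data in a form the patterns do not recognise, and the unlisted line manager in the sample output shows why the known-names list has to come from an authoritative source such as the HR system rather than be guessed.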
The challenge of control is complicated when staff work remotely (e.g. from home), as they could be accessing documents from a personal PC, laptop or tablet. This creates a potential exposure where copies of documents might be left behind accidentally on a device the organisation does not control. A variation on this scenario is where staff with good intentions make use of file sharing tools such as Dropbox; such services retain a copy of the documents after the initial use, outside the organisation's access control and audit trail. The growth in the use of such sharing tools has partly been a response to the lack of user-friendly access in traditional document management products, which is itself an argument for fixing the user experience rather than relying on prohibition alone.
Of course, managing the control of access to documents is an ongoing activity, as new staff join, existing staff leave or change roles within an organisation. Joiner, mover and leaver procedures to handle such changes are not a new requirement of GDPR, but a poor implementation (for example, leavers whose accounts stay active, or movers who accumulate the rights of every role they have held) will cause a GDPR issue.
With the need for control of documents comes the reporting requirement of GDPR: Article 33 requires a personal data breach to be notified to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Looking at some of the scenarios above, if just one member of staff placed a handful of personnel documents that they could legitimately work with on a file sharing tool such as Dropbox, all of the protection the IT department had put in place would have been bypassed and the incident would have to be assessed and, unless the risk to the individuals can be shown to be low, notified to the ICO. Being able to establish quickly which documents were involved and whom they concern, which depends on the audit trail, is what makes that 72-hour assessment possible.
GDPR fines are expected to be proportional to the action or inaction that has taken place rather than always at the maximum; Article 83 lists the nature and gravity of the infringement, whether it was intentional or negligent, and the technical and organisational measures in place among the factors to be weighed. Organisations that have followed industry good practice and made reasonable efforts will be in a better position than organisations which have done nothing, ignored known problems, or made only "token" efforts to address issues.
It is likely that the Data Protection Officer (where one is required or appointed) will need to have developed action plans to contain and mitigate any breaches that do occur, so that a positive dialogue can be started with the ICO at the start of an incident rather than once the 72 hours have run out.
Anybody relying on network shared drives for the storage of documents is clearly exposing the organisation from a GDPR perspective: a shared drive typically has no search across content, no audit trail of who read what, no retention management and no practical way to find every copy of a record, and good industry practice has justified the use of a document management system for years.
The above has focussed on controlled access, but there are three other elements of GDPR which will require appropriate processes for the documents.
- The right of access (Article 15): being able to find and declare all relevant documents held about an individual, and to respond within one month of the request
- The right to data portability (Article 20), where it applies: being able to supply a copy of the relevant data in a structured, commonly used and machine-readable format such that another organisation could process it
- The right to erasure, the "right to be forgotten" (Article 17): being able to find and remove all appropriate information, including copies in DR and backups, although there will be a legal basis to retain documents for appropriate purposes, such as a legal obligation or the defence of legal claims
In summary, GDPR should be the stimulus to look at any existing document management system implementation and consider whether it is aligned with current industry standards and good practice. If it is an old version of software that is no longer supported by the vendor, and so no longer receives security fixes, the GDPR position is weak and plans for improvement will be needed.