Written by Ana Canteli on 5 January 2017
May 25th 2018 will be a date to remember for companies and organizations of all kinds, located in the European Union or not, that control or process data of EU citizens.
On that day the European Union's new General Data Protection Regulation, better known as the GDPR, comes into force.
If in 2016 trade in goods reached 362 billion €, and trade in services almost 226 billion, for the EU-US bloc alone, we can get an idea of the real economic and social impact that this legal provision will have on the most developed economic regions of the world.
This is because the regulation does not apply only within EU countries: its guarantees protect the processing of data of natural persons who are citizens of any EU member state, regardless of the country in which the company holding that information is located.
To make these measures of personal data protection effective, the General Data Protection Regulation provides for fines of up to € 20 million or 4% of the organization's total sales volume. In short, a breach or violation of this regulation can take even the largest and best established companies in a sector out of the market.
Therefore, the first questions that arise in this new scenario are: Am I affected by the new regulation? And what do I have to do to comply with it?
In the coming months, you will notice an increase in publicity for software that claims to provide compliance with the General Data Protection Regulation. Faced with such claims, one must be careful and realistic.
By itself, no software, application or computer tool (document management system, enterprise content management system) will make a company comply with the requirements for the control, processing, treatment or protection of personal data that the GDPR imposes.
This new regulation aims to respond to the new threats that the digital era poses to the security and privacy of people.
Historically, for the European Union the right to privacy has been an immutable and specially protected principle. Privacy is considered a fundamental right of human beings (Article 7 of the Charter of Fundamental Rights of the European Union). In other countries, such as the United States, the concept of privacy differs depending on the business sector, or on the sensitivity or commercial value attributed to the protected information.
Depending on the country, the sector of activity, and local habits and customs, the arrival of this new regulation can mean a big change in the way data about natural persons is managed and processed.
The definition of the concept of personal data is broader than in the previous legal framework, since it covers all information capable of allowing personal identification. "Personal data" is considered to be any information related to a natural person that can be used to directly or indirectly identify that person. It can be anything: an IP address, a photo, a video, a name, an e-mail address, banking information, social media posts, health information, etc.
The GDPR also stipulates which organizations are subject to the regulation: it "shall apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing is carried out in the EU or not." A controller is the entity that determines the purposes, conditions and means of processing personal data, while a processor is an entity that processes personal data on behalf of the controller.
This means that cloud storage, big data technology and predictive analytics applications must also comply with the regulation.
Likewise, the regulation "shall apply to the processing of personal data of persons residing in the EU by a controller or processor not established in the EU, when the activities refer to offering goods and services to EU citizens (regardless of whether payment is required for that reason) and the monitoring of the behavior that takes place within the EU. Non-EU companies that process data for EU citizens will also have to designate a representative in the EU."
We have already said that, by default, no system can cover every case that arises in a company. In this respect, the OpenKM Document Management System is versatile, customizable and adaptable enough to allow organizations from different sectors to use the software to manage the entity's documents and information in a way that meets the requirements of the European Union's new General Data Protection Regulation.
For example, depending on the sector of activity, metadata may have to be managed under encryption, and that encryption may in turn be subject to different levels of security. In other scenarios, the company may not need to encrypt the metadata, but must encrypt the physical files.
The dilemma concerns not only access to information, but also making information management possible, so that system administrators, for example in areas with restricted access to information such as the health sector, can carry out their work while being prevented from accessing data of a certain nature themselves. Communications between the user's computer and the application are encrypted with SSL.
In addition, the enterprise content management system incorporated into the company's suite of programs must be able to integrate with the rest of its applications. To this end, OpenKM offers SDKs for Java, PHP and .NET that allow the software to be integrated so that the company can manage the knowledge accumulated in it, taking into account aspects such as the type of data each application hosts and what level of access needs to be defined. Is it necessary to encrypt the data? At the database level? At the operating system level?
Within the scope of the new regulation, it would be advisable to apply a series of good practices:
In any case, one element without which no legislation or law can be applied is the company's information architecture model. The more robust the model, and the more developed the controls that sustain the systems, the easier it will be to apply and comply with the GDPR in the long term.