Be updated, subscribe to the OpenKM news

How GDPR could affect your company customer's data collection

Written by Ricardo Álvarez, OpenKM USA staff member on November 20, 2020

The European General Data Protection Regulation's primary purpose is to ensure each individual's ability to control who collects and processes their data, what the data is used for, and guarantees that it is handled as safely as possible. The law applies to worldwide companies who interact with citizens within the boundaries of the European Union.

 GDPR Requirements

 It is worth noting that there are several rules from the GDPR that only apply in certain scenarios, and you should check with an expert to make sure your company is complying with GDPR. Without further ado, here are the main requirements all organizations need to take to comply with the GDPR:

Information Audit

Keep an information audit that states the purposes and details of the data processing.

Be specific about what kind of data you process, who has access to it, including any third parties, your current data protection systems, and state your users' data lifecycle, including when your company plans to erase it.

Privacy Policy

According to Article 12 of the GDPR, you need to have a public privacy policy that states the reason for data collection. In this policy, you should address your data capture's purpose, how the data is processed, who has access to it, and the security measures you use to keep it safe. This information needs to be as transparent as possible, and it must be presented at the exact moment you intend to begin collecting the user's data.

User Data Rights

Users have a large number of rights about the data you store about them, but the user's primary rights are the following:

1. User Knowledge

Users have the right to know what personal data you have about them, how you use it, how long you plan to store it, and the reason for keeping it for that length of time.

2. User Data Update

Users can request updates to their personal information at any time. You need to present a transparent system for accurately and safely updating their data.

3. User Data Deletion

Users can request the partial or complete deletion of the personal information you have of them. There are only a few exceptions on which you can deny the request, which you should address with a legal expert.

Overall, you need to establish a clear communication line that enables you to comply with each request within a month, and you need to be sure to verify that the user's identity is correct.

Data Protection Measures

Implement the necessary technical measures to ensure data protection at all stages. These measures include file encryption, organizational standards, limiting the amount of collected personal data, employee training for document management, establishing data lifecycles, and enforcing manual or automated data deletion after it is no longer useful. You can address most of these technical protection procedures by using a secured document management software.

Data Breach Notification System

According to Article 33 of the GDPR, if you notice a data breach that compromises any of the entities covered under the GDPR law, you are required to notify a supervisory authority within 72 hours. There are no specifics for what authority to reach for non-EU-based organizations.

It may be wise for US-Companies to notify the Office of the Data Protection Commissioner in Ireland due to the language similarity. You are also required to communicate data breaches to your data subjects unless the security breach is unlikely to put them at risk.

Data Processing Agreements

You need to sign a data processing agreement with any third-party services that handle your data subjects' information. There are multiple standard agreements online, which outline each party's rights and obligations under the GDPR compliance, but the specifics must be addressed in each scenario. 

Data Protection Role

Finally, you should make sure there is a person in charge of GDPR compliance; this guarantees your company's ability to evaluate its data protection policies, procedures, status, and enforces accountability for document security.

GDRP Key Concepts

The following concepts are crucial to understanding how the GDPR law affects your business.

Please visit our general outline of the General Regulation Of Data Protection Of The European Union and our GDPR Guide For Businesses for more information.

What is Data processing?

To collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose, erase, or destroy personal data from data subjects is considered a data process event. In other words, any customer's data usage is deemed to be data processing and needs to be covered under the data protection regulations.

Who is the Data processor?

The natural or legal person, public authority, agency, or anybody that processes personal data on behalf of the controller.

Who are the Data subjects?

The General Data Protection Regulation defines data subjects as any "identified or identifiable natural person" (1). In other words, the principles of data protection apply to all companies dealing with information from EU citizens and any non-EU citizens who are living or traveling to the EU. 

Who is the Data controller?

The data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. In other words, the data controllers are those who choose the specific reasons behind data collection, usage, and the way this information is processed, regardless of whether they do it themselves or not.

Takeaway

Understanding the basics of data protection and privacy does not require a GDPR specialist. It will undoubtedly save you countless troubles and perhaps even help you improve the way you understand and interact with your customers.

There is not a specific tool that is necessary to comply with the GDPR laws. Nevertheless, using a DMS can help your organization set some document control rules, data access boundaries, automated processes, and standardized procedures for document management to reduce your risks for data breaches. All in all, implementing a Document Management Software to handle your company's documents can ensure that your organization actively protects your customers' data and helps you avoid non-compliance fines.