Written by Ricardo Álvarez, OpenKM USA staff member on November 20, 2020
The European General Data Protection Regulation's primary purpose is to ensure each individual's ability to control who collects and processes their data, what the data is used for, and guarantees that it is handled as safely as possible. The law applies to worldwide companies who interact with citizens within the boundaries of the European Union.
It is worth noting that there are several rules from the GDPR that only apply in certain scenarios, and you should check with an expert to make sure your company is complying with GDPR. Without further ado, here are the main requirements all organizations need to take to comply with the GDPR:
Keep an information audit that states the purposes and details of the data processing.
Be specific about what kind of data you process, who has access to it, including any third parties, your current data protection systems, and state your users' data lifecycle, including when your company plans to erase it.
Users have a large number of rights about the data you store about them, but the user's primary rights are the following:
Users have the right to know what personal data you have about them, how you use it, how long you plan to store it, and the reason for keeping it for that length of time.
Users can request updates to their personal information at any time. You need to present a transparent system for accurately and safely updating their data.
Users can request the partial or complete deletion of the personal information you have of them. There are only a few exceptions on which you can deny the request, which you should address with a legal expert.
Overall, you need to establish a clear communication line that enables you to comply with each request within a month, and you need to be sure to verify that the user's identity is correct.
Implement the necessary technical measures to ensure data protection at all stages. These measures include file encryption, organizational standards, limiting the amount of collected personal data, employee training for document management, establishing data lifecycles, and enforcing manual or automated data deletion after it is no longer useful. You can address most of these technical protection procedures by using a secured document management software.
According to Article 33 of the GDPR, if you notice a data breach that compromises any of the entities covered under the GDPR law, you are required to notify a supervisory authority within 72 hours. There are no specifics for what authority to reach for non-EU-based organizations.
It may be wise for US-Companies to notify the Office of the Data Protection Commissioner in Ireland due to the language similarity. You are also required to communicate data breaches to your data subjects unless the security breach is unlikely to put them at risk.
You need to sign a data processing agreement with any third-party services that handle your data subjects' information. There are multiple standard agreements online, which outline each party's rights and obligations under the GDPR compliance, but the specifics must be addressed in each scenario.
Finally, you should make sure there is a person in charge of GDPR compliance; this guarantees your company's ability to evaluate its data protection policies, procedures, status, and enforces accountability for document security.
The following concepts are crucial to understanding how the GDPR law affects your business.
Please visit our general outline of the General Regulation Of Data Protection Of The European Union and our GDPR Guide For Businesses for more information.
To collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose, erase, or destroy personal data from data subjects is considered a data process event. In other words, any customer's data usage is deemed to be data processing and needs to be covered under the data protection regulations.
The natural or legal person, public authority, agency, or anybody that processes personal data on behalf of the controller.
The General Data Protection Regulation defines data subjects as any "identified or identifiable natural person" (1). In other words, the principles of data protection apply to all companies dealing with information from EU citizens and any non-EU citizens who are living or traveling to the EU.
The data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. In other words, the data controllers are those who choose the specific reasons behind data collection, usage, and the way this information is processed, regardless of whether they do it themselves or not.
Understanding the basics of data protection and privacy does not require a GDPR specialist. It will undoubtedly save you countless troubles and perhaps even help you improve the way you understand and interact with your customers.
There is not a specific tool that is necessary to comply with the GDPR laws. Nevertheless, using a DMS can help your organization set some document control rules, data access boundaries, automated processes, and standardized procedures for document management to reduce your risks for data breaches. All in all, implementing a Document Management Software to handle your company's documents can ensure that your organization actively protects your customers' data and helps you avoid non-compliance fines.
North America: Please call +1 646 206 6071.
Monday - Friday: 08:00 am - 17:00 pm EDT for immediate assistance. Currently, it is Thursday 11:15 am in New York, USA.
Europe Spain: Please call +34 605 074 544.
Monday - Friday: 09:00 am - 14:00 pm, 16:00 pm- 19:00 pm CEST for immediate assistance. Currently, it is Thursday 17:15 pm in Palma de Mallorca, Spain.