This is the seventh and final post in our blog series about the European Union’s General Data Protection Regulations, which came into full effect on 25th May this year (2018).
Throughout this series we have looked at what these new regulations mean for businesses that collect, store and use personal data, and, most importantly, what can be done to avoid non-compliance, which under GDPR can result in severe penalties of up to €20m (around US$23,000,000) or 4% of worldwide revenue, whichever is higher.
While we’ve concluded that much of what is contained within the GDPR is not new, we do note that when taken as a whole, the new regulations mark a distinct move away from the implicit nature of previous data protection legislation with its ‘best practices’, towards an explicit set of legal requirements that companies must adhere to.
In the series so far we’ve looked at what constitutes ‘personal data’, how under the new regulations the processing of this data must be ‘lawful’ and ‘transparent’, and how capturing customer preferences and consent information is key to this. We’ve looked at fine- and coarse-grained records management and how organizations must ensure that the enterprise content management and archiving systems where personal data is stored are compliant and able to support the new rights that individuals have under the GDPR, and what to do if they’re not. Most recently we’ve examined ways to keep customers’ personal data secure within these systems when documents need to be accessed by internal stakeholders, through the use of page-level encryption. This time we look at other ways companies can keep their customers’ data protected and secure, particularly when customer documents are in transit.
All businesses and organizations need to send and exchange customer documents from time to time, but this carries the risk of inadvertent disclosure of confidential information. Communications must be able to flow unhindered to enable various business processes, and a number of solutions are available to mitigate these risks.
For example, not every recipient of a document needs to know or view the sensitive or confidential information contained within it, and in this instance the redaction of personal data can provide an appropriate solution. Historically, with printed documents, redaction meant simply placing a black mark or box over the personal data to obscure it from the viewer. Today, with digital communications, sophisticated redaction software enables sensitive text to be removed completely from the underlying document data, rather than merely hidden behind an overlay, or scrambled to achieve the same outcome.
Alternatively, if a complete document does need to be sent, a signed PDF can be used: the PDF is created and a hash of its contents is placed into a digital signature. If the PDF is tampered with or modified by someone before it is opened by the intended recipient, the hash no longer matches and a warning is issued, alerting the parties to a potential security breach that can then be acted on expediently to ensure the protection of the customer’s data.
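To show the hash-and-sign mechanism described above in working code, here is an added example (not part of the original post, and not any particular PDF product’s implementation): the document bytes are hashed with SHA-256, the digest is signed with an RSA key, and the recipient’s verification fails as soon as a single byte of the document changes. The sample “document” and the RSA key pair are constructed for the example; a real signed PDF embeds the signature and the signer’s certificate in the PDF structure, which this example does not model.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document bytes with SHA-256 and signs the digest
// with the sender's RSA private key (PKCS#1 v1.5), mirroring how a signed
// PDF carries a hash of its contents inside the digital signature.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument recomputes the digest on the recipient's side and checks it
// against the signature. Any modification of doc after signing changes the
// digest, so verification fails and the recipient can be warned.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// TamperCheck simulates the round trip with a freshly generated key pair:
// sign the original, then verify both the untouched copy and a modified copy.
// It returns (originalVerifies, tamperedVerifies, error).
func TamperCheck(doc, tampered []byte) (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sig, err := SignDocument(priv, doc)
	if err != nil {
		return false, false, err
	}
	return VerifyDocument(&priv.PublicKey, doc, sig),
		VerifyDocument(&priv.PublicKey, tampered, sig), nil
}

func main() {
	// Constructed sample content standing in for the bytes of a customer PDF.
	doc := []byte("Customer: Jane Example\nAccount: 12345\nBalance: 100.00")
	tampered := []byte("Customer: Jane Example\nAccount: 12345\nBalance: 999.00")
	okOrig, okTamp, err := TamperCheck(doc, tampered)
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", okOrig, okTamp)
}
```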
Under the new General Data Protection Regulations, organizations have a clear responsibility to ensure that they have appropriate security measures in place to protect the personal data that they hold, whether at rest or in transit, and there is clear accountability for which measures they have adopted and for how the associated security risks have been assessed and managed.