Seven questions and seven issues finance directors must consider about GDPR
Six months from now, in May 2018, the General Data Protection Regulation (GDPR) replaces the current Data Protection Act. Described as the ‘biggest shake up’ of data protection law for 20 years, the new rules will change how organisations store and use personal data, while extending their responsibility to protect it. Are you prepared – indeed, do you see this as relevant to you?
Achieving GDPR readiness requires organisations to locate, and bring under control, all the personal data held in documents and emails scattered across disparate systems, network folders and – worryingly – sometimes still in paper-based storage. It goes without saying, then, that finance directors will need to be extremely vigilant to ensure they meet the new regulation.
However, it’s not all gloom and doom. This also represents a major opportunity for finance directors to transform their approach to privacy, harness the value of data, and ensure their organisation is fit for the digital economy. Now is the time to review current technologies and decide whether they will be fit for purpose come May.
Seven questions finance directors should be asking themselves now:
- Can you easily find documents?
- Are they all in one location?
- Do you know how many copies of the data exist?
- Do you know how long each document should be kept for legal reasons?
- Can document access be restricted?
- Could documents get into the ‘wrong hands’?
- How exposed are you to a security breach?
An automated document management system (DMS), which stores, manages and tracks electronic documents and electronic images of paper-based information, helps finance departments meet GDPR requirements by providing traceability on every document. It can help with a range of issues the regulation will throw up, for example:
The right to be forgotten
With paper files, first locating and then erasing all data on an individual is a time-consuming and difficult task. Information could easily be spread over many different sites and locations, and be duplicated or even lost. Using a document management system means all files are stored in one location, and finding and erasing the relevant ones is a much simpler and more efficient process – provided every copy, not just the master, is under the system’s control.
Data retention
Under the GDPR, organisations should only keep personal data for as long as is necessary, and only for the purpose for which it was obtained. It’s therefore prudent to introduce best-practice processes so that documents are retained only for the statutory period and then removed automatically. This means finance directors must regularly ‘prune’ data; a tricky and time-consuming job without the right systems in place.
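The retention rule described above, as an added example that is not from the original post or from any DMS vendor’s code. It assumes a constructed document register, an illustrative retention schedule (`RETENTION_YEARS`, an assumption, not a legal schedule), that an erasure request cannot remove a record still inside its statutory retention window, that a record with no statutory period is erased on request, and that a legal hold blocks deletion regardless. Every decision is written to an audit list, since the later sections of the post rely on a DMS audit trail.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative statutory retention periods in years per document type.
# ASSUMPTION: these values are placeholders, not a legal retention schedule.
# None means "no statutory period": keep only while needed for its purpose.
RETENTION_YEARS = {
    "invoice": 6,
    "payroll": 3,
    "customer_correspondence": None,
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_type: str
    data_subject: str        # the individual the record concerns
    created: date
    legal_hold: bool = False  # litigation/audit hold blocks any deletion


@dataclass(frozen=True)
class Decision:
    doc_id: str
    action: str   # "retain", "hold", "delete" (period ended) or "erase" (on request)
    reason: str


def retention_end(doc: Document):
    """Date on which the statutory period ends, or None if there is no statutory period."""
    years = RETENTION_YEARS.get(doc.doc_type)
    if years is None:
        return None
    try:
        return doc.created.replace(year=doc.created.year + years)
    except ValueError:  # created on 29 Feb and the target year is not a leap year
        return doc.created.replace(year=doc.created.year + years, day=28)


def evaluate(doc: Document, today: date, erasure_requests=frozenset()) -> Decision:
    """Decide what to do with one document as of `today`."""
    if doc.legal_hold:
        return Decision(doc.doc_id, "hold", "legal hold in place; deletion blocked")
    end = retention_end(doc)
    requested = doc.data_subject in erasure_requests
    if end is None:
        if requested:
            return Decision(doc.doc_id, "erase", "no statutory period; erased on request")
        return Decision(doc.doc_id, "retain", "no statutory period; kept only while needed")
    if today >= end:
        return Decision(doc.doc_id, "delete", f"statutory period ended {end.isoformat()}")
    if requested:
        # The right to be forgotten does not override a statutory duty to keep the record.
        return Decision(doc.doc_id, "retain", f"erasure requested but statutory retention runs to {end.isoformat()}")
    return Decision(doc.doc_id, "retain", f"within statutory period until {end.isoformat()}")


def prune(register, today: date, erasure_requests=frozenset()):
    """Return (documents to keep, audit trail of every decision) without mutating the input."""
    remaining, audit = [], []
    for doc in register:
        decision = evaluate(doc, today, erasure_requests)
        audit.append(decision)
        if decision.action in ("retain", "hold"):
            remaining.append(doc)
    return remaining, audit


# Constructed sample register; identifiers and names are made up for the example.
REGISTER = [
    Document("INV-001", "invoice", "alice", date(2011, 4, 30)),
    Document("INV-002", "invoice", "bob", date(2015, 1, 15)),
    Document("PAY-003", "payroll", "alice", date(2014, 3, 1), legal_hold=True),
    Document("COR-004", "customer_correspondence", "alice", date(2017, 6, 1)),
    Document("INV-005", "invoice", "alice", date(2016, 2, 29)),
]
TODAY = date(2018, 5, 25)
ERASURE_REQUESTS = frozenset({"alice"})


def run_example():
    return prune(REGISTER, TODAY, ERASURE_REQUESTS)


if __name__ == "__main__":
    kept, trail = run_example()
    for d in trail:
        print(f"{d.doc_id}: {d.action:6} {d.reason}")
    print("kept:", [doc.doc_id for doc in kept])
```

Run on the constructed register, INV-001 is deleted because its six-year period has passed, PAY-003 is kept despite being past its period because of the legal hold, COR-004 is erased on the data subject’s request, and INV-005 is kept because its statutory period has not ended even though the same person asked for erasure. The audit list is the part a regulator will ask for.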
Consent
Consent rights for individuals have been strengthened under the GDPR. Of critical importance to finance professionals is that organisations must not only be able to prove they obtained an individual’s permission to store and use their data, but must also be able to provide electronic copies of that individual’s records on demand. This will be a difficult ask for organisations without the right systems to manage the process.
Privacy by design
The GDPR also talks about ‘privacy by design’, whereby data protection is hardwired into the processes and behaviours of the organisation. A DMS can help ensure everyone is working in the same manner and to the same procedures, and can also demonstrate compliance by evidencing all communications and involvement with a client, as well as controlling who has access to which data.
The right to access
Under the GDPR, individuals have the right to access their personal data. The information must be provided to the individual by ‘reasonable means’ and within one month of receipt of the request. Using a DMS means information is stored in one place, can be easily accessed, and efficiently sent to the individual within the set timescale. All user actions within a DMS are recorded in an audit trail, and deletion is controlled rather than accidental, providing confidence that the right data can easily be passed on.
The right to data portability
This right allows individuals to move, copy or transfer their personal data easily and securely from one IT environment to another. Fulfilling such a request is made easier with a DMS – all the information can be located, retrieved and sent on within the set timescale in a structured, commonly used and machine-readable format.
Breach notification standards
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant authority within 72 hours of becoming aware of the breach, and in some cases to notify the individuals affected without undue delay. With a DMS, the audit trail shows which documents were touched, by whom and when, so a breach can be scoped and reported promptly; something that is nearly impossible when dealing with paper documentation in various locations.
Preparation for GDPR is a company-wide responsibility and will affect every department in the organisation. Although finance is an initial focus for many – hence our advice here – the reality is that preparation must cover every department holding personal data, from sales and marketing to IT and HR; areas we will address in more detail in future blogs.
There simply is no room for complacency. May 2018 is not far away and, with considerable work to be done by the majority of organisations, it’s vital that finance directors get on the front foot now. To gain greater insight, we’re carrying out some research into awareness and readiness – so take part and we’ll report back on the findings. Thanks in advance for taking part.
by Dean McGlone