One year of EU GDPR: How to avoid costly breaches
May 25, 2018 was not just any day: it was the day the EU General Data Protection Regulation (EU GDPR) became applicable. Even today, the EU GDPR still makes many a company break out in a sweat. Which rules apply to which kind of information? How can you protect customer and business partner data? How can you ensure its verifiable and complete deletion while still complying with legal retention periods? And how tough have the authorities been on breaches? Here is how companies have been handling the new data protection requirements over the past year, and which compliance measures lead to success.
It may surprise some, but only 20% of CIOs and IT/process managers say that they fulfill the requirements of the EU GDPR. This was an alarming result of “ECM Insights”, a study conducted by SER among companies from all industries with revenue of at least 100 million euros. Even more shocking: nearly a quarter weren't even aware of the EU GDPR. On a more positive note, 80% of the respondents have already launched EU GDPR compliance initiatives.
Companies can’t afford to wait too long to react. The fines for not fulfilling the data protection requirements can truly hurt: up to 20 million euros or 4% of global annual turnover, whichever is higher. Bans on data processing are also possible. The global law firm DLA Piper published a report on EU GDPR enforcement in Europe, revealing that in 2018 “only” 91 fines were imposed, but that more fines are expected over the coming year as the regulators clear the backlog of breach notifications. One of the highest fines, 80,000 euros, was issued to a company in southwestern Germany. Considering how high the fine could have been, this seems rather mild. But this may be the calm before the storm. Matthias Horn, Senior Consultant Cyber Risk/Risk Advisory at the auditing firm Deloitte, warns that companies shouldn’t rely on the authorities’ leniency for long: “They have to realize that the authorities will be taking action much more often in the future.” So what can and must companies do to prevent penalties?
1. Get an overview of personal data in your company
According to the EU GDPR, companies must protect all personal data and, on request, hand it over to the data subject or delete it completely. This alone causes uncertainty among businesses: many do not know where this kind of information is located. Data sits in CRM and ERP systems such as SAP, contracts in file systems, customer requests in emails, and the list goes on. If a customer invokes the right to erasure, that is when the big search effort starts. Those that have an ECM system like Doxis in place have it much easier: Doxis identifies, for instance, all documents and processes that contain data related to a specific person. The moment a document is filed, it is automatically labeled so that personal data can be discovered, transferred and deleted immediately should this be required.
2. Ensure verifiable (physical) deletion
Are you sure you were able to delete all of someone’s personal data? The first hurdle is to find out where that person’s data is located. But deletion isn’t just a matter of pressing a button: companies must be able to prove the deletion. We give our customers this assurance when they choose Doxis. Matthias Horn, who helps companies define and implement customized deletion classes, confirms: “The ECM software solution Doxis from SER offers functionalities to classify data, which enables companies to fulfill their data protection obligations regarding all data collected through the software. The ECM solution can also automatically manage retention periods and storage deadlines.” All of this means that deletion is not only complete, but also efficient and fully documented by the software.
3. Comply with retention periods
One of the biggest dilemmas for companies in relation to the EU GDPR is how to delete personal data and still comply with legal retention periods. Deletion is obligatory, but so is audit-proof archiving. One way out of this dilemma is to progressively strip the personal references from the data: with pseudonymization and anonymization techniques, companies can “black out” the parts of a record that identify a person while keeping the record itself. A second measure is to restrict access to the data, which prevents misuse for as long as it must still be retained. Together, these allow companies to safeguard the rights of individuals without ignoring legal retention periods. With Doxis, you can implement the necessary concept for authorizations, deletion and retention for all relevant information. The EU GDPR certification of Doxis gives you an extra layer of security.
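The Python block below is an added example written for this article; it is not SER or Doxis code and does not show how Doxis works internally. It ties together points 2 and 3: business records (invoices, which must be kept for a retention period assumed here to be ten years) carry only a keyed pseudonym instead of name and email; the identity and the per-subject HMAC key live in a separate registry, which is the “additional information” that GDPR Art. 4(5) requires to be kept apart. An erasure request physically deletes the subject’s records that are already past retention, destroys the key and identity so that the remaining records can no longer be linked to the person, redacts free-text documents, and writes every step to a hash-chained deletion log that can later be verified. All names, amounts, dates and the email text are constructed sample data.

```python
"""Pseudonymised records, crypto-shredding style erasure and a hash-chained
deletion log. Constructed example for illustration; not SER/Doxis code."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION = timedelta(days=10 * 365)  # assumed legal retention period for invoices


@dataclass
class Invoice:
    invoice_no: str
    pseudonym: str      # keyed pseudonym; no name or email in the record itself
    amount_eur: float
    issued: date


class DeletionLog:
    """Append-only log where each entry commits to the previous one, so an
    altered or removed deletion entry is detected by verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, pseudonym, when, action):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "pseudonym": pseudonym,
                "date": when.isoformat(), "action": action, "prev": prev}
        body["hash"] = self._digest({k: v for k, v in body.items()})
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class SubjectRegistry:
    """Identity plus per-subject HMAC key, stored separately from the records."""

    def __init__(self):
        self._subjects = {}

    def register(self, subject_id, name, email):
        self._subjects[subject_id] = {"key": secrets.token_bytes(32),
                                      "name": name, "email": email}
        return self.pseudonym(subject_id)

    def pseudonym(self, subject_id):
        key = self._subjects[subject_id]["key"]
        return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:24]

    def is_known(self, subject_id):
        return subject_id in self._subjects

    def find_records(self, subject_id, invoices):
        """Point 1: locate every record that belongs to a person."""
        p = self.pseudonym(subject_id)
        return [inv for inv in invoices if inv.pseudonym == p]

    def redact(self, subject_id, text):
        """'Black out' direct identifiers in free text, e.g. an archived email."""
        s, p = self._subjects[subject_id], self.pseudonym(subject_id)
        for value in (s["name"], s["email"]):
            text = text.replace(value, "[" + p + "]")
        return text

    def erase(self, subject_id, invoices, log, today):
        """Honour an erasure request without breaking retention: delete what is
        past retention, keep the rest unlinkable, destroy key and identity."""
        p = self.pseudonym(subject_id)
        kept, deleted = [], []
        for inv in invoices:
            if inv.pseudonym == p and today - inv.issued >= RETENTION:
                deleted.append(inv.invoice_no)
                log.append(p, today, "deleted " + inv.invoice_no)
            else:
                kept.append(inv)
        del self._subjects[subject_id]          # the only link to the person
        log.append(p, today, "identity and pseudonym key destroyed")
        return kept, deleted


def demo(today=date(2019, 5, 25)):
    reg, log = SubjectRegistry(), DeletionLog()
    erika = reg.register("cust-4711", "Erika Mustermann", "erika@example.com")
    max_ = reg.register("cust-0815", "Max Mustermann", "max@example.com")
    invoices = [Invoice("INV-2008-001", erika, 120.0, date(2008, 3, 1)),   # past retention
                Invoice("INV-2017-042", erika, 80.5, date(2017, 11, 20)),  # must be kept
                Invoice("INV-2018-007", max_, 15.0, date(2018, 6, 1))]
    found = [i.invoice_no for i in reg.find_records("cust-4711", invoices)]
    redacted = reg.redact("cust-4711", "From: erika@example.com\nDear Erika Mustermann, ...")
    invoices, deleted = reg.erase("cust-4711", invoices, log, today)
    return {"found": found, "deleted": deleted, "redacted": redacted,
            "remaining": [i.invoice_no for i in invoices],
            "log_entries": len(log.entries), "log_ok": log.verify(),
            "subject_known": reg.is_known("cust-4711")}


def tamper_is_detected():
    log = DeletionLog()
    log.append("abc", date(2019, 1, 1), "deleted INV-1")
    log.append("abc", date(2019, 1, 2), "identity and pseudonym key destroyed")
    log.entries[0]["action"] = "nothing deleted"   # tamper with an older entry
    return not log.verify()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. Whether destroying the key and identity is accepted as “erasure” of the pseudonymised records is a legal question to settle with your supervisory authority or counsel, and it only holds if backups and exports of the registry are covered by the same deletion. The hash chain makes the log tamper-evident but not self-proving: anchor its latest hash somewhere the operator cannot rewrite (WORM storage, an external timestamp) if it is to serve as evidence of deletion.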
Data protection is a top priority — not only with regard to legal consequences, but also when it comes to maintaining the trust of customers and business partners. Why risk any kind of breach?