The General Data Protection Regulation (GDPR) is coming. Are you ready?
In May of 2018, sweeping new legislation will impact data privacy and corporate obligations in the European Union (EU) and beyond. Now is the time to act to ensure compliance by the time the regulation goes into effect.
How can OnBase help you meet your GDPR compliance objectives?
Organizations can use the OnBase enterprise information platform to create solutions that support their GDPR compliance initiatives. A variety of out-of-the-box functionality, flexible configuration options and built-in security controls offer the agility needed to help navigate the changing data privacy landscape.
OnBase helps organizations support their GDPR compliance initiatives, including:
Security and data protection: GDPR requires companies to take reasonable data protection measures for sensitive and personal information. The OnBase platform is highly secure by design – from development to post-launch support – with a dedicated application security team that continuously enhances and improves security protocols. Together with powerful encryption, our security practices ensure critical information like personal data and documents is protected at every stage: while at rest, while in use and while in transit between servers. Built-in features like strict password policies and granular rights management provide control over exactly who can access information and what they can do with it.
Right to erasure and records management: Organizations can use OnBase to uphold individual privacy rights by securely storing, protecting and destroying information. This supports GDPR privacy mandates, such as an individual’s right to have their data erased (‘right to be forgotten’). Using pre-defined rules, OnBase can fully automate the records management process, from document creation to record declaration through final disposition/removal. Streamlining the retention and destruction of documents containing personal data enforces corporate policies while minimizing or eliminating penalties associated with accumulating expired records. Organizations can set retention time periods based on regulatory requirements or automatically trigger disposition based on a specific event or request.
Streamlined compliance-related processes: With configurable workflow automation and case management functionality, you can improve GDPR compliance-related processes. These include tracking information about archived documents; providing reminders of upcoming audits; processing the steps to obtain consent and fulfill the ‘right to be forgotten’; and notifying appropriate parties of security breaches or data loss. Solutions can be designed to track registration of controls, audits, results, deviations and corrective actions, with reporting dashboards for insight into these areas to continuously improve. OnBase can also help organizations manage internal policies and procedures that support GDPR. With automatic distribution of policies, digital confirmation by recipients and reports of acknowledgments and delinquencies, organizations ensure employees are trained on the latest data privacy standards.
Data management and findability: GDPR requires organizations to securely and efficiently manage individuals’ sensitive and personal data – and the ability to produce specific data on demand to fulfill a request is key. OnBase enables organizations to tag content with related metadata. Information can be stored alongside the document itself and used to dynamically link all related content – equipping users to quickly find all information for a particular customer, case, incident or request.
Auditability and reporting: Assisting organizations in working toward GDPR compliance and preparing for audits, OnBase logs every time a user accesses, views, edits or acts on a document or data record. Authorized executives and managers have access to review audit logs to ensure anyone accessing personal information is following organizational or industry standards. Audit information can even be made available to external auditors via a secure website, helping to avoid costly penalties, streamlining audits and supporting corporate and industry compliance measures.
What is the GDPR and when does it take effect?
The GDPR, or the General Data Protection Regulation, is designed to protect the privacy of EU citizens; enforce standardized data privacy laws across the EU; and reshape the way organizations in the EU and beyond process and manage personal data. The GDPR replaces the EU Data Protection Directive of 1995 and will go into effect in May 2018.
Does GDPR apply only to companies in the EU?
No; any organization that collects or processes personal data of individuals in the EU or that offers goods or services to individuals in the EU is subject to the GDPR.
Is the GDPR specific to a certain industry? Does it apply to cloud or on-premises data storage?
The GDPR is not industry-specific and applies to both cloud and on-premises data processing and storage practices.
What are some of the key terms of GDPR, and how do these apply to organizations?
Personal data: Any data related to an identified or identifiable person. This includes identifiers such as name, an identification number, location data, an online identifier, or any factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Controller: A person, entity or public authority that determines the purposes and methods of processing personal data.
Data subject: A person whose personal data is processed by or on behalf of a controller.
Processor: A person, entity or public authority that processes personal data on behalf of a controller.
What are the main requirements of the GDPR?
GDPR requirements can be traced back to seven principles of processing outlined in the regulation. These principles all seek to protect the privacy of individuals in the EU:
Lawfulness, fairness and transparency: Organizations must conduct data processing in a lawful, fair and transparent manner.
Purpose Limitation: Organizations may process data only for the purpose for which it was collected and communicated to a data subject.
Data Minimization: In processing, the minimal amount of data should be collected to achieve the stated objectives.
Data Accuracy: Collected data should remain accurate for as long as it’s with the controller, and inaccurate data should either be removed or rectified.
Storage Limitation: Organizations should store data for only as long as necessary.
Integrity and Confidentiality: Processing should be done in a manner that appropriately protects the data using technical and organizational safeguards and preventing unauthorized or accidental disclosure or damage.
Accountability: The controller maintains primary responsibility for ensuring these principles are met, including when processing is delegated to a processor.
What’s the impact of noncompliance with GDPR?
Organizations that don’t take appropriate steps to protect personal data under the GDPR may face fines of up to 20 million Euros, or 4% of their total worldwide annual turnover. These fines are in addition to any compensation they may owe to individuals. Other potential impacts could include suspension or limitation on data flows, public reprimand and reputational damage.
Are there specific technologies, processes or systems dictated by the GDPR?
No; while establishing an extensive set of standards and requirements, the GDPR does not specify particular technologies, processes or systems. Companies can choose the technical and organizational measures they use to comply with the regulation.