In May 2018, a new regulation on the protection of personal data came into force in the EU – the General Data Protection Regulation (GDPR). This legislation has far-reaching consequences for private companies as well as public-sector institutions which have to formalise how personal data is processed.
Below you can read more about how the OnBase platform can contribute effectively to complying with the requirements.
Security and data protection: The GDPR requires businesses to put in place reasonable data protection measures for sensitive and personal information. High security has been part of the design of the OnBase platform from the outset – all the way from development to subsequent support. A dedicated security team at Hyland constantly maintains and optimises the security protocols. Combined with powerful encryption, key information (such as personal data and documents) is secured and protected at all levels: at rest, in use and in transit between servers. Built-in functions such as strict requirements for access codes and classified rights management provide an accurate overview of who can access information, and what can be done with that information.
Right to erasure and case documentation: Organisations can use OnBase to manage individual rights to protect personal data by storing, protecting or erasing the information securely. This supports the GDPR privacy rules, e.g. a person’s right to have his/her data erased (“the right to be forgotten”). Using pre-defined rules, OnBase can automate this process management, all the way from creating documents to documentation in connection with final erasure. This automated management of the archiving or destruction of documents containing personal data makes it easy to avoid incorrectly retaining expired cases/documents, with the attendant risk of penalties. It is possible to set retention periods, or to automatically trigger file erasure in response to a particular event or request.
You can ensure proper compliance with GDPR-related processes with configurable automation of workflows and different case management functionalities. These include tracing of information about archived documents, reminders about upcoming audits, processing of the different steps involved in obtaining consent, fulfilment of the “right to be forgotten” as well as notifications to relevant parties about security breaches or data loss.
All solutions can be designed to trace records of inspections, audits, results, deviations and corrective actions, with reporting dashboards giving access to these areas with a view to continuous improvement. OnBase can also help organisations to manage internal policies and procedures that support the GDPR. With automated distribution of policies, digital approval from recipients and reports about acceptance and breaches, the organisation ensures that employees stay abreast of the latest data security standards.
Data processing and file finding: The GDPR requires organisations to manage personally sensitive data effectively and securely – and the key to this is the ability to find accurate, relevant data in time. OnBase makes it possible for organisations to tag content with related metadata. This information can be stored together with the actual document and used to dynamically link all related content, and to let users quickly find all the information about a particular customer, case, incident or request.
Audit and reporting: To help organisations in their GDPR compliance work and in the preparation of any audits, OnBase automatically logs every instance of a user accessing, viewing, editing or handling a document or data item. Authorised management personnel have access to audit logs to ensure that everyone who has access to sensitive personal information follows applicable standards. Audit information can even be made available to external auditors via a secure website, helping to avert unnecessary, costly penalties.
What is the GDPR and when did it come into force?
The EU General Data Protection Regulation (GDPR) serves to protect the privacy of EU citizens, enforce standardised legislation for the protection of personal data throughout the EU, and to reformulate the way organisations in the EU process and manage personal data. The GDPR supersedes the EU Data Protection Directive of 1995, and came into force in May 2018.
Does the GDPR apply only to businesses in the EU?
No; every organisation that collects or processes personal information in the EU, or offers goods or services to individuals in the EU, is subject to the GDPR.
Is the GDPR related to a particular industry? Does it apply to data storage in the cloud or locally?
The GDPR is not industry-specific, and applies to both cloud-based and local data processing and data storage.
What are the key terms of the GDPR, and how do these apply to organisations?
Personal data: Any kind of information related to an identified or identifiable physical person. This includes identification details such as name, ID number, location data, online identification information or other factors specific to the person’s physical, physiological, genetic, mental, financial, cultural or social identity.
Data controller: An individual, entity or public authority that determines the purpose and methods for processing personal data.
The data subject: A person whose personal data is processed by or on behalf of a data controller.
Data processor: A person, entity or public authority that processes personal data on behalf of a data controller.
What are the key requirements of the GDPR?
The requirements of the GDPR can be traced back to seven basic principles of data processing, described in the Regulation. These principles all seek to protect the privacy of individuals in the EU:
Legality, fairness and transparency: Organisations must carry out data processing in a legal, fair and transparent manner.
Restriction of purpose: Organisations may only process data for the purpose communicated to the data subject.
Minimisation of data: Only a minimal amount of data may be collected, sufficient for the purpose stated.
Data accuracy: Collected data must be kept up to date and accurate for as long as it remains with the data controller, and inaccurate data must be erased or corrected.
Restriction of data storage: Organisations should only retain data for as long as necessary.
Integrity & confidentiality: Data must be processed in such a way as to suitably protect the data using technical and organisational safety precautions to prevent unauthorised or unintentional publication or damage.
Accountability: The data controller has the primary responsibility for ensuring compliance with all principles, including when transferred to a data processor.
What happens in the event of non-compliance with the GDPR?
Organisations that fail to put in place suitable measures to protect personal data under the GDPR may face penalties of up to EUR 20 million or 4% of their combined annual international turnover. These penalties are in addition to any compensation that the organisation may owe to individuals. Other potential consequences may include suspension or restriction of data flows, public prosecution and general loss of reputation.
Does the GDPR prescribe any specific technologies, processes or systems?
No: In establishing the comprehensive set of standards and requirements, the GDPR does not prescribe any particular technologies, processes or systems. Companies can freely opt for technical and organisational measures of their choice for compliance with the regulation.
How can OnBase help you to administer the GDPR?
OnBase Enterprise Information Platform is tailored to support your organisation’s work of fulfilling the requirements of the GDPR. A broad spectrum of out-of-the-box functionalities, flexible configuration settings and built-in security checks provide the necessary flexibility to be able to navigate the new data security landscape.