This article is the first of an 8-part series, in collaboration with CDI-Partners, describing the 7 GDPR challenges for unstructured data. We hope this provides additional transparency and helps you better understand our solution for complying with the regulation.
As there are no real examples of data breaches or other GDPR infringements, we have to look elsewhere if we want more insight into the effects of the GDPR. A good place to look for information is the United Kingdom. Although data breach notification is not mandatory, it is considered to be a best practice and close to 3000 breaches are reported each year.
Did you know that most of them are related to unstructured or semi-structured data? Documents, spreadsheets, emails and even paper files? One reason could be that it is far easier to properly protect data that are stored in databases, accessed through applications, than it is to have control over what happens to unstructured data.
Unstructured data are found everywhere: in emails and documents, stored on local or network drives, in the cloud or on USB keys. And they are easily copied and distributed. Unstructured doesn't mean chaotic. There can be a structure in the way the documents are stored, making it easy to link these documents to contracts, offers or individuals. And they are vulnerable. The most common type of data breach is sending these documents containing personal data to the wrong recipient by post, fax or email. Once an email has been sent it is impossible to control it, or is it?
This is where a document management system comes in. You no longer send an email; you send a secure link, and only users with appropriate rights have access.
But this is not the only advantage. Audit trail, usage tracking, retention policies, and legal archiving are just a few advantages that can easily be implemented with a document management system such as Alfresco.
To make this very tangible, here are 7 challenges for securing your company’s documents.
- First, how do you know what documents to protect? How do you know they contain personal data?
- Secondly, you have to adequately protect these documents.
- Then, there is the aspect of responsibility: organisations must prove that they process personal data in a responsible way. And they need proof of having a legitimate purpose or consent to hold the document.
- If data are on a portable device and it is important to work offline, how can they be protected?
- And if something has gone wrong? How do you know what data have been lost or stolen?
- Personal data cannot be kept longer than necessary, or must be removed after a legitimate demand to be forgotten.
- Sometimes it is necessary to share documents with another party. How will you know who you have shared the document with and for what legitimate reason? And how do you inform the third party of a request to be forgotten?
Combined with the unique GDPR functionalities of Alfred GDPR, Alfresco is the most appropriate environment to store, modify, archive, and delete your files.
Alfred GDPR is a solution to manage unstructured data:
- GDPR enabling metamodel, adaptable to specific needs
- Discover Personally Identifiable Information in documents
- Tag documents containing different types of Personal Data
- Security rules based upon PII-type (No PII, PII, Sensitive, Medical, Criminal)
- And many other features …
In the coming weeks we will cover every challenge in detail. Stay tuned.
The series is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.