In the previous posts, Bart van Bouwel and Jean-Luc Goedermans, from CDI-Partners, have introduced 7 challenges for securing your company’s documents and files: how to identify documents containing personal data, how to secure these documents and how to control access to these documents.
In this post we focus on the devices used to work with these documents.
People use different devices for different purposes and in different circumstances. Think about your habits: when you work at the office or at home, writing documents and creating content, you will use a computer. But to consult these documents, for instance while you are traveling, you will use a tablet or a laptop.
Although more and more people are always connected, storing documents locally on a device is still a common practice. This implies that the protection of these precious documents depends on the security of the portable device.
When an unencrypted portable device (a smartphone or a laptop) is lost or stolen and there is a possibility that it contains files with personal data, you will have to report this loss as a personal data breach! The notification to the supervisory authority must contain a description of the likely consequences of the personal data breach. But how many companies know which files are on which device? My guess: not so many.
So, the challenge has two aspects: how to store the documents in a secure way and how to keep control over these files once they are stored on a portable device.
Securing the storage is not so hard if you can secure the device the documents are on. You can encrypt hard disks and memory cards and protect access to the device with password policies. But what if you don’t have control over the device?
And how can you know which files are on the device? Can you limit the possibilities to copy the files to another device, such as a USB key, or block sending these files by e-mail?
To face this challenge, Xenit is working on securing the content, through the Alfred GDPR Architecture and some features of the two products, Alfred Desktop and Alfred Finder, built on top of the Alfresco functionalities.
Alfred Desktop, a desktop application for Alfresco, keeps track of local content and removes it as soon as the user is done with it. For off-line editing and modification, working copies are created in a download directory. Each working copy is under the control of Alfred Desktop and exists locally only as long as it is needed. However, the corporate desktop policies remain important: local drives that can contain sensitive information should be encrypted at all times.
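The working-copy lifecycle described above, as an added sketch that is not Alfred Desktop's code: a ledger records every copy written to a download directory, deletes it on release, and audits what is still on the device, which is the inventory a breach notification needs. The class, the ledger file name, the field names and the state labels are hypothetical, and the download directory is assumed to exist.

```python
import hashlib
import json
import time
from pathlib import Path

class WorkingCopyLedger:
    """Hypothetical ledger of working copies kept in one download directory."""

    def __init__(self, download_dir, ledger_name=".working-copies.json"):
        self.dir = Path(download_dir)
        self.path = self.dir / ledger_name
        self.entries = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.entries, indent=2))

    def check_out(self, doc_id, filename, content, user, gdpr_category):
        """Write a working copy and record who holds which document."""
        name = Path(filename).name  # drop directory parts so we stay inside self.dir
        (self.dir / name).write_bytes(content)
        self.entries[name] = {"doc_id": doc_id, "user": user, "gdpr_category": gdpr_category,
                              "sha256": hashlib.sha256(content).hexdigest(),
                              "checked_out": time.time()}
        self._save()

    def release(self, filename):
        """The user is done: delete the local copy and forget the entry."""
        name = Path(filename).name
        (self.dir / name).unlink(missing_ok=True)
        self.entries.pop(name, None)
        self._save()

    def audit(self, max_age_seconds, now=None):
        """Return (report, untracked): state of each copy, plus files not in the ledger."""
        now = time.time() if now is None else now
        report = []
        for name, e in sorted(self.entries.items()):
            f, state = self.dir / name, "ok"
            if not f.exists():
                state = "missing"    # recorded but no longer on disk
            elif now - e["checked_out"] > max_age_seconds:
                state = "stale"      # kept locally longer than the policy allows
            elif hashlib.sha256(f.read_bytes()).hexdigest() != e["sha256"]:
                state = "modified"   # edited locally, not yet returned
            report.append({"file": name, "doc_id": e["doc_id"], "user": e["user"],
                           "gdpr_category": e["gdpr_category"], "state": state})
        untracked = sorted(p.name for p in self.dir.iterdir()
                           if p.is_file() and p != self.path and p.name not in self.entries)
        return report, untracked
```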
With Alfred Desktop and Alfred Finder, a web application for finding documents on an Alfresco back end, organizations can set a “GDPR download policy”. In this policy, customers can enforce whether the original document format (Microsoft Office) or PDF should be downloaded.
Additionally, a watermark can be added to a downloaded file. Via the watermark, identification information is attached according to customer requirements. Typically, that covers “who” downloaded, a unique document ID and the GDPR categorization, and it might contain consent information on whether the document can be distributed outside of the organization.
Alfred Edge makes it possible to apply different types of access control to Alfresco: mobile users can have other policies than desktop users. We can disable downloading documents from a mobile device, but allow the previewing of such documents, while desktop users are allowed to download a document. Note that 'previewing' in many cases does an implicit browser download: customers that want to fully block such risk should explore pure 'streaming' solutions on top of our Alfred GDPR Architecture.
Thanks for reading and keep a lookout for our next challenge: “Detect breaches and take appropriate action”. In the meantime, you can contact us for any specific request and we will be glad to help you and provide our support.
The series is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.