In the previous posts, Bart van Bouwel and Jean-Luc Goedermans, from CDI-Partners, have introduced 7 challenges for securing your company’s documents and elaborated on having “State of the art security of the documents and the metadata”.
Today, we will go deeper into the aspect of responsibility: organizations must prove that they process personal data in a responsible way. And they need proof of having a legitimate purpose or consent to hold documents containing personal data.
Organizations need to ensure that their data processing activities are carried out in accordance with the regulation. In particular, organizations should pay close attention to the principles of transparency and data minimization while implementing new data processing activities.
Article 24 states "...the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”.
Good security is just a first layer, preventing unauthorized access to the data. On top of that, companies must also have internal rules, written down in policies, on how personal data is treated. And they must be able to demonstrate that these rules are followed.
When we store documents in Alfresco, we can use the metadata to control who has access to which document. And this can be far more granular than with traditional access rights. Not only the place the document is stored (e.g. the HR-network drive) or the type of document (e.g. a medical questionnaire), but also the content of the document can be used. A rule could be “Exclude all documents where the person requesting access is mentioned”.
These kinds of rules are of course highly dependent on the context of a company or even a specific process within that company. They can either block access to specific documents or flag this kind of access in the audit module. For instance, a local hospital lists all employees accessing medical files of famous patients. This list is reviewed by the management on a weekly basis. Blocking access would interfere with providing care in an emergency situation, but the staff knows that, without a legitimate reason, they face dismissal when accessing these files.
For documents, as for structured data (fields stored in databases), organizations must determine and communicate the lawful basis and the purpose for processing. When storing documents containing personal data in Alfresco, it is possible – and recommended – to store the lawful basis and a reference to the consent application as meta-data. When an opt-out is recorded, all documents that were dependent on the consent of a data subject can be deleted with one simple instruction.
These functionalities are supported by Alfred GDPR. Alfred GDPR applies a double filtering for GDPR access control. First of all, classical Access Control Lists are used. They assign the right to view or modify documents to groups of users. Access control lists are the base permission management mechanism in Alfresco. Extending this to cope with GDPR would complicate matters a lot.
[Figure: Alfred Desktop - Permissions: assigning rights to view or edit a document]
Therefore, we have a filtering mechanism in Alfred GDPR that is based upon meta-data and GDPR roles. As an example, your organization can create a “GDPR sensitive” role, assigned to a limited number of people, and only they will be able to perform operations (consult or share) on “GDPR sensitive” documents.
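The double filtering described above (a classic ACL first, then a meta-data and GDPR-role filter including the "exclude documents where the requester is mentioned" rule) and the one-instruction deletion on opt-out, as an added illustration in plain Python. This is not Alfred GDPR's or Alfresco's code; the property names (`gdpr_sensitive`, `lawful_basis`, `consent_ref`, `data_subjects`), the role name and the sample repository are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Document:
    name: str
    acl: dict                                   # group -> set of rights (classic ACL)
    metadata: dict = field(default_factory=dict)  # GDPR properties stored as metadata

@dataclass
class User:
    name: str
    groups: set
    gdpr_roles: set = field(default_factory=set)

def acl_allows(doc: Document, user: User, right: str) -> bool:
    """First filter: classic access control list, rights granted per group."""
    return any(right in doc.acl.get(group, set()) for group in user.groups)

def gdpr_allows(doc: Document, user: User) -> bool:
    """Second filter: metadata- and GDPR-role-based rules (hypothetical rule set)."""
    meta = doc.metadata
    # Rule 1: "GDPR sensitive" documents are only visible to holders of that role.
    if meta.get("gdpr_sensitive") and "GDPR sensitive" not in user.gdpr_roles:
        return False
    # Rule 2: exclude every document in which the requesting person is mentioned.
    return user.name not in meta.get("data_subjects", ())

def can_access(doc: Document, user: User, right: str) -> bool:
    """Double filtering: the ACL and the GDPR filter must both allow the operation."""
    return acl_allows(doc, user, right) and gdpr_allows(doc, user)

def delete_on_opt_out(repo: list, consent_ref: str) -> tuple:
    """Opt-out: drop every document whose lawful basis is the withdrawn consent.
    Returns (remaining documents, names of deleted documents)."""
    deleted = [d.name for d in repo if d.metadata.get("lawful_basis") == "consent"
               and d.metadata.get("consent_ref") == consent_ref]
    return [d for d in repo if d.name not in deleted], deleted

# Constructed sample repository and users (illustrative values, not real data).
REPO = [
    Document("cv_alice.pdf", {"hr": {"view", "edit"}},
             {"lawful_basis": "consent", "consent_ref": "C-001", "data_subjects": ["alice"]}),
    Document("medical_bob.pdf", {"hr": {"view"}},
             {"lawful_basis": "consent", "consent_ref": "C-002", "gdpr_sensitive": True,
              "data_subjects": ["bob"]}),
    Document("payroll.xlsx", {"hr": {"view"}}, {"lawful_basis": "contract", "data_subjects": ["alice", "bob"]}),
]
HR_CLERK = User("carol", {"hr"})                          # ACL access, no GDPR role
HR_GDPR = User("dave", {"hr"}, {"GDPR sensitive"})        # ACL access plus GDPR role
ALICE = User("alice", {"hr"})                             # HR member who is herself mentioned
```

Note that the payroll document survives the opt-out because its lawful basis is a contract, not the withdrawn consent, which is why the basis has to be recorded per document.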
Thanks for reading and keep a lookout for our next challenge: “Make documents available offline in a secure way.” In the meantime, you can contact us for any specific request and we will be glad to help you and provide our support.
The series is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR.