Best practice

Attention, shared folder users and email enthusiasts – here comes the GDPR

  30. 03. 2018

The key challenges in ensuring the compliance of personal data protection lie in designing appropriate personal data management processes and establishing accountability for such processes. Companies often experience difficulties because, under pressure from ongoing operations, they don’t establish a comprehensive overview of all the personal data they process.

Personal data in shared folders, e-mail, or cloud storage

Personal data now appear in all key business processes, and as a rule in documents arising during implementation. Some of these are adequately protected and stored, while others are often exchanged by email, Dropbox, and other cloud storage services, or stored as common folders on a network drive.

Even in more regulated companies, the compliance of personal data protection can’t be guaranteed if employees are unaware of the importance of personal data, if they don’t understand or accept the need to ensure confidentiality, and if they don’t take into account the rights of data subjects. Therefore, personal data protection cannot be the sole responsibility of lawyers or IT departments, but requires a comprehensive approach and the involvement of stakeholders in various fields.

Challenges of ensuring IT systems compliance

The issue of the GDPR compliance of dedicated problems is probably the quickest and easiest to solve. This is also confirmed by Mikrocop’s experience both as a contractual processor of personal data for a range of clients and in providing advice on ensuring data protection compliance. Nevertheless, we recommend that companies not underestimate the challenges of ensuring compliance in this area.

Verify how and whether personal data are secured during transmission in such a way as to make their disclosure impossible. Are personal data adequately protected in databases and in file storage, or do employees exchange personal data via e-mail or cloud storage? Are the roles and permissions of IT systems users set up in such a way that only authorized persons can access personal data? How do individuals exercise their right to be forgotten, if the conditions are met, and how comprehensive is the audit trail of users, administrators and other systems?

These and other related challenges are particularly important when a company decides to use new software solutions. At that time, consideration should be given to the selection of appropriately certified tools and services; otherwise, these issues must be kept in mind during changes to the company's information system, as well as employee turnover.

The certified InDoc EDGE platform and process solutions

The InDoc EDGE platform combines the capabilities of document management systems (DMS), business process management (BPM) and electronic storage. Users configure their own process solutions, and can use them to respond to key business challenges in the company – from simple day-to-day tasks such as distribution of incoming mail or settlement of incoming invoices to more demanding tasks involving various media and, as a rule, including automated decision-making based on operational rules.

An efficient user experience and legal compliance are key priorities for InDoc EDGE development. For example, users can simply flag whether a document contains personal information, and if necessary, the collection of personal data is automatically updated accordingly. The company can also decide whether to request that users indicate the purpose for accessing personal data before said data is displayed. Such access information is later reflected in numerous pre-prepared reports on personal data use, as well as in the comprehensive audit trail.

Use of InDoc EDGE process solutions reduces the day-to-day operational risks, which businesses face. The platform is certified by the administrative authorities and responds to the challenges of GDPR compliance. Therefore, InDoc EDGE solutions represent a secure, reliable, legally complaint alternative to shared folders and file exchange via e-mail or cloud storage, while also contributing to greater transparency and operational efficiency.

Sanja Žaubi, Data protection officer at Mikrocop,
Klemen Novak, Business development manager at Mikrocop