Documentation managers, beware!
Much personal data is found in documents, meaning that personal data protection is directly related to the management and archiving of documents.
The EU's General Data Protection Regulation (GDPR) requires data controllers to implement data protection by design and by default, ensure transparent and easily accessible information on data processing, maintain records of processing activities, and conduct data protection impact assessments.
Harmonizing personal data protection with the applicable legislation
The question is to what extent we already comply with the applicable legislation and how we regulate our relations with contracted data processors. If our current processing and protection practice already conforms to the regulations, we don't need to worry, since the needed amendments are not so extensive as to cause any major issues.
In any case, it is advisable to involve all contractual data processors in the GDPR compliance project. Only together can we provide efficient organizational and technological solutions that bring our business the highest level of information security and support document management that complies with all statutory requirements.
What must documentation managers do first?
1. Minimize the extent of data processing
The GDPR applies the data minimization principle to data processing. Our data protection tasks will be much easier if we minimize the amount of personal data collected, the extent of their processing, the period of their storage and the number of data processors.
2. Make sure to select reliable contractual data processors
The GDPR explicitly states that we must select reliable contracted data processors. The processors should demonstrate their reliability through appropriate certificates, e.g. the ISO/IEC 27001 information security standard and the ISO 9001 quality management standard. These certificates attest to the regularity of business operations of the contracted data processor and the level of quality and information security in place.
When selecting data processors, we should focus not only on the trustworthiness of their security protocols and measures but also on their know-how, reliability, consistency, and the resources available to carry out technical and organizational measures. A provider specializing in electronic storage and accompanying services will need to combine knowledge and experience in document and archive protection, IT solutions and the security requirements linked to the protection of systems and data, in particular as regards personal data protection.
3. Amend contracts with contracted data processors
The Personal Data Protection Act (ZVOP-1) stipulates that data controllers must conclude a contract with data processors processing data on their behalf. With the GDPR imposing new requirements regarding the content of the contract, existing contracts will have to be amended. New contracts must set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller.
4. Check and adjust the filing systems catalogue
If we process data regularly, we must protect them, and in order to do that we first need to know where and what data are kept. The GDPR requires controllers to maintain records of processing activities (Article 30), which identify and list the categories of personal data and special categories of personal data. The records shall also contain information about the legitimate interest of the processing and, if possible, the envisaged time limits for erasure of the different categories of data. Where possible, the records should also contain a general description of the technical and organizational security measures.
5. Verify the need for impact assessments
Where data processing is likely to result in a high risk to the rights and freedoms of data subjects, the GDPR stipulates (Article 35) that the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. The impact assessment is required in particular in connection with automated, systematic processing and evaluation of personal data, processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences, and systematic monitoring of a publicly accessible area on a large scale.
Want to know more? Contact us!