GDPR enforcement 8 months on… how do you ease administrative burden?

29th January 2019

We’re now 8 months into GDPR enforcement, which saw significant changes to the way businesses process and secure personal data. Businesses from the mighty to the small have hit the headlines in their droves thanks to potential non-compliance, and Google has been handed a fine of €50 million (£44 million) by French regulator CNIL for a lack of transparency in the way it processes consumers’ data.

Google certainly won’t be the only company to be penalised in 2019; a recent Talend survey found that 74% of surveyed UK businesses failed to respond to subject access requests (SARs). This is understandable, as research conducted pre-GDPR found that complying with GDPR subject access requests alone would take 172 hours a month for small-to-medium-sized businesses, rising to a staggering 1259 hours per month for larger enterprises (defined as having over 250 employees). 

This equated to one employee solely dedicated to the task (smaller businesses) or 7.5 employees (larger enterprises), and is calculated based on the number of SARs businesses of varying sizes are expected to receive. For the companies at the smaller end of the scale, 89 enquiries a month are expected. From that, employees will search an average of 23 databases to look for the individual’s Personally Identifiable Information (PII), with each search taking an average of 7 minutes.

As you’d expect, larger enterprises will receive significantly more subject access requests; the estimate for big businesses is 246 per month. But with more databases to search, this will take almost 7 times longer. Much of this time comes from manual, error-prone processes that could be automated, or at least streamlined. It can feel like a daunting task with little value beyond avoiding a financial penalty, but the good news is that there is an alternative.

That alternative is a cloud document management solution.

SharePoint is one of the most well-known and comprehensive electronic document management systems (EDMS), and for good reason. As Microsoft continues to evolve Office 365, which has many apps built upon a solid SharePoint foundation, its capabilities have only grown stronger. Importantly, SharePoint Online is a cloud-based solution that is accessible anytime, anywhere, offering businesses mobility, which is essential in the digital-first world.

A key feature of a SharePoint EDMS, particularly in relation to processing GDPR-related requests, is its searchability, also known as findability. As long as your documents are saved in the SharePoint EDMS, it doesn’t matter where a document is stored – you can find it with a simple search. SharePoint’s internal search engine is powerful enough that its findability has been loosely likened to Google’s search. Saving all documents in a SharePoint environment, which would be a requirement of having a document management solution in place, means any documentation containing a subject’s personal information would be instantly returned.

Of course, for any business implementing a solution to support GDPR compliance, it’s essential that the solution is regulated and comes with its own policies. SharePoint allows users to set a wide variety of policies, from large global policies to ones specifically related to certain documentation.

A key example is a personal information policy, whereby you can dictate that any documentation that holds personal information – like full names, email addresses, phone numbers or even financial information – cannot be shared outside of your organisation. At the moment someone tries to share such a document, for example via email, SharePoint scans it for the criteria (in this case personal information) and blocks the sharing of the document; this safeguards against the inappropriate sharing of sensitive customer or employee information.

A comprehensive EDMS solution offers more than just a streamlined way to process GDPR requests; it’s also equipped to help you streamline a number of related processes. The revision of policies and processes is a key tenet of the GDPR, in particular policies related to data processing and retention. It’s vital to cascade these policies to employees to ensure GDPR compliance is embedded in your company culture.

A SharePoint EDMS solution allows you to disseminate key GDPR policies to your staff and track whether or not they’ve been read and accepted. Notifications can be triggered once a document is read, or if employees miss the deadline. SharePoint can even be used as an online learning management system (LMS), with policies added to courses that have a quiz to pass to ensure the information is taken on board. 

A comprehensive document management system will also ensure that your key stakeholders are working on one version of the truth. Features like version control and audit history allow multiple parties to work on the same document – even at the same time with the cloud-based SharePoint Online – without losing important updates to the document.

As businesses continue to adapt to GDPR, there’s no doubt that processes could be streamlined and there’s still a lack of understanding around what constitutes a breach; self-reported breaches to the Information Commissioner’s Office increased five-fold in the months following the deadline, with the majority not constituting reportable breaches. 

It’s essential that organisations reduce the strain on already-overstretched resources when it comes to GDPR compliance. Implementing an electronic document management system – or utilising an existing one, which will likely be the case for specific sectors like housing and legal – is one of the most viable options, significantly reducing time spent on complying with subject access requests and securely managing documentation with personal information.