Be updated, subscribe to the OpenKM news

General Regulation of Data Protection of the European Union - GDPR

Written by Ana Canteli on 5 january 2017

May 25th 2018 will be a date to remember for companies and organizations of all kinds (located in the European Union or not) that control or process data of citizens of the EU.

That day will come into force the New General Regulation of Data Protection of the European Union, better known as GDPR.

If in 2016 exchange market of goods rised to 362 billion €¹; and that of services to almost 226 billion, only for the EU-US bloc; we can get an idea of the economic, social and real impact that this legal provision will have for the most developed economic regions of the world.

Because this directive of the European Union, is applicable not only in the EU countries, but their guarantees protect the processing of data of natural persons and therefore citizens of any EU member. Regardless the country in which the company that owns such information is.

To make effective these measures of protection of personal data, the general regulation of data protection contemplates fines of up to € 20 million or 4% of the total sales volume of the organization. In short; the breach or violation of this regulation, can take out from the market even the largest and best established companies in the sector.

Therefore, the first questions that arise in this new scenario are: Am I affected by compliance with the new regulation? And What do I have to do to fulfill it?

In the coming months, you will appreciate an increase in information regarding software that will publicize compliance with the general data protection regulations. Faced with these affirmations, one must be careful and realistic.

By itself, no software, application or computer tool (document management system, enterprise content management system) will make our company comply with the requirements of control, processing, treatment or protection of personal data, as required by the GDPR.

This new regulation that will come into force, aims to respond to the new threats that the digital era pours on the security and privacy of people.

Historically for the European Union, the right to privacy is an immutable and specially protected principle. Privacy is considered a fundamental right of human beings (Article 7 of the Charter of Fundamental Rights of the European Union). While in other countries such as the United States; the concept of privacy is different depending on the business sector, or the sensitivity, or commercial value that is given to the protected information.

Depending on the country, sector of activity, habits and customs; the appearance of this new regulation can suppose a big change in the way to manage data of physical people, and carry out the treatment of the same ones.

What is personal data in the GDPR? Basic concepts

The definition of the concept of personal data is broader than in the previous legal framework; since it incorporates all information capable of allowing personal identification. "Personal data" is considered to be any information related to a natural person that can be used to directly or indirectly identify a person. It can be anything: an IP address, a photo, a video, a name, an e-mail, banking information, social media publications, health information, etc.”

The GDPR also stipulates which organizations are subject to the regulations "shall apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing is carried out in the EU or not." A controller is the entity that determines the purposes, conditions and means of processing personal data. While the processor is an entity that processes personal data on behalf of the controller.

This means that cloud storage, big data technology or predictive analytics applications must also comply with regulations.

As well; "Shall apply to the processing of personal data of persons residing in the EU by a controller or processor not established in the EU, when the activities refer to offering goods and services to EU citizens (regardless of whether payment is required for that reason) and the monitoring of the behavior that takes place within the EU. Non-EU companies that process data for EU citizens will also have to designate a representative in the EU. "

News of the General Regulation of Data Protection

• Clear, concise and affirmative consent: include pop-ups with the "I accept" option already selected or extracts included in privacy policies; it will no longer be enough to comply with the new regulations. This more developed standard affects for example, the storage of cookies designed to identify the device or the person through the web.
• The figure of the data protection officer is mandatory: any organization that deals with data that "involve a systematic and periodic control of data on a large scale, or when the entity performs a large-scale treatment of "special categories of personal data" must designate agents responsible for data protection.
• Governance of information: the organization must establish who should authorize access to personal data located in the systems or applications of the company; who must access the data and limit the access permission.
• Regular controls: audits and revisions will be required on regular basis, to ensure compliance with the new regulations on safety.
• Location and transfer of data: the user must be informed that their data are being stored in the EU and if they are transferred to other non-secure country.
• Shared legal responsibility: both, the data processors and the controllers share the obligation and direct legal responsibility, in case of data breach.
• Right of access to your personal data: the user has the right to know if their personal data are being processed, where and for what purpose. The person in charge must provide a free digital copy of the personal data.
• Respect and global application of the privacy principle: privacy must be taken into account from the conceptual beginning of the product or service that the company wants to offer, passing through each and every one of the phases and elements that are part of the final result.
• Right to be forgotten: people have the right to have their personal data delete from the entity responsible for the processing of them, stop disseminating them and prevent third parties from proceeding with their processing. It must be borne in mind that the controllers can avail themselves of the "public interest in the availability of data" when processing these requests.
• Evaluation of data protection: companies must evaluate the effectiveness of the data privacy policy with which they comply with the regulation, especially in cases where the risk of violation is high; to minimize the impact and resolve those security breaches.
• Notification of data breach: if a breach of personal data is detected, the organization must notify it to the data protection authority within 72 hours; unless there are exceptional causes that justify the delay.

How OpenKM can contribute to compliance with the GDPR

We have already said that by default, any system can hardly cover all the cases that occur in the company. In this aspect, the OpenKM Document Management System is sufficiently versatile, customizable and adaptable to allow organizations from different sectors to use the software to manage the documents and information of the entity; so  they meet the requirements of the New General Regulation of Data Protection of the European Union.

For example, depending on the sector of activity, metadata management must be done under encryption; circumstance that in turn can be subject to different levels of security. In other scenarios, the company may not have to encrypt the metadata, but it must do so with the physical files.
The dilemma occurs not only in relation to access to information; but in making information management possible, so that system administrators - for example in areas of restricted access to information, such as in the health sector - can carry out their work, ensuring that even they can not access data of a certain nature. The communications between the user's computer and the application are encrypted by SSL.

In addition, the business content management system that is incorporated into the suite of programs of the company must be able to integrate with the rest of applications. In this sense, OpenKM offers SDK's for JAVA, PHP and .NET that allow the integration of the software in a way that allows the company to manage the knowledge accumulated in it. Taking into account aspects such as the type of data that hosts each of the applications, what level of access is necessary to define. Is it necessary to encrypt the data? At database level? Of operating system?...

Implementation of the General Regulation of Data Protection of the European Union in the company: Good practices.

In the scope of application of the new regulation, it would be advisable to apply a series of good practices:

• Failed access control to the document management system.
• Connection between the browser and the application made through SSL, ensuring the transmission of data.
• Carry out a complete audit of all the actions carried out by the user; from the login until the log out. It allows the traceability of both the activity of the user and the life cycle of the document; since it is created, through the different stages - OpenKM from the “History” tab allows access to the versions of the same file and also allows you to compare them to see the differences between them - how many users have intervened in it, what they have done, etc.
• Application of security at granular level. With OpenKM we can make users access the document management system adapted to their needs; so that they access the work areas they need, and within them, the functionalities they use. At node level (folder, revord, email, document) we can also manage security independently. Users, both at the group and individual level, may or may not execute certain privileges - reading, writing, deleting, downloading ... - depending on the privileges to which they have access. The settting of metadata assigned to each document may be visible completely or not, depending on who accesses the file. It is even possible that within the group of metadata, some fields are accessible and others are encrypted.

In any case, an element without which you could not aspire to apply any legislation or law; it is the architecture model of the company's information. The more robust the model is, the more developed the controls that sustain the systems are and therefore, the easier it will be to apply and fulfill the GDPR in the long term.