
Are your employees breaching GDPR regulations during lockdown, putting your company at risk?


It would appear that many employees, despite being aware of their GDPR obligations and the risk posed to their employer, are failing to comply with GDPR regulations simply by printing documents at home.

You can read the full article that piqued my interest here, but it got me wanting to know more about the ‘why’. What compelled those surveyed to print the documents?

But then a more important question eclipsed any others:

Why have companies simply not removed the ability for such documentation to be printed in the first place? 

In this author’s humble opinion, the simple answer is probably that those companies are not managing the input, distribution, processing and life cycle of their documents: the business has no real control over the documents associated with its business processes. That is the type of control a well-implemented document management (DM) / enterprise content management (ECM) platform would give any business, for any process within a document’s lifecycle.

A brief, over-simplified example: a document comes into your company containing high-risk personal data (DOB / address / bank codes). This document needs to be reviewed by several people, potentially commented on, and stored for a specific period of time. It is the type of document your business needs to protect from unauthorised access, viewing or distribution, and precisely the type of document subject to GDPR regulation.

Bad Scenario (High risk to the company)


  1. The document arrives within the business – let us assume as a physical paper document.
  2. The document is reviewed and an employee (who is in the office) determines a few people need to review the document. The employee uses the copier to scan the document to a PDF stored on a network share.
  3. The employee attaches the document to an email (not just a shortcut to the drive) and sends it to 4 people. That employee then stamps the hard copy and sticks it in a filing cabinet.
  4. All 4 employees who were messaged collect their email via a web portal, essentially working ‘offline’ from the office network. All 4 of them receive the email attachment and download a copy to their devices! Wait, it gets worse: none of these devices are owned by the company; they are all using personal computers when working at home.
  5. At least 2 of the employees print the documents to review and annotate before replying to the group. One even takes a photo on their mobile device to evidence the annotations and emails that image to the group.
  6. Once all actions are decided (via email) between the group, one of the users responds by letter and emails a copy of that letter to the other 3 as a record of the response.


Good Scenario (Low risk to the company)


    1. The document arrives…
    2. The document is reviewed and an employee (who is in the office) scans the document into the company ECM. As part of this process, the physical document location (filing box) is recorded as an index to that digital record.
    3. The document enters a configured business process that allows distribution to selected employees. The process sends invitations to 4 employees (via email) to login and review the document.
    4. The 4 employees receive the email and connect to the secure remote access portal (via web browser) to view the document image.
    5. The security controls assigned to the document allow the 4 employees to apply annotations (‘post-it’ notes, highlights, shapes) as an additional layer to the image and submit their approval for any required actions via radio buttons and a comments index. The system prevents printing or downloading of this document.
    6. Once all approvals are made, the business process initiates a task to the group for a response to the sender to be created. This letter is created by template on the ECM platform, updated as required by the task owner and then ‘sent’ via the office print room. An email is also generated with a link to the response in the ECM and sent to the 4 responsible employees.
    7. 7 years later… a task is assigned to the records manager by the ECM business process records management configuration. The employee reviews the document stored on the platform, determines if the electronic record needs to be kept or destroyed and then locates the filing box to destroy the original document. Once the action has been completed, the employee updates the audited records management task.

In the bad scenario there are multiple physical and digital copies of the document stored across network shares, individual mailboxes, personal computer drives, office filing cabinets and private homes. The company is reliant on individual due diligence to protect the information, delete any digital copies and legally dispose of any physical copies; but with email as the only record of the transaction, this is unlikely to happen. There is also no set task to manage the record for compliance.

In the good scenario, there are only two copies, one physical and one digital. Both records are managed, secured, easily accessible to those employees with the correct security credentials, and the transaction / document can be searched for on the ECM platform. The lifecycle of the document is managed and (most importantly) fully audited.
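To make the controls behind the good scenario concrete, here is an added example (not code from the original post or from any ECM product) that models them as a single server-side decision point: a named set of invited reviewers, a classification-based policy in which print and download simply do not exist for high-risk records, annotations kept as a layer separate from the document image, a retention date that triggers the destroy task, and an audit entry for every request whether allowed or denied. The classification names, the single records-manager role and the sample document are assumptions made for the illustration.

```python
"""Added example: a minimal model of ECM-style document controls.

Names, roles, classifications and the sample document are constructed for
illustration; they do not describe any particular ECM product.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum, auto


class Action(Enum):
    VIEW = auto()
    ANNOTATE = auto()
    APPROVE = auto()
    PRINT = auto()
    DOWNLOAD = auto()
    DESTROY = auto()


class Classification(Enum):
    INTERNAL = auto()
    HIGH_RISK = auto()   # DOB, address, bank codes: personal data under GDPR


# Actions an invited reviewer may take on a document of each classification.
# The key point of the good scenario: for HIGH_RISK records PRINT and DOWNLOAD
# are not in the set at all, so the server never hands out a copy to enforce
# on the client side.
REVIEWER_POLICY = {
    Classification.INTERNAL: {Action.VIEW, Action.ANNOTATE, Action.APPROVE,
                              Action.PRINT, Action.DOWNLOAD},
    Classification.HIGH_RISK: {Action.VIEW, Action.ANNOTATE, Action.APPROVE},
}


@dataclass
class Document:
    doc_id: str
    classification: Classification
    received: date
    reviewers: frozenset[str]           # invited by the business process
    records_manager: str                # the only user who may DESTROY (assumed role)
    physical_location: str              # index to the single paper copy
    retention_years: int = 7
    # Annotations are a layer over the image, never edits to the record itself.
    annotations: list[tuple[str, str]] = field(default_factory=list)
    # Append-only audit trail: (when, who, action, decision).
    audit: list[tuple[date, str, str, str]] = field(default_factory=list)


def retention_due(doc: Document) -> date:
    """Date on which the records-management task fires for this record."""
    target_year = doc.received.year + doc.retention_years
    try:
        return doc.received.replace(year=target_year)
    except ValueError:  # received on 29 Feb and the target year is not a leap year
        return doc.received.replace(year=target_year, day=28)


def authorise(doc: Document, user: str, action: Action, today: date) -> bool:
    """Single decision point. Every request is audited, allowed or denied."""
    if action is Action.DESTROY:
        # Only the records manager, and only once the retention period has passed.
        allowed = user == doc.records_manager and today >= retention_due(doc)
    else:
        allowed = user in doc.reviewers and action in REVIEWER_POLICY[doc.classification]
    doc.audit.append((today, user, action.name, "ALLOW" if allowed else "DENY"))
    return allowed


def annotate(doc: Document, user: str, note: str, today: date) -> bool:
    """Store a reviewer's note as a layer; refused (and audited) if not permitted."""
    if not authorise(doc, user, Action.ANNOTATE, today):
        return False
    doc.annotations.append((user, note))
    return True


def run_scenario() -> Document:
    """Constructed walk-through of the good scenario with sample data."""
    doc = Document(doc_id="REC-0001", classification=Classification.HIGH_RISK,
                   received=date(2021, 2, 1),
                   reviewers=frozenset({"alice", "bob", "carol", "dave"}),
                   records_manager="rm", physical_location="Box 17, shelf B")
    day = date(2021, 2, 2)
    for user in sorted(doc.reviewers):
        authorise(doc, user, Action.VIEW, day)                 # 4 allowed views
    annotate(doc, "alice", "Check the account number on page 2", day)
    authorise(doc, "bob", Action.PRINT, day)                   # denied: no PRINT for HIGH_RISK
    authorise(doc, "carol", Action.DOWNLOAD, day)              # denied: no DOWNLOAD for HIGH_RISK
    authorise(doc, "mallory", Action.VIEW, day)                # denied: not an invited reviewer
    authorise(doc, "rm", Action.DESTROY, day)                  # denied: retention not yet expired
    authorise(doc, "rm", Action.DESTROY, retention_due(doc))   # allowed: 7 years later
    return doc


if __name__ == "__main__":
    for entry in run_scenario().audit:
        print(*entry)
```

The denials are as important as the approvals: in the bad scenario nothing records that a copy was printed or forwarded, whereas here the attempt by bob to print is itself an audited event the records manager can review.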

Simply put, with a DM / ECM platform, documents are secure, controlled and managed. Are yours?


Toby Gilbertson, Customer Services Manager. February 2021