Information technology has advanced in recent years, changing the way individuals and organizations communicate with one another and share information. This development has led to an increasing use of data in the Member States of the European Union (EU). To achieve harmonization among all countries, the General Data Protection Regulation (GDPR) was adopted; it will enter into force on May 25, 2018 and represents the most important change in personal data protection of the past 20 years.
The Regulation brings changes that will affect companies of all sizes that process the personal data of European citizens, inside or outside the EU. New concepts and approaches will come into force, but they may lead to coordination problems.
Among the most important changes in the Regulation are:
- extended territorial scope, including the EU, as well as non-EU companies,
- higher penalties and a wider scope of powers for the national data protection authority,
- broader rules for the notification of breaches.
GDPR also extends the rights of individuals and gives them:
- the right to object to profiling,
- the right to a copy of the collected personal information about them,
- and, as a novelty, the right “to be forgotten”.
Enterprises operating in the EU will have to monitor the new arrangements carefully in the coming months, as they will reshape the way data has been managed so far. Although the GDPR is very clear about the protection of personal data, it does not describe the processes and technologies that companies must use to achieve that protection.
Mikrografija offers you an approach that uses metadata to provide the security and management needed to protect personal data. Metadata can play an important role in helping companies meet the requirements of the GDPR. Within an ECM (Enterprise Content Management) system, metadata can help companies categorize and manage personally identifiable information (OPI) in accordance with the GDPR.
Take contracts and accounts, for example. Both contain sensitive data about customers. The ECM system can treat a file labeled as a “contract” or an “account” as OPI. It is crucial to identify the person whose information is in the file, since citizens can now ask a company for an index of the OPI it keeps about them. Once a file is tagged as containing personally identifiable information (OPI), the ECM system can automatically initiate further measures to ensure the information is handled and processed properly under the new regulation:
- encrypting all files and objects that contain OPI, both in transit and at rest,
- using access control and permission management so that only authorized users have access,
- enforcing retention and deletion rules to ensure that data is not kept longer than necessary,
- preventing files or objects containing OPI from being transmitted or otherwise transferred outside the organization, whether unintentionally or deliberately,
- an audit trail of all changes,
- an audit trail of all accesses.
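To make the tag-driven approach described above concrete, here is an added example (not Mikrografija's product code) of a simplified ECM in Python: the `doc_type` label decides on ingest whether a file is tagged as OPI, and that tag then drives access control, an egress block, retention-based deletion, an audit trail, and the per-person index a data subject may request. The document types, roles, domain, dates and retention period are all constructed; encryption at rest is only recorded as a required control, since a real ECM delegates it to key-managed storage.

```python
"""Metadata-driven controls for PII-tagged documents in a simplified ECM.

Constructed example: the documents, roles, domain and dates below are made up.
Encryption at rest is recorded as a required control rather than performed,
because a real ECM delegates it to key-managed storage.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Document types the ECM labels as containing personally identifiable information (OPI).
PII_DOC_TYPES = {"contract", "account"}
ORG_DOMAIN = "example.org"          # constructed organisation domain used for egress checks


@dataclass
class Document:
    doc_id: str
    doc_type: str          # metadata label such as "contract" or "account"
    data_subject: str      # the person whose data the file holds ("" if none)
    created: date
    metadata: dict = field(default_factory=dict)


@dataclass
class Ecm:
    retention_days: int
    acl: dict                                   # doc_type -> set of roles allowed to read
    store: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, event, doc_id, actor, outcome):
        """Audit trail of every access to and change of a stored object."""
        self.audit_log.append((event, doc_id, actor, outcome))

    def ingest(self, doc, actor):
        """Classify on ingest: the doc_type label decides whether OPI controls apply."""
        if doc.doc_type in PII_DOC_TYPES:
            doc.metadata.update(pii=True, encrypt_at_rest=True, egress_blocked=True)
        self.store[doc.doc_id] = doc
        self._audit("ingest", doc.doc_id, actor, "stored")
        return doc.metadata.get("pii", False)

    def read(self, doc_id, actor, role):
        """Access control: OPI-tagged files are readable only by roles in the ACL."""
        doc = self.store[doc_id]
        if doc.metadata.get("pii") and role not in self.acl.get(doc.doc_type, set()):
            self._audit("read", doc_id, actor, "denied")
            return False
        self._audit("read", doc_id, actor, "allowed")
        return True

    def export(self, doc_id, actor, recipient):
        """Egress control: OPI-tagged objects may not leave the organisation's domain."""
        doc = self.store[doc_id]
        external = recipient.rsplit("@", 1)[-1].lower() != ORG_DOMAIN
        if doc.metadata.get("egress_blocked") and external:
            self._audit("export", doc_id, actor, f"blocked:{recipient}")
            return False
        self._audit("export", doc_id, actor, f"sent:{recipient}")
        return True

    def purge_expired(self, today, actor="retention-job"):
        """Retention: delete OPI-tagged files kept longer than the retention period."""
        cutoff = today - timedelta(days=self.retention_days)
        expired = [d.doc_id for d in self.store.values()
                   if d.metadata.get("pii") and d.created < cutoff]
        for doc_id in expired:
            del self.store[doc_id]
            self._audit("delete", doc_id, actor, "retention-expired")
        return expired

    def subject_index(self, data_subject):
        """Index of OPI files about one person, as a data subject may request it."""
        return sorted(d.doc_id for d in self.store.values()
                      if d.metadata.get("pii") and d.data_subject == data_subject)


def demo():
    """Run the controls over constructed sample documents and return the outcomes."""
    ecm = Ecm(retention_days=365 * 5, acl={"contract": {"legal"}, "account": {"finance"}})
    today = date(2018, 5, 25)
    docs = [  # constructed sample documents
        Document("D1", "contract", "Jane Doe", date(2017, 3, 1)),
        Document("D2", "account", "Jane Doe", date(2012, 1, 15)),   # older than retention
        Document("D3", "brochure", "", date(2018, 1, 1)),           # holds no personal data
    ]
    for d in docs:
        ecm.ingest(d, actor="scanner")
    return {
        "legal_reads_contract": ecm.read("D1", "alice", "legal"),
        "sales_reads_contract": ecm.read("D1", "bob", "sales"),
        "export_internal": ecm.export("D1", "alice", "colleague@example.org"),
        "export_external": ecm.export("D1", "alice", "someone@partner.example"),
        "brochure_export_external": ecm.export("D3", "bob", "someone@partner.example"),
        "purged": ecm.purge_expired(today),
        "jane_index": ecm.subject_index("Jane Doe"),
        "audit_events": len(ecm.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the design is that every control keys off the single `pii` tag set at ingest, so a misclassified file is the one failure that bypasses all of them; in practice the classification step is where review effort belongs, and the audit log is what shows afterwards which files were read, exported or deleted and by whom.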
An automated approach to the protection of OPI brings order, consistency and efficiency to the task, which makes it faster and easier to meet the requirements of the GDPR. Given the severe penalties the GDPR prescribes, it is clear that companies will have to prepare a plan to meet all of its requirements. Introducing an ECM system is a step towards meeting those requirements and protecting OPI.