The GDPR is an EU regulation with consequences that extend beyond European borders. Its purpose: Protect EU citizens from data and privacy breaches by harmonizing data privacy laws across Europe. Companies that breach the legislation risk severe fines. Here’s a breakdown of what the GDPR is, how it can potentially affect Canadian-based businesses and how a Canon software solution, Therefore™ information management, may help users with their GDPR compliance efforts.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation that strengthens personal privacy rights. In theory, it’s a European law; in reality, the global reach of an online presence means companies based elsewhere are equally affected. It gives consumers more rights over how companies use their personal data. Companies must now have consumers’ explicit and informed consent to collect their data, and they must make it easy for consumers to withdraw that consent. It applies to any company—regardless of where it’s based—with customers in the EU.
What does it mean for consumers?
Consumers, rather than companies, now have greater control over their personal data. It’s now their choice to opt in to sharing data or receiving information. Companies must provide an active way for consumers to consent; the GDPR specifically states that silence, pre-ticked boxes or inactivity don’t constitute consent. Consumers can access and request a copy of what personal data a company has on them, and find out where and how the information is being used. And they have the right to be forgotten; that is, to ask a company to delete all data it has on them.
What constitutes personal information?
It’s basically anything and everything that could identify an individual. This includes direct identifiers (such as name, address and social insurance number), indirect identifiers (such as credit card info, email address, phone number, occupation and employer) and online identifiers (such as IP address and cookie data). Metadata connected to an individual is also included. Other protected personal data includes data related to health and genetics, race and ethnicity, biometrics, political opinion and sexual orientation.
How does it affect Canadian businesses?
The regulation explicitly extends to those without a bricks-and-mortar presence in the EU. It protects customers anywhere their data travels; therefore, any company, regardless of where in the world it’s located, with a database that includes EU citizens must comply.
Therefore™ information management software allows users to capture, secure, access, automate and analyze all of their business information. Users can place information into Therefore™ in three ways: by using a document scanner, by directly uploading existing electronic documents or by using the Therefore MFP (multifunction printer) Application. The software, which works with Canon business equipment, not only securely stores documents but also offers complete control over their access; permission settings determine who can view and/or modify any given document. The software is verified and certified to facilitate GDPR-compliant data management, and may help users protect themselves from breaches and heavy fines. Here are some of the ways.
It helps users store, organize and find personal data held by their company.
Once users place their information in Therefore™, they can also customize how they categorize this data, making it simple to pull individual information or specific case files. The software makes it easy to create workflows for fulfilling Subject Area Requests (SARs), exporting data, responding to data breaches and retaining personal information.
It helps create a more secure data management environment.
With Therefore™, users can limit who has permission to open and edit documents and data, including metadata. The software can create regular security reports so information managers can review who has access to what. Users can even manage access when someone steps away from their desk; if an open session stays inactive for a pre-set length of time, the system automatically logs the user out.
It helps companies “forget” consumers.
Consumers now have the right to request that companies delete all data they hold on them. Therefore™ makes it easy to export or erase data from the system, and to set reminders for when documents need to be deleted on their own.
It helps ensure secure data transfer to third parties.
Under the new regulation, any third-party data processor a company uses must also be GDPR compliant. With Therefore™, users can transfer private or sensitive information in either proprietary or open file types with customizable permission settings; before transferring, users can allow or deny individual receivers the right to read, edit and/or delete any document, have administrative access or be granted any other special permission.
It helps companies meet the GDPR’s reporting requirements.
Once a company receives a SAR—a consumer requesting their personal data—it has 30 days to respond. By controlling workflow, including how data is organized, Therefore™ makes fulfilling SARs as easy as clicking a case folder. The software can also create timely reports detailing SARs completed and those in progress, which adds another layer of detail to documentation should regulators ever come calling.
It helps track compliance efforts.
Maximum fines for non-compliance are steep. However, if a company is found in breach of the GDPR, regulators will consider its compliance efforts (response times, provisions in place, etc.) when determining the penalty. By storing all documents related to security measures within Therefore™, users can answer important questions for every version: who edited it; when did they edit it; and what revisions did they make. Users can go one step further and set permissions for who can edit and delete a given document, and track who did and did not read a given document. Therefore™ can even configure an audit trail to track every action that users perform.