14. February 2018
Guest Post: New EU Data Protection Regulation (EU GDPR) in 2018
Contribution by Markus Olbring from comdatis it-consulting with comments by Jens Büscher, CEO AMAGNO.
The transitional period ends on May 25th, 2018 and the General Data Protection Regulation (GDPR) as well as Germany’s new Federal Data Protection Act (BDSG) will apply to companies.
“Companies are required to be able to react very quickly to the regulation, e.g., the Right to Erasure, (aka The Right to be Forgotten), as long as by doing so they do not come into conflict with other laws. The sheer amount of paper documents, files and emails make it hard for companies to analyse the relevant data they possess quickly. We see Enterprise Content Management (ECM) software such as AMAGNO as an essential cornerstone for companies who wish to achieve EU-GDPR compliance. AMAGNO can search for keywords such as name, customer number, or date of birth, in practically any file source whether physical or digital, identifying and highlighting the full-text from almost all file formats in a matter of seconds. This enables businesses to find the information they need to, destroy it, anonymise it or edit it as required.”
Keywords such as “Privacy by design” and “Privacy by default” mean that software manufacturers must also become active and provide data-protection-friendly functions.
What can users expect and what do software vendors have to do?
“As well as making working with digital documents enjoyable, and ensuring a high degree of automation, the security aspects of digital documents are at the heart of our software development. The basic default settings of our software are already set up to prevent access to data. Users cannot see or access content, structures, and folders without specific additional configuration, which is also the case at the database level: this built-in security measure automatically affects all clients and the Restful API. In addition to numerous data storage security measures, all files (emails, documents, receipts, etc.) with personal data in AMAGNO are encrypted and anonymised.”
The following table provides a brief overview of the requirements that software manufacturers should meet by May 25th, 2018.
Requirement | Significance |
Data Minimisation | - The user should be able to administer the software in such a way that only required data fields are used for specific purposes.
“These are standard functions, and organisational requirements should also be specified at this point. This has the benefit of allowing rapid evaluation of these data fields by authorised persons.”
|
Technology-related data protection (privacy by design/privacy by default) | - The development process should consider the requirements of data protection during release planning for new/changed functions and bug fixes.
“AMAGNO documents the entire development cycle from planning, implementation, quality assurance and documentation to support cases. This is part of the IDW PS 880 certification.” - Compliance with data protection requirements must also be ensured for third-party software components.
“To the extent that the GDPR applies to the software components.” - Protocol logging and record keeping (referring to personal data) should be comprehensibly documented and appropriate.
“AMAGNO outlines automatically generated protocols related to persons, e.g., deletion protocols.” - Data protection-friendly default settings must already be activated at the outset (software side).
“Until relevant permission settings are configured, users are blocked, i.e. they do not have the “read” permission for files within the system, as standard.”
|
Data Portability | - The software manufacturer should provide functions that allow the export of personal data in a machine-readable format.
“AMAGNO allows authorised users to create reports as well as export as XML or CSV, e.g., for use in Excel.” - The description of the software should include an overview of where which personal data is stored.
“AMAGNO provides the database storage locations and furthermore is designed in such a way that the pure meta-data contained in the databases, if not encrypted, can only be brought manually into context with other data using special tools with a high level of expertise and with considerable effort. And at this level, the operating company should also possess or implement other organizational and technical measures, apart from AMAGNO.”
|
Delete function | - The software’s delete functions should be clearly available and documented.
“AMAGNO’s specific search functions make it possible to quickly find and delete the required data and files, as long as it is not protected technically on a legal basis, e.g., long-term user-definable file storage.” - Functions for the anonymisation / pseudonymisation of personal data should be available.
“As an alternative to deletion, user accounts can be made anonymous/pseudonymised.” - DMS solutions should include manageable retention periods.
“These legal requirements are standard functional scope for compliance with other laws and standards, i.e., within GoBD (German Federal Ministry of Finance principles for the proper management and storage of books, records, and documents in electronic form, as well as data access) framework.”
|
Data Security | - The documents and their properties in a DMS solution must be stored with sufficient security.
“AMAGNO includes this as standard and has been tested and certified to IDW PS 880 level.” - Encryption methods used (e. g. data connections, access from external sources, storage of documents) must be traceably documented.
“AMAGNO includes this as standard and has been tested and certified to IDW PS 880 level.” - Critical data fields (e. g. passwords) must be stored in encrypted form.
“AMAGNO includes this as standard and has been tested and certified to IDW PS 880 level.” - The software manufacturer’s documentation must include information regarding data protection.
“AMAGNO includes this as standard and has been tested and certified to IDW PS 880 level.” - The software must contain functions that enable an appropriate permissions structure for enterprise use.
“AMAGNO includes this as standard and has been tested and certified to IDW PS 880 level. AMAGNO supports extremely flexible permission concepts, e.g., dynamic read access via confidentiality stamps or certain document parameters.”
|
Rights of interested parties | - The software should contain functions that support the user in evaluating personal data.
“Among many other functions, it is worth mentioning that AMAGNO can search through and identify the full-text from almost all document types from files, emails and scanned documents; enabling search results within seconds and supplementing freely definable metadata.” - If necessary, it should be possible to lock or delete data fields and documents selectively.
|
Contractual arrangements | - The software supplier should have contractual regulation under Art. 28 of the GDPR in the event of order processing.
“These organisational aspects are possible and of course necessary in the case of AMAGNO’s cloud option.” - Subcontractors must be listed transparently by the supplier.
- The supplier has created a directory of processing activities for order processing.
- The supplier has, if prescribed, appointed an internal or external data protection officer.
- Certification (e. g. IDW PS 880, ISO 27001) enables the provider to prove the correctness and conformity of the solution. Even if a certification according to IDW PS 880 by an auditing firm is not directly related to data protection, audit certificates can provide important information. In addition to the software development process, important software functions (e.g., permissions structure) are also evaluated from the data protection point of view.
“An external audit has certified AMAGNO version 5 according to IDW PS 880 (for further information, please read “AMAGNO receives GoBD software certification”)..”
|
By enabling the location and viewing of all document sources in a company, DMS solutions can be used very well for the implementation of the GDPR. These collect the documents and information at a central point and can be used from there for the implementation of the GDPR.
A DMS solution is also a suitable tool for the obligation to create documents resulting from the GDPR, to ensure that changes made to documents are verifiable via versioning.
“Due to the EU-GDPR, in addition to the German Federal Tax Ministry legal requirements, e.g., GoBD, AO, etc., all businesses are required to implement a solution such as AMAGNO. The benefits of AMAGNO include its extremely fast usability, the option to import documents from all sources as well as the powerful search engine, and the extensive security concept.”