Security

1,000 days of GDPR: what have businesses learned?

GDPR compliance can be challenging. Streamline your efforts and reduce your risk of non-compliance with an intelligent enterprise content solution.

21.06.2022
4 minutes
In the 1,000 days since the European Union General Data Protection Regulation (EU GDPR) came into force, businesses of all sizes have struggled with compliance, and many have been fined. An intelligent enterprise content solution can help your business gain control over its data — your starting point for meeting the regulation’s compliance requirements more efficiently.

As private individuals, we benefit from the data privacy and data security protections offered by the EU and UK General Data Protection Regulations (GDPR). We have more certainty and confidence about how companies and public bodies store, use and protect our personal data. We also have more rights over our personal data — we can ask what data a company holds about us, ask for it to be deleted, and more.

For organisations, however, being compliant with GDPR requirements can be challenging. Inability to comply can lead to large fines, not to mention reputational damage and loss of customer trust.



In the 1,000 days since the EU GDPR came into force in May 2018, businesses large and small have been fined for non-compliance. In 2021, more than 130,000 personal data breaches were notified, and fines totalling nearly €1.1 bn for GDPR violations were issued¹. Among the organisations fined was Amazon, which, in July 2021, was hit with the largest GDPR fine to date — $887 million — for not obtaining proper consent from users regarding their personal data.²

Although larger companies may face higher fines, small and medium-sized companies have also been fined for non-compliance. The GDPR Enforcement Tracker provides an overview.

Why is GDPR compliance challenging for companies?

To comply with GDPR, organisations must be able to respond, within given timescales, to data subject rights — requests by individuals (‘data subjects’) relating to their personal data, such as asking for it to be deleted. Organisations must also be able to meet their data protection obligations, which comprise:
  • Knowing what personal data they hold, and how and why it’s being processed
  • Protecting that personal data from events like unauthorised access, loss, or inadvertent destruction
  • Notifying the authorities and the affected data subjects of any personal data breaches

The main data subject rights and organisational obligations are summarised below:
  • Right to information: clear information on what the data is used for; customers can give clear consent and withdraw it
  • Right to access: data subjects can access their data
  • Right to be forgotten: the right to have data erased and to halt third-party data processing
  • Right to restriction: the right to restrict and stop processing of data at any time
  • Right to data portability: the right to receive data in a machine-readable format
  • Breach notifications: companies processing personal data must notify the authorities within 72 hours of learning of a data breach
  • Data protection officers: companies must appoint a data protection officer who understands the law, the obligations, and the GDPR-relevant processes the company carries out
  • Privacy impact assessments: companies must assess the potential risk to the freedom and privacy of individuals when introducing or changing processes related to PII, introduce measures to mitigate serious risks, and incorporate privacy-by-design

In most organisations, storing and processing personal data about employees and customers is part of everyday work. That often adds up to a large amount of data, which translates into a critical responsibility for a data controller or processor, especially in situations such as:
  • Data subject access requests from (usually former) employees or customers
  • Data leaks or breaches, if personal data is stored in a non-secure repository
  • Data breach notifications to data subjects
  • Individual compliance, where employees are responsible for personal data they hold in their emails or work documents
An organisation that isn’t well prepared can find GDPR compliance costly in terms of time and resources. Without the right workflows, processes and supporting tools in place, you may be unable to confirm what data you hold about an individual. And if a breach occurs, you may be unsure about what data has been affected, and so unable to meet reporting obligations within the GDPR-mandated timeframes.

Data protection: the top business challenge

28% of organisations say that data protection is their biggest business challenge.

Organisations say that the ‘new normal’ caused by the pandemic is affecting their approach to content/customer data management:
  • 18% say they need to rethink customer data processing
  • 34% say it’s about tightening up their security

Source: Konica Minolta & Keypoint Intelligence Survey 2022

How intelligent enterprise content solutions can support GDPR compliance

If you’re in the throes of transforming from paper to digital for information management, it’s a great opportunity to take GDPR compliance into account and get set up for it. Even if your data is already digitised, you may still be challenged to find what you need if data is held in multiple repositories, or is poorly controlled and indexed.

An enterprise content management (ECM) solution (like Konica Minolta’s M-Files) or an enterprise search solution (like our dokoniFIND) can help you streamline data management and GDPR compliance.

Solutions like these help you gain control over the data in your organisation by managing information access and monitoring all your repositories in real time to detect any personal data that shouldn’t be there. For example, credit card numbers mustn’t be stored in email systems. If an occurrence is detected, you’re made aware so you can take swift corrective action.
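As an added example, not code from the original article or from the Konica Minolta products it describes, the following Python script shows the kind of check such a monitor performs: it scans constructed sample repositories for strings that look like payment card numbers, confirms each candidate with the Luhn checksum so that ordinary order or reference numbers are not flagged, and reports masked findings, marking those stored in a mailbox as policy violations. The repository names, item ids and message texts are constructed, and the policy rule (no card numbers in e-mail systems) is taken from the article's example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample repositories: a mailbox and a document store.
# Each item is (item_id, text). The card numbers are well-known test
# numbers, not real cards.
SAMPLE_REPOSITORIES: Dict[str, List[Tuple[str, str]]] = {
    "mailbox/finance": [
        ("msg-001", "Hi, please charge card 4111 1111 1111 1111 for the invoice."),
        ("msg-002", "Order reference 1234567890123456 shipped today."),
    ],
    "docs/hr": [
        ("contract-17", "Employee ID 0042, no payment details here."),
        ("expense-9", "Corporate card 5555-5555-5555-4444 used for travel; please file."),
    ],
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the normalised (digits-only) card numbers found in text."""
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep only the last four digits so reports do not re-expose the card."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    repository: str
    item_id: str
    masked: str
    policy_violation: bool   # True when the repository is one where cards must not live


def scan_repositories(repos: Dict[str, List[Tuple[str, str]]],
                      forbidden_prefix: str = "mailbox/") -> List[Finding]:
    """Scan every item in every repository and report masked card findings.

    The 'forbidden_prefix' rule is an assumption for this example: any
    repository whose name starts with it (e-mail systems here) must not
    hold card numbers, so findings there are flagged as violations.
    """
    findings = []
    for repo_name, items in repos.items():
        for item_id, text in items:
            for digits in find_card_numbers(text):
                findings.append(Finding(
                    repository=repo_name,
                    item_id=item_id,
                    masked=mask(digits),
                    policy_violation=repo_name.startswith(forbidden_prefix),
                ))
    return findings


if __name__ == "__main__":
    for f in scan_repositories(SAMPLE_REPOSITORIES):
        status = "VIOLATION" if f.policy_violation else "review"
        print(f"{status:9} {f.repository}/{f.item_id}: {f.masked}")
```

The Luhn step is what keeps the false-positive rate manageable: a plain 16-digit regex would flag the order reference in msg-002, while the checksum rejects it. In a real deployment the scan would read from the actual mail and file stores, and the report would feed a corrective workflow (move or delete the item, notify the owner) rather than just printing.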

An ECM solution like M-Files can additionally automate the deletion of expired information.

Responding more efficiently to data subject requests

ECM and enterprise search solutions can help reduce the cost and effort of responding to data subject requests. You no longer have to take employees away from other work or require them to put in overtime.

These solutions make light work of searching through multiple data sources and file formats, automatically identifying personal data across all your data stores (both structured and unstructured sources), extracting it, and enabling you to generate customised reports in just a few clicks. Compared with manual processes, there’s little risk of unwanted data being incorrectly included, or relevant data being erroneously excluded.

Enterprise content management and search solutions also enable you to verify that any required actions with the retrieved data, such as deletion, have been completed in line with the request.

Meeting data breach notification requirements

Enterprise ECM and search solutions like ours also help you more easily meet GDPR data breach notification timeframes and requirements.

If you believe your organisation has suffered a data breach, our solutions help you create reporting on all of the impacted records holding personal data for you to share with the authorities — helping you meet the mandated 72-hour notification window. In addition, you can create the required reporting for sharing with the affected data subjects without undue delay.

Turn GDPR compliance into a competitive advantage

With the right processes, workflows and supporting tools in place, you can more easily and efficiently meet GDPR obligations around storing and processing personal data, responding to data subject requests, and notifying any potential breaches.
And with increased confidence in your ability to comply with GDPR, you can present your business as a champion of personal privacy, which can help build and maintain customer trust and loyalty.


¹ https://www.complianceweek.com/regulatory-enforcement/report-gdpr-fines-surpass-1b-in-2021-breach-notifications-also-rise/31259.article#:~:text=In%202021%2C%20there%20was%20an,28%2C%20the%20report%20noted.

² https://www.techtarget.com/searchsecurity/feature/GDPR-as-we-enter-2022-Challenges-enforcement-and-fines