Back office processes compliant with the GDPR
According to a survey conducted by Kantar Public and commissioned by GIODO, 72% of companies are not familiar with the details they must implement when the GDPR starts to apply. What should companies focus on when adjusting their business processes for processing and storing information to the new requirements?
The General Data Protection Regulation extends the protection of personal data as defined in the previous act. From the viewpoint of entities that process and store customer data, the major changes concern two issues: the introduction of the right "to be forgotten", and the restriction of data storage and processing to the extent necessary to carry out a given type of business. Storing any information beyond that necessary extent, e.g. beyond what is needed to prepare a credit offer, settle a claim or provide a telecommunications service, will be prohibited. What has been bothering many entrepreneurs most, however, is the significant increase in the penalties that can be imposed on entities that do not comply with the new requirements.
How do I interpret the new regulation?
Once the provisions of the GDPR apply, any natural person may demand that their data, stored in both paper and electronic form, be deleted from any and all systems and carriers used by a given company. There is, however, an exception to this rule: where the period for pursuing consumer claims has not yet expired, the entity is still allowed to process the personal data, but only to the extent that corresponds to its actual needs.
Although the GDPR will apply from 25 May 2018, in Poland no regulations incorporating it or amending the related acts have been introduced yet. According to recent information, the implementing act is supposed to be drawn up in July, but the regulations amending some 160 acts, e.g. those concerning the insurance sector, will probably not be approved until the end of the year.
This is an additional obstacle for businesses. Before the GDPR applies, companies must remove all the data whose processing period has come to an end. Due to the lack of precise guidelines, this requirement raises a lot of doubts – says Dagmara Sender, business development manager at ArchiDoc from the OEX Group.
Under the regulations that have applied so far to the archiving of paper documents, a minimum storage period was specified. Under the GDPR, a maximum storage period will be indicated instead.
Our customers usually decide to have their documents removed if they are certain that such documents cannot be stored any longer. The market is still waiting for uniform guidelines in this respect. I often notice that companies from the same industry have different guidelines from their lawyers concerning the same issues – comments Dagmara Sender.
The change in the archiving period from "no less than" to "no longer than" calls for a change in the way paper documents are packaged. To optimise the process, it is worth placing documents in archive packages according to their retention period, e.g. packing together documents with a 5-year storage period and keeping separate those which need to be archived for 10 years. Note that the status of a document may change during the storage period, e.g. when it is used as part of judicial proceedings, so the retention date assigned to a package must be reviewed rather than treated as final.
As for electronic data, companies are obliged to introduce safeguards, which may call for significant investment in equipment or IT systems. The protection of personal data is to be strengthened through, inter alia, pseudonymisation and anonymisation. Pseudonymisation replaces directly identifying fields with tokens so that the data can no longer be attributed to a specific person without additional information (the key or lookup table), which must be kept separately and protected; it is reversible, and pseudonymised data therefore remain personal data under the GDPR. Anonymisation removes or coarsens the identifying information so that the person cannot be identified and the data cannot subsequently be reconstructed; it is irreversible, and properly anonymised data fall outside the regulation. Both need to be taken into account in workflow systems that are already in use or still being implemented at companies.
While defining document flow, it is critical to remember that the anonymisation of specific customer data needs to be ensured in each process – says Dagmara Sender.
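As an added illustration, not part of the original article or of ArchiDoc's own tooling, the following Python script shows the distinction the two paragraphs above draw between pseudonymisation and anonymisation on a constructed customer record (all names, addresses and field names are invented for the example). Pseudonymisation uses a keyed HMAC token plus a separately held lookup table, so the record can be re-identified by whoever holds that table; the script also demonstrates why a bare, unkeyed hash of an e-mail address is not anonymisation, since a short list of candidate addresses recovers it. Anonymisation drops the direct identifiers and generalises the quasi-identifiers (birth date to an age band, postcode to its first part) without keeping any mapping back.

```python
"""Pseudonymisation vs anonymisation of a customer record (illustrative example).

Pseudonymisation keeps re-identification possible for whoever holds the secret
key and the lookup table; anonymisation removes direct identifiers and coarsens
quasi-identifiers so that nothing can be reconstructed from the output alone.
"""
import hashlib
import hmac
import secrets
from datetime import date
from typing import Iterable, Optional

# Constructed sample record; every value here is made up for this example.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "full_name": "Jan Kowalski",
    "email": "jan.kowalski@example.com",
    "birth_date": "1985-04-12",
    "postcode": "00-950",
    "product": "credit offer",
}

# Fields that identify the person directly (assumed schema for this example).
DIRECT_IDENTIFIERS = ("customer_id", "full_name", "email")


def bare_hash(value: str) -> str:
    """Unkeyed SHA-256 of a value: deterministic, but guessable from candidates."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same value + same key -> same token.
    HMAC rather than a bare hash, so guessing candidates is useless without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes, table: dict) -> dict:
    """Replace direct identifiers with tokens and record the reverse mapping in
    `table`, which must be stored separately from the pseudonymised data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonym(out[field], key)
            table[token] = out[field]
            out[field] = token
    return out


def reidentify(record: dict, table: dict) -> dict:
    """Reverse pseudonymisation: only possible with the separately held table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in table:
            out[field] = table[out[field]]
    return out


def dictionary_attack(token: str, candidates: Iterable[str], key: Optional[bytes]) -> Optional[str]:
    """Attacker holding a list of candidate addresses. Against a bare hash
    (key=None) the address is recovered; against HMAC it fails unless the key leaks."""
    for candidate in candidates:
        guess = bare_hash(candidate) if key is None else pseudonym(candidate, key)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def age_band(birth_date_iso: str, today_iso: str) -> str:
    """Generalise an exact birth date to a ten-year age band, e.g. '30-39'."""
    born = date.fromisoformat(birth_date_iso)
    today = date.fromisoformat(today_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(record: dict, today_iso: str) -> dict:
    """Drop direct identifiers and coarsen quasi-identifiers; no mapping is kept."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in out:
        out["age_band"] = age_band(out.pop("birth_date"), today_iso)
    if "postcode" in out:
        # Keep only the leading part of the Polish-style postcode (assumed format NN-NNN).
        out["postcode"] = out["postcode"].split("-")[0] + "-xxx"
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # the secret that makes tokens non-guessable
    table = {}                      # the "additional information" kept separately
    pseudo = pseudonymise(SAMPLE_RECORD, key, table)
    print("pseudonymised:", pseudo)
    print("re-identified equals original:", reidentify(pseudo, table) == SAMPLE_RECORD)
    print("anonymised:", anonymise(SAMPLE_RECORD, "2018-05-25"))
```

The two outputs differ in one practical respect that matters for the workflow design mentioned above: the pseudonymised record is still personal data and must be handled as such wherever the key or table exists, whereas the anonymised record can be retained for statistics after the retention period without a deletion obligation, provided the generalisation is coarse enough that the remaining fields do not single a person out.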
To adjust processes related to the processing of data and documents to the new regulations, companies can seek advice from entities specialised in back-office support. Such support involves a detailed analysis of a given process, types of documentation and IT systems.
Every company and industry has its own nature. The key here is to develop an optimal document processing model that will not only be compliant with the GDPR but also allow the customer to expand their business – adds Dagmara Sender.
External companies also provide support related to manual labour, i.e. the preparation of documents for the new provisions, e.g. recording documents intended for removal or separating them from the archives.