Your financial statements, your email correspondence, your address and other contact details... - Most organizations have multiple systems that store data, known as Personally Identifiable Information (PII), relating to their customers, employees and in the case of public sector organizations, their citizens.
For the last few months here at Nuxeo, we've been working with customers across many industries, financial services in particular, to help them find the best way to get ready for the European General Data Protection Regulation (GDPR). GDPR comes into force next May and seeks to harmonise data protection laws across the European Union (EU).
So, we thought it might be a good time to share our insights on the topic.
Indeed, under GDPR, all organizations will be responsible for identifying the lawful basis for any PII data they collect, the purposes for which it can be used and the length of time it should be retained.
If you think GDPR doesn't apply to your organization, think again! GDPR applies to any organization that collects or processes data relating to EU residents regardless of whether the organization is based within or outside of the EU.
Financial risks for non-compliance are high! Failure to comply with GDPR can lead to significant fines of up to €20 million or 4% of annual worldwide turnover.
How Ready is Your Organization for GDPR?
Whilst it seems that most organizations are aware of GDPR, many are only just starting to do something about it. It's time to think about your GDPR implementation strategy.
Lately, our discussions with customers in EMEA have been centered on how a Content Services platform can help comply with GDPR?
"There is currently a great deal of confusion surrounding GDPR and it is often difficult for organizations to know where to start their compliance projects. The offerings from Nuxeo help to clear this confusion by providing a solid set of deliverables to assist organizations in meeting the new data protection requirements." Says Peter Blenkinsopp, GDPR Consultant.
Here's one example of how Nuxeo can help your organization with GDPR compliance.
Your Customers' Right to Have Access to the Information You Hold About Them
One area we have been working on relates to Subject Access Requests (SARs).
SAR is a process by which individuals have the right to obtain access to the PII that an organization holds about them. Currently, in the UK, organizations can charge a fee for processing SARs, but under GDPR, this information must be provided free of charge and is likely to mean an increase in the number of SARs companies are required to process. In addition, an organization will have a maximum of 30 days under the GDPR to respond to such a request.
This process has significant implications for organizations with many systems to check, particularly for those organizations that don't have suitable records management and retention policies in place to remove information on time.
We have used Nuxeo's Case Management capability to create a solution to help capture, process, manage and monitor Subject Access Requests, enabling organizations to collate PII from multiple systems and produce a personalized report for the customer.
The customer has the right to ask for information to be removed and this can simply be a follow-up process managed by Nuxeo.
Other Use Cases
By providing comprehensive Content Services capabilities, there are other areas in which Nuxeo can help with GDPR compliance including:
Documenting and managing GDPR related procedures including those that relate to security breaches where PII is stolen or lost. GDPR provides legal obligations for notifying local Supervisory Authorities in the event of such breaches.
Secure management of customer related documents such as statements, quotes, correspondence and scanned images (passports, bills, driving license, etc.).
If you'd like to discuss how Nuxeo can help with GDPR compliance please get in touch.