GDPR and Document Management

Why is there the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a European law that guarantees European citizens’ privacy. GDPR creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.

The GDPR sets high standards in terms of privacy, security and compliance. Organizations that do not comply with the GDPR may receive fines of up to € 20 million or 4% of their worldwide sales.


What are the guidelines for the GDPR?
The GDPR sets strict requirements on how personal data is processed and stored in your systems like ERP, CRM, or DMS. As an organization, you need to comply with these guidelines that have been drawn up around these 6 principles:

  1. Transparency requires how personal data is processed and used;
  2. Processing of personal information is limited to specific and well-founded purposes;
  3. The collection and storage of personal information is for intended purposes only;
  4. Individuals have the right to personally correct or remove data;
  5. Storing personally identifiable data is limited to the intended purpose and only for as long as necessary;
  6. Personal data must be protected by appropriate security methods.


What kind of personal information is it?
The GDPR refers to the collection, storage, use and sharing of personal information. This is all data that is being redirected to a ‘natural person’. These data may include, for example:

  • customer databases;
  • filled in contact forms;
  • e-mail content;
  • pictures;
  • recordings of security cameras;
  • HR or CV databases.

This person has broader rights of access, a right to be forgotten, a right to object to marketing profiling, and has rights to data portability.


Reporting within 72 hours
Next to reporting and logging data internally, you need to take action when a data breach occurs. Within 72 hours after becoming aware, and throughout the chain. Your vendors (processors) must report events to your business. Your controllers must report to the authorities, and your business may also need to report to the individuals effected.


Impact GDPR for European and non-European organizations
GDPR affects any organization processing the data of European (EEA) residents irrespective of where they are located in the world. The GDPR has already been adopted by the European Parliament in April 2016, but from 25 May 2018 the law will also be enforced and monitored by local national supervisory boards.


For organizations it is therefore important to take measures
This begins with the mapping which personal data is within the organization. This is done by your newly required Data Protection Officer (DPO). After that, it is important to set clear guidelines on how to handle these data and to set up measures to prevent and detect data networks. E.g in your Document Management System (DMS). Finally, it is important to keep track of any data requests and to make the right reports.


Epona LegalWord Document Creation, DMS, and GDPR: Canaries in the Coal mine

GDPR and Document Management

Discover, Manage, Protect, and Report. These are the 4 standard steps which are advised in your GDPR journey. Epona advises a fifth element: Document Creation. You users will be the canaries in the coalmine. When users create documents, and save them into their DMS, they should be aware of the privacy rules, and company consequences. Our software LegalWord provides you with tools, resources, and features to help you address the requirements of this step.


Bart van Wanroij

GDPR is known in the Netherlands as the Algemene Verordering Gegevens Bescherming (AVG).