On May 25, 2018, a new European Personal Data Regulation became active; The General Data Protection Regulation (GDPR), the most significant change to European data protection regulations in 20 years.
The GDPR replaces the outdated Data Protection Directive (DPD) and aims to simplify and harmonize data protection laws in Europe and give EU citizens control over their personal data. There are significant fines for non-GDRP compliant companies, up to € 20m, or 4% of global annual revenue for the previous financial year.
Do your document management practices meet these 10 Data Privacy requirements*?
Document management with M-Files makes it easy to meets all 10 requirements of advanced Data Privacy regulation, including complying with GDPR. M-Files is a global and recognized provider of document management and ECM (Enterprise Content Management) systems.
M-Files is distinguished by a 100% metadata concept that allows the user to configure a solution that meets the relevant requirements for managing documents and other information. M-Files calls it Intelligent Information Management.
As a platform, M-Files meets all the requirements of the GDPR (Personal Data Regulation) and you can configure your work processes and other metadata to comply with the Personal Data Regulation. According to a comprehensive classification by Devoteam (one of the leading experts in document management practices) of 10 requirements for systems to comply with, M-Files fulfills all requirements as follows:
1. Access control
The system must be able to work with systems for managing user roles and rights, so that access to certain types of information can be restricted.
M-Files has comprehensive access control that can be managed in M-Files itself, through AD domains or through Federated Authentication (SAML) against identity providers such as Google, AD FS, Azure AD and the like. Access can be controlled based on the individual user, standard user groups or specific lists of users.
Furthermore, the degree of access can be defined on any metadata that the individual company has defined (Customer, Project, Case, etc.) as well as individually on document types defined (Contracts, development interviews, applications, etc.). In addition, access rights can be expanded / restricted as defined work processes reach new steps. Thus, there are no restrictions on how access to information can be controlled.
2. Logging of access
It should be possible to log access to personal data so that the approach can be documented.
M-Files logs any change of data, including documents, metadata or other data stored in M-Files (customer information, employee information, etc.). M-Files logs any download or upload of documents as well as any changes. The desired number of events can be stored directly in the M-Files Event log and filtered and searched in the event log.
The Event Log can be exported and analyzed by Administrator in other tools. Should you wish for even stronger access to event analysis over a very long time, Solution Management can provide a solution that exports all events to its own SQL database with extensive opportunities for analyzing and monitoring accidental events.
3. Deleting data
It should be possible to delete data in the system should a data subject wish to be deleted.
Typically, M-Files will be configured so that data about a person will be related to a specific person. Specifically, this means that all data and documents about the person will be applied to a metadata that uniquely refers to the person. Data on a particular person can therefore be easily identified, marked and completely deleted from M-Files. Should you have configured M-Files so that you cannot find data and documents about the person using metadata, you will be able to search for information by name, CPR number, etc. using advanced search.
It should be emphasized that the documents concerned can be completely deleted.
4. Data export
It should be possible to export personal data in a widely applicable format.
In M-Files, documents can be exported in their original format or in PDF. Other data can be exported in Excel format.
5. Data classification
It should be possible to specify a classification of data that will affect their processing.
In M-Files, data can be classified in any conceivable way. Metadata is created as needed. Metadata can have its own metadata. Thus, the metadata customer could have their own metadata such as address, postal code. and city. The exact number of document classes that can be defined can be defined precisely. For example, in a personal data context it could be application, development interview, employment contract, etc.
For each document class, rights can be defined. Thus, it is often seen that HR documents are a priori given the right “me and HR”, where HR can be a user group consisting of employees in the HR department. Or it could be “me, my closest boss and HR”. This ensures that these document classes do not inadvertently create rights for the wrong persons.
6. Delete rule can be specified
The system must support an indication of individual deletion rules, if any. as part of the data classification.
In M-Files, deletion rules can be configured on the single document, generally on the document class or on a metadata. Typically, we will configure M-Files such that an employee is a specific metadata that is applied to all the data and documents that relate to the employee. The employee metadata will have a date of employment as well as a severance date.
On the employee metadata, a deletion rule will be defined, which will delete all personal sensitive data and documents relating to the employee in accordance with a specified rule, typically 6 months. If so desired, a notification may be received after 5 months or it may be shown in a view of upcoming deletions that specific resigned employees’ data will be deleted.
7. Automatic deletion is system supported
The system must be able to enforce deletion rules so that data is automatically deleted when their lifetime has expired.
Automatic deletion is supported in accordance with the rules set up in M-Files.
8. Encryption, communication
Communication with the system should take place over a secure and encrypted connection.
In M-Files you can encrypt file data and the database itself. Furthermore, communication with M-Files can be set up to take place over a secure connection.
9. Encryption, databases
Encrypting data in the system will reduce the risk of unauthorized access to data.
In M-Files you can encrypt file data and the database itself.
10. Plans for updating GDPR properties
The supplier should be able to explain the plans for the system’s support of the requirements in the personal data regulation.
By the above review, we believe that we have reported that M-Files is almost completely compliant with the listed GDPR requirements for ECM systems.
As national authorities concretize the requirements, both M-Files and Solution Management will keep up with the development and actively add relevant functionality and configuration as well as help our customers comply with the requirements.
In addition to the above requirements, we also consider that the following should be taken into account:
By being purely metadata managed and where rights can also be assigned / deprived of all metadata, M-Files provides ideal opportunities to establish perfect access control for personal sensitive data.
In general, in order to comply with the Personal Data Ordinance, it is a good idea to think that access to documents is given according to a “need to know” principle and not just give all persons access to all documents. A “need to know” principle is difficult to implement in a traditional folder structure (the “F: Drive”) but efficient to implement in M-Files because metadata and access rights can be easily arranged after that.
*References/Sources
Devoteam has set 10 specific requirements that are relevant to suppliers of Case Management and Enterprise Content Management systems.
Contact us for more information or a personal demo.