Security

1,000 days of GDPR: what have businesses learned?

GDPR compliance can be challenging. Streamline your efforts and reduce your risk of non-compliance with an intelligent enterprise content solution.

21.06.2022
4 minutes 4 minutes
Table of Contents
In the 1,000 days since the European Union General Data Protection Regulation (EU GDPR) came into force, businesses of all sizes have struggled with compliance, and many have been fined. An intelligent enterprise content solution can help your business gain control over its data — your starting point for meeting the regulation’s compliance requirements more efficiently.

As private individuals, we benefit from the data privacy and data security protections offered by the EU and UK General Data Protection Regulations (GDPR). We have more certainty and confidence about how companies and public bodies store, use and protect our personal data. We also have more rights over our personal data — we can ask what data a company holds about us, ask for it to be deleted, and more.

For organisations, however, being compliant with GDPR requirements can be challenging. Inability to comply can lead to large fines, not to mention reputational damage and loss of customer trust.



In the 1,000 days since the EU GDPR came into force in May 2018, businesses large and small have been fined for non-compliance. In 2021, more than 130,000 personal data breaches were notified, and fines totalling nearly €1.1 bn for GDPR violations were issued¹. Among the organisations to be fined was Amazon; which, in July 2021, was hit with the largest GDPR fine to date — $887 million — for not obtaining proper consent from users regarding their personal data.²

Although larger companies may face higher fines, small and medium-sized companies have also been fined for non-compliance. The GDPR Enforcement Tracker provides an overview

Why is GDPR compliance challenging for companies?

To comply with GDPR, organisations must be able to respond, within given timescales, to data subject rights — requests by individuals (‘data subjects’) relating to their personal data, such as asking for it to be deleted. Organisations must also be able to meet their data protection obligations, which comprise:
  • Knowing what personal data they hold, and how and why it’s being processed
  • Protecting that personal data from events like unauthorised access, loss, or inadvertent destruction
  • Notifying the authorities and the affected data subjects of any personal data breaches
 

For more details, please click on the fields in the diagram below:

Right to information

Clear information on what the data is used for
Ability for customers to give clear consent and withdraw consent

Right to access

Ability for data subject to access their data

Right to be forgotten

Right to have data erased, halt 3rd party data processing

Right to restriction

The right to restrict and stop processing of data at any time

Right to data portability

Right to receive data in a machine-readable format

Breach notifications

Companies processing personal data have the obligation to notify authorities within 72 hours of learning of a data breach.

Data protection officers

Companies must appoint a data protection officer, who understands the law, the obligations and who understands the processes being carried out that are relevant to GDPR.

Privacy impact assessments

Companies must assess the potential risk to freedom and privacy of individuals when introducing of changing processes related to PII, introduce measures to miligate serious risks and incorporate privacy-by-design.

In most organisations, storing and processing personal data about employees and customers is part of everyday work. That often adds up to a large amount of data, which translates into a critical responsibility for a data controller or processor, especially in situations such as:
  • Data subject access requests from (usually former) employees or customers
  • Data leaks or breaches, if personal data is stored in a non-secure repository
  • Data breach notifications to data subjects
  • Individual compliance, where employees are responsible for personal data they hold in their emails or work documents
An organisation that isn’t well prepared can find GDPR compliance costly in terms of time and resources. Without the right workflows, processes and supporting tools in place, you may be unable to confirm what data you hold about an individual. And if a breach occurs, you may be unsure about what data has been affected, and so unable to meet reporting obligations within the GDPR-mandated timeframes.

Data protection: the top business challenge

28% of organisations say that data protection is their biggest business challenge.

Organisations say that the ‘new normal’ caused by the pandemic is affecting their approach to content/customer data management:
 
  • 18% say they need to rethink customer data processing
  • 34% say it’s about tightening up their security

Source: Konica Minolta & Keypoint Intelligence Survey 2022

How intelligent enterprise content solutions can support GDPR compliance

If you’re in the throes of transforming from paper to digital for information management, it’s a great opportunity to take GDPR compliance into account and get set up for it. Even if your data is already digitised, you may still be challenged to find what you need if data is held in multiple repositories, or is poorly controlled and indexed.

An enterprise content management (ECM) solution (like Konica Minolta’s M-Files) or an enterprise search solution (like our dokoniFIND) can help you streamline data management and GDPR compliance.

Solutions like these help you gain control over the data in your organisation by managing information access and monitoring all your repositories in real time to detect any personal data that shouldn’t be there. For example, credit card numbers mustn’t be stored in email systems. If an occurrence is detected, you’re made aware so you can take swift corrective action.

An ECM solution like M-Files can additionally automate the deletion of expired information.

Responding more efficiently to data subject requests

ECM and enterprise search solutions can help reduce the cost and effort of responding to data subject requests. You no longer have to take employees away from other work or require them to put in overtime.

These solutions make light work of searching through multiple data sources and file formats, automatically identifying personal data across all your data stores (both structured and unstructured sources), extracting it, and enabling you to generate customised reports in just a few clicks. Compared with manual processes, there’s little risk of unwanted data being incorrectly included, or relevant data being erroneously excluded.

Enterprise content management and search solutions also enable you to verify that any required actions with the retrieved data, such as deletion, have been completed in line with the request.

Meeting data breach notification requirements

Enterprise ECM and search solutions like ours also help you more easily meet GDPR data breach notification timeframes and requirements.

If you believe your organisation has suffered a data breach, our solutions help you create reporting on all of the impacted records holding personal data for you to share with the authorities — helping you meet the mandated 72-hour notification window. In addition, you can create the required reporting for sharing with the affected data subjects without undue delay.

Turn GDPR compliance into a competitive advantage

With the right processes, workflows and supporting tools in place, you can more easily and efficiently meet GDPR obligations around storing and processing personal data, responding to data subject requests, and notifying any potential breaches.
 
And with increased confidence in your ability to comply with GDPR, you can present your business as a champion of personal privacy, which can help build and maintain customer trust and loyalty.


 
¹ https://www.complianceweek.com/regulatory-enforcement/report-gdpr-fines-surpass-1b-in-2021-breach-notifications-also-rise/31259.article#:~:text=In%202021%2C%20there%20was%20an,28%2C%20the%20report%20noted.
 
² https://www.techtarget.com/searchsecurity/feature/GDPR-as-we-enter-2022-Challenges-enforcement-and-fines

Are you ready for electronic signatures?

95% of organisations are using e-signatures, evaluating e-signature providers or planning to buy an e-signature solution in the future, according to DocuSign research. Discover the applications and benefits of different types of e-signature.

GDPR as we enter 2022: challenges, enforcement and fines

2021 saw an increase in EU GDPR non-compliance fines, including record-breaking multimillion dollar fines for two tech giants. What factors have contributed to this increase? Read this TechTarget/SearchSecurity blog to find out more
This may also be interesting for you:

How remote work is transforming cybersecurity

As organizations of all sizes extend their commitment to supporting remote...

Security
29.09.2020

Backup management: every business needs an emergency exit

Losing data can be catastrophic for any business. So it is crucial to...

Security
25.10.2019

Data security now

Why is data security so important to SMEs? And what does a comprehensive...

Security
28.08.2019
STAY IN TOUCH VIA OUR QUARTERLY NEWSLETTER!