Why getting rid of processes prone to human error is important for GDPR compliance – according to Sofia Bruno, Partner & Senior GDPR expert, Gro Advokatbyrå.
The General Data Protection Regulation, or GDPR, applies to all personally identifiable information, and we urge companies to take a look at the processing activities around documents containing personal data, such as contracts.
Processing activities include any action you take on that document, such as saving, sending or filing it.
Some of the activities that are prone to human error include sending contracts back and forth as email attachments, creating and managing contracts in “manual” formats such as Word, PDF or paper, and saving a new version of the contract to your local computer every time the contract changes.
For example, someone may mistakenly email the contract to the wrong recipient. Or someone saves the contract on a local drive or in a mailbox and then forgets to remove the older versions of the contract from his or her computer when the contract expires.
Why is this important to GDPR compliance?
As a data controller, you must have control over the flows of personal data. You are responsible for keeping those data flows secure, so you must eliminate all risks of human error in order to maintain control. One of the biggest GDPR compliance risks is failing to map data flows. The current practices for managing contracts described above carry a serious risk of losing track of the data flows, and with them control.
What should you do?
Besides overseeing internal routines and procedures, companies need to provide an alternative way of working that is not only secure but also easy to adopt. Employees will still need to accomplish their tasks, but in a GDPR-compliant way. The recommended approach is for companies to look for a cloud-based solution that fulfills these criteria:
- The solution is secure and uses an approved encryption standard.
- The solution stores your data within the EU or EEA.
- The solution eliminates the “attach to email” practice.
- The solution eliminates the “save to disk” practice.
- The solution allows you to manage documents within the service itself.
What is the key takeaway?
Many PDF-based e-signing tools require you to download and upload the contract each time you make an update during the negotiation process. You often have to open the original Word document, make the requested changes, save the document as a PDF and upload it to the electronic signing service. By doing this, you may unintentionally be saving older versions of the contract on your computer. You may even have to attach the document to an email. These practices, as mentioned earlier, present serious GDPR compliance risks.
So the key takeaway is: if you are still relying on paper or PDF-based e-signing tools, you are not ready for GDPR.
Don’t take our word for it.
Take a look at this 7-minute interview with Sofia Bruno, Partner at Gro Advokatbyrå, where we explore the GDPR compliance risks of today’s typical business practices of (1) storing documents containing personally identifiable information locally, (2) uploading and downloading these documents, and (3) sending the documents back and forth as email attachments. Sofia is a senior GDPR and privacy expert who advises clients on these matters daily.
PS: You may also want to take a look at Oneflow’s commitment to GDPR compliance.