Document protection with GDPR in mind

by Conor Smith | March 8, 2018

Coming into play on May 25th 2018, GDPR is all about the way customers protect a data subject’s personal information. Numerous blogs and media outlets have, it seems, talked this subject to death, but mostly from a CRM point of view. What about document management and protecting customer data that exists within documents within your company? What happens when a report falls into the wrong hands or is seen by the wrong person in a company?

Past examples of this scenario are plentiful, from employees misplacing laptops in public to information being stolen straight from an office. But it is quite simple to protect documents from data breaches by creating a simple security process that all employees must comply with. This article will look at our PDF SDK security module and how it can help protect your documents from breaches outside and within your company.

General Data Protection Regulation (GDPR)

From the perspective of GDPR, a data breach is not merely someone outside of your company accessing information about your customers. It can come from within your company as well. Employees should not have access to a co-worker’s personal information on a daily basis. For example, a co-worker should not know of any particular dealings that another team member may have within the workplace. GDPR gives data subjects, that is, the customer or team member, the right to be protected against their personal information being placed in the wrong hands.

Personal information, as described in GDPR, is any information that can identify a person in any way. This could be the person’s company ID, email address or even their cultural or social identity. The list is not exhaustive and shows how careful we need to be when making documents available to others around our companies. Take as an example a customer who has complained about a member of a company’s customer service team. The complaint goes straight to the customer service representative’s manager. It should not be shown to the team member until the correct action is chosen. If this document gets filed in a folder that is accessible to anyone in the company, what happens then? The concerned customer service representative can easily go into this file and read not only about the complaint against them, but also the information about the customer who made a claim. This is a massive breach of security because the customer service representative can then easily contact that customer. The incident can quickly escalate, all because the company did not protect the customer’s personal information. But processes can be put in place to protect not only customers but employees as well.

Here are just a few ways that you can protect personal information in PDF documents.

Protecting documents with passwords

Password-protected documents cannot be opened by someone without that password. This ensures that the owner of the material knows precisely who has access to this document at any given point in time. Having control over who has access to the text means that if personal information is present in this document and the data is leaked, there are only a select few people within a company who could have seen and read this information. Ensuring that only those you trust have access to documents means that security is not compromised and that a data subject’s personal information is kept under wraps.

Document encryption

Encryption is the process of converting information into a code to protect user information when sent through email or other electronic means. This ensures that any unauthorised access will be in vain, as anyone without an encryption key will not be able to read any of the document information. This key decrypts the document so that the right personnel can read it. Again, only a select few people can read these documents, as only those with the encryption key can decrypt the information.

Document Permissions and Rights Management

Document permissions allow you to add a person’s email address or login details to a document so only they can access it. Even if you grant a person access to the data, if they use a different email address, say their personal instead of their work email address, this document will not be accessible to them as the document permissions specify a particular ID (this being a person’s work email address in this instance). Document permissions are an excellent way of managing document protection as permissions can be added and taken away at will, and it is easy to control who has access to the document at any given time.

Redaction

Sometimes documents need to be shared with those who should not have access to the personal information that is in them. For example, in legal proceedings email communication must sometimes be shown, but what happens when other people who are not part of these legal proceedings have been cc’d on that email? You need to protect their personal information. Redaction can be the simple answer to this predicament. Redaction is a feature that carefully covers up personal information in a document, deleting it from the record so that it is untraceable back to the person involved. All that will exist in its place is a dark line to show that information once lay there. In our PDF SDK, the redaction module ensures that no personal information is kept underneath these lines, even when looking into the code behind a document.

In Summary

Protecting your customer information is important regardless of new regulations being introduced. Your customers trust you to keep their information safe. A data breach places a customer’s information in the hands of the wrong people who could then easily use it against them or sell it illegally. We don’t want this to happen to you or your company. We certainly don’t want you to wait until May to start thinking about how to comply with GDPR when everything above is all you need to protect your customer information within your document or information management system. All that remains for your company to do is to create a simple process that your team members can comply with to ensure that the above is put into motion across your company from day one.

Contact us to find out more about what we can do to help you comply with GDPR. We are already working with large Enterprise customers to help them achieve full GDPR compliance, internally and externally.